
A Windows Container Support for Red Hat OpenShift 5.0.0 security update has been released.

RHSA-2022:0577-01: Moderate: Windows Container Support for Red Hat OpenShift 5.0.0 security update:

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: Windows Container Support for Red Hat OpenShift 5.0.0 [security update]
Advisory ID: RHSA-2022:0577-01
Product: Red Hat OpenShift Enterprise
Advisory URL:   https://access.redhat.com/errata/RHSA-2022:0577
Issue date: 2022-03-28
CVE Names: CVE-2020-28851 CVE-2020-28852 CVE-2021-3121
           CVE-2021-3521 CVE-2021-3712 CVE-2021-29923
           CVE-2021-31525 CVE-2021-33195 CVE-2021-33197
           CVE-2021-33198 CVE-2021-34558 CVE-2021-36221
           CVE-2021-42574 CVE-2022-24407
=====================================================================

1. Summary:

The components for Windows Container Support for Red Hat OpenShift 5.0.0
are now available. This product release includes bug fixes and a moderate
security update for the following packages: windows-machine-config-operator
and windows-machine-config-operator-bundle.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Windows Container Support for Red Hat OpenShift allows you to deploy
Windows container workloads running on Windows Server containers.

Security Fix(es):

* gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index
validation (CVE-2021-3121)
* golang.org/x/text: Panic in language.ParseAcceptLanguage while parsing
-u- extension (CVE-2020-28851)
* golang.org/x/text: Panic in language.ParseAcceptLanguage while processing
bcp47 tag (CVE-2020-28852)
* golang: net: incorrect parsing of extraneous zero characters at the
beginning of an IP address octet (CVE-2021-29923)
* golang: net/http: panic in ReadRequest and ReadResponse when reading a
very large header (CVE-2021-31525)
* golang: net: lookup functions may return invalid host names
(CVE-2021-33195)
* golang: net/http/httputil: ReverseProxy forwards connection headers if
first one is empty (CVE-2021-33197)
* golang: math/big.Rat: may cause a panic or an unrecoverable fatal error
if passed inputs with very large exponents (CVE-2021-33198)
* golang: crypto/tls: certificate of wrong type is causing TLS client to
panic (CVE-2021-34558)
* golang: net/http/httputil: panic due to racy read of persistConn after
handler panic (CVE-2021-36221)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
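As an added illustration of the leading-zero parsing issue listed above (CVE-2021-29923), and not code from the advisory or from the OpenShift project, the following Go program implements a strict dotted-quad parser that refuses any octet with a leading zero, the behaviour that net.ParseIP adopted in Go 1.17, and uses it in an allow-list check so that ambiguous input such as "010.0.0.1" is reported as an error instead of being silently compared. The function names ParseStrictIPv4 and AllowedByList and the sample addresses are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// ErrLeadingZero is returned for octets such as "010", which older Go
// versions read as decimal while other parsers may read them as octal.
var ErrLeadingZero = errors.New("ipv4 octet has a leading zero")

// ParseStrictIPv4 parses a dotted-quad IPv4 address and rejects any octet
// that is empty, non-numeric, above 255, or written with a leading zero.
// (Hypothetical helper; name chosen for this example.)
func ParseStrictIPv4(s string) ([4]byte, error) {
	var ip [4]byte
	parts := strings.Split(s, ".")
	if len(parts) != 4 {
		return ip, fmt.Errorf("expected 4 octets, got %d", len(parts))
	}
	for i, p := range parts {
		if p == "" {
			return ip, fmt.Errorf("octet %d is empty", i)
		}
		// "0" alone is fine; "00", "010" etc. are ambiguous and rejected.
		if len(p) > 1 && p[0] == '0' {
			return ip, fmt.Errorf("octet %d (%q): %w", i, p, ErrLeadingZero)
		}
		for _, c := range p {
			if c < '0' || c > '9' {
				return ip, fmt.Errorf("octet %d (%q): non-digit character", i, p)
			}
		}
		n, err := strconv.Atoi(p)
		if err != nil || n > 255 {
			return ip, fmt.Errorf("octet %d (%q): out of range", i, p)
		}
		ip[i] = byte(n)
	}
	return ip, nil
}

// AllowedByList reports whether addr is one of the allow-listed addresses.
// Both sides are parsed strictly; an unparsable address yields an error
// rather than a silent "false", so ambiguous input is visible to the caller.
// (Hypothetical helper; name chosen for this example.)
func AllowedByList(addr string, allow []string) (bool, error) {
	ip, err := ParseStrictIPv4(addr)
	if err != nil {
		return false, err
	}
	for _, a := range allow {
		aip, err := ParseStrictIPv4(a)
		if err != nil {
			return false, fmt.Errorf("allow-list entry %q: %w", a, err)
		}
		if aip == ip {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	// Constructed sample inputs: one valid address, one with a leading-zero
	// octet, one out-of-range octet and one with too few octets.
	for _, s := range []string{"10.0.0.1", "010.0.0.1", "10.0.0.256", "10.0.0"} {
		ip, err := ParseStrictIPv4(s)
		if err != nil {
			fmt.Printf("%-12s rejected: %v\n", s, err)
			continue
		}
		fmt.Printf("%-12s accepted: %v\n", s, ip)
	}
}
```

The design choice worth noting is that the allow-list check returns an error for unparsable input on either side rather than treating it as "not allowed": a silent false can mask a configuration entry that a different parser would have accepted, which is exactly the disagreement the CVE describes.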

3. Solution:

For Windows Machine Config Operator upgrades, see the following
documentation:
  https://docs.openshift.com/container-platform/latest/windows_containers/windows-node-upgrades.html

4. Bugs fixed (https://bugzilla.redhat.com/):

1913333 - CVE-2020-28851 golang.org/x/text: Panic in language.ParseAcceptLanguage while parsing -u- extension
1913338 - CVE-2020-28852 golang.org/x/text: Panic in language.ParseAcceptLanguage while processing bcp47 tag
1921650 - CVE-2021-3121 gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation
1958341 - CVE-2021-31525 golang: net/http: panic in ReadRequest and ReadResponse when reading a very large header
1983596 - CVE-2021-34558 golang: crypto/tls: certificate of wrong type is causing TLS client to panic
1989564 - CVE-2021-33195 golang: net: lookup functions may return invalid host names
1989570 - CVE-2021-33197 golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty
1989575 - CVE-2021-33198 golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents
1990573 - Username annotation error when byoh Windows have uppercase hostname
1992006 - CVE-2021-29923 golang: net: incorrect parsing of extraneous zero characters at the beginning of an IP address octet
1992841 - Deleting Machine Node object throws reconciliation error after WMCO restart
1994859 - Windows Containers on Windows Nodes get assigned the DNS Server IP “172.30.0.10”, which is wrong, if the default kubernetes subnet is not used
1995656 - CVE-2021-36221 golang: net/http/httputil: panic due to racy read of persistConn after handler panic
2000772 - WMCO fails to configure VMs with Powershell set as the default SSH shell
2001547 - BYOH Windows instance configured with DNS name got deconfigured immediately on UPI baremetal
2002961 - CSR reconciler report error constantly when BYOH CSR approved by other Approver
2005360 - BYOH Windows instance configured twice with DNS name
2008601 - WMCO ignores delete events for machines with invalid IP addresses
2015772 - Replacing private key reconcile 2 Windows nodes in parallel
2032048 - CSR approval failures caused by update conflicts

5. JIRA issues fixed (https://issues.jboss.org/):

WINC-747 - Windows Container Support for Red Hat OpenShift 5.0.0 release

6. References:

  https://access.redhat.com/security/cve/CVE-2020-28851
  https://access.redhat.com/security/cve/CVE-2020-28852
  https://access.redhat.com/security/cve/CVE-2021-3121
  https://access.redhat.com/security/cve/CVE-2021-3521
  https://access.redhat.com/security/cve/CVE-2021-3712
  https://access.redhat.com/security/cve/CVE-2021-29923
  https://access.redhat.com/security/cve/CVE-2021-31525
  https://access.redhat.com/security/cve/CVE-2021-33195
  https://access.redhat.com/security/cve/CVE-2021-33197
  https://access.redhat.com/security/cve/CVE-2021-33198
  https://access.redhat.com/security/cve/CVE-2021-34558
  https://access.redhat.com/security/cve/CVE-2021-36221
  https://access.redhat.com/security/cve/CVE-2021-42574
  https://access.redhat.com/security/cve/CVE-2022-24407
  https://access.redhat.com/security/updates/classification/#moderate

7. Contact:

The Red Hat security contact is . More contact
details at   https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.