Red Hat 9062 Published by

OpenShift Serverless Version 1.22.1 has been released.



RHSA-2022:4863-01: Moderate: Release of OpenShift Serverless Version 1.22.1



=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: Release of OpenShift Serverless Version 1.22.1
Advisory ID: RHSA-2022:4863-01
Product: Red Hat OpenShift Serverless
Advisory URL:   https://access.redhat.com/errata/RHSA-2022:4863
Issue date: 2022-06-01
CVE Names: CVE-2018-25032 CVE-2021-3634 CVE-2021-3737
CVE-2021-4189 CVE-2022-23772 CVE-2022-23773
CVE-2022-23806
=====================================================================

1. Summary:

OpenShift Serverless version 1.22.1 contains a moderate security impact.

The References section contains CVE links providing detailed severity
ratings for each vulnerability. Ratings are based on a Common Vulnerability
Scoring System (CVSS) base score.

2. Description:

Version 1.22.1 of the OpenShift Serverless Operator is supported on Red Hat
OpenShift Container Platform versions 4.6, 4.7, 4.8, 4.9, and 4.10.

This release includes security and bug fixes, and enhancements.

Security Fixes in this release include:
- - golang: crypto/elliptic IsOnCurve returns true for invalid field
elements(CVE-2022-23806)
- - golang: cmd/go: misinterpretation of branch names can lead to incorrect
access control(CVE-2022-23773)
- - golang: math/big: uncontrolled memory consumption due to an unhandled
overflow via Rat.SetString (CVE-2022-23772)

For more details about the security issues, including the impact; a CVSS
score; acknowledgments; and other related information refer to the CVE
pages linked in the References section.

3. Solution:

See the Red Hat OpenShift Container Platform 4.6 documentation at:
  https://access.redhat.com/documentation/en-us/openshift_container_platform/4.6/html/serverless/index
See the Red Hat OpenShift Container Platform 4.7 documentation at:
  https://access.redhat.com/documentation/en-us/openshift_container_platform/4.7/html/serverless/index
See the Red Hat OpenShift Container Platform 4.8 documentation at:
  https://access.redhat.com/documentation/en-us/openshift_container_platform/4.8/html/serverless/index
See the Red Hat OpenShift Container Platform 4.9 documentation at:
  https://access.redhat.com/documentation/en-us/openshift_container_platform/4.9/html/serverless/index
See the Red Hat OpenShift Container Platform 4.10 documentation at:
  https://access.redhat.com/documentation/en-us/openshift_container_platform/4.10/html/serverless/index

4. Bugs fixed (  https://bugzilla.redhat.com/):

2053429 - CVE-2022-23806 golang: crypto/elliptic IsOnCurve returns true for invalid field elements
2053532 - CVE-2022-23772 golang: math/big: uncontrolled memory consumption due to an unhandled overflow via Rat.SetString
2053541 - CVE-2022-23773 golang: cmd/go: misinterpretation of branch names can lead to incorrect access control

5. JIRA issues fixed (  https://issues.jboss.org/):

SRVKE-1217 - New KafkaSource implementation does not default to PLAIN for SASL

6. References:

  https://access.redhat.com/security/cve/CVE-2018-25032
  https://access.redhat.com/security/cve/CVE-2021-3634
  https://access.redhat.com/security/cve/CVE-2021-3737
  https://access.redhat.com/security/cve/CVE-2021-4189
  https://access.redhat.com/security/cve/CVE-2022-23772
  https://access.redhat.com/security/cve/CVE-2022-23773
  https://access.redhat.com/security/cve/CVE-2022-23806
  https://access.redhat.com/security/updates/classification/#moderate
  https://access.redhat.com/documentation/en-us/openshift_container_platform/4.6/html/serverless/index
  https://access.redhat.com/documentation/en-us/openshift_container_platform/4.7/html/serverless/index
  https://access.redhat.com/documentation/en-us/openshift_container_platform/4.8/html/serverless/index
  https://access.redhat.com/documentation/en-us/openshift_container_platform/4.9/html/serverless/index
  https://access.redhat.com/documentation/en-us/openshift_container_platform/4.10/html/serverless/index

7. Contact:

The Red Hat security contact is . More contact
details at   https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.