Red Hat 9062 Published by

An OpenShift Container Platform 4.11.0 extras and security update has been released.



RHSA-2022:5070-01: Moderate: OpenShift Container Platform 4.11.0 extras and security update



=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: OpenShift Container Platform 4.11.0 extras and security update
Advisory ID: RHSA-2022:5070-01
Product: Red Hat OpenShift Enterprise
Advisory URL:   https://access.redhat.com/errata/RHSA-2022:5070
Issue date: 2022-08-10
CVE Names: CVE-2018-25032 CVE-2019-5827 CVE-2019-13750
CVE-2019-13751 CVE-2019-17594 CVE-2019-17595
CVE-2019-18218 CVE-2019-18874 CVE-2019-19603
CVE-2019-20838 CVE-2020-13435 CVE-2020-14155
CVE-2020-24370 CVE-2020-28493 CVE-2021-3580
CVE-2021-3634 CVE-2021-3737 CVE-2021-4189
CVE-2021-20095 CVE-2021-20231 CVE-2021-20232
CVE-2021-23177 CVE-2021-25219 CVE-2021-31566
CVE-2021-36084 CVE-2021-36085 CVE-2021-36086
CVE-2021-36087 CVE-2021-38561 CVE-2021-40528
CVE-2021-42771 CVE-2022-0778 CVE-2022-1271
CVE-2022-1621 CVE-2022-1629 CVE-2022-1706
CVE-2022-1729 CVE-2022-21698 CVE-2022-22576
CVE-2022-23772 CVE-2022-23773 CVE-2022-23806
CVE-2022-24407 CVE-2022-24675 CVE-2022-24903
CVE-2022-24921 CVE-2022-25313 CVE-2022-25314
CVE-2022-27191 CVE-2022-27774 CVE-2022-27776
CVE-2022-27782 CVE-2022-28327 CVE-2022-29162
CVE-2022-29824
=====================================================================

1. Summary:

Red Hat OpenShift Container Platform release 4.11.0 is now available with
updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container
Platform 4.11.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.

This advisory contains the RPM packages for Red Hat OpenShift Container
Platform 4.11.0. See the following advisory for the container images for
this release:

  https://access.redhat.com/errata/RHSA-2022:5068

Security Fix(es):

* golang: out-of-bounds read in golang.org/x/text/language leads to DoS
(CVE-2021-38561)
* prometheus/client_golang: Denial of service using
InstrumentHandlerCounter (CVE-2022-21698)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

All OpenShift Container Platform 4.11 users are advised to upgrade to these
updated packages and images when they are available in the appropriate
release channel. To check for available updates, use the OpenShift Console
or the CLI oc command. Instructions for upgrading a cluster are available
at
  https://docs.openshift.com/container-platform/4.11/updating/updating-cluster-cli.html

3. Solution:

For OpenShift Container Platform 4.11 see the following documentation,
which will be updated shortly for this release, for important instructions
on how to upgrade your cluster and fully apply this asynchronous errata
update:

  https://docs.openshift.com/container-platform/4.11/release_notes/ocp-4-11-release-notes.html

Details on how to access this content are available at
  https://docs.openshift.com/container-platform/4.11/updating/updating-cluster-cli.html

4. Bugs fixed (  https://bugzilla.redhat.com/):

2042536 - OCP 4.10: nfd-topology-updater daemonset fails to get created on worker nodes - forbidden: unable to validate against any security context constraint
2042652 - Unable to deploy hw-event-proxy operator
2045880 - CVE-2022-21698 prometheus/client_golang: Denial of service using InstrumentHandlerCounter
2047308 - Remove metrics and events for master port offsets
2055049 - No pre-caching for NFD images
2055436 - nfd-master tracking the wrong api group
2055439 - nfd-master tracking the wrong api group (operand)
2057569 - nfd-worker: drop 'custom-' prefix from matchFeatures custom rules
2058256 - LeaseDuration for NFD Operator seems to be rather small, causing Operator restarts when running etcd defrag
2062849 - hw event proxy is not binding on ipv6 local address
2066860 - Wrong spec in NFD documentation under `operand`
2066887 - Dependabot alert: Path traversal in github.com/valyala/fasthttp
2066889 - Dependabot alert: Path traversal in github.com/valyala/fasthttp
2067312 - PPT event source is lost when received by the consumer
2077243 - NFD os release label lost after upgrade to ocp 4.10.6
2087511 - NFD SkipRange is wrong causing OLM install problems
2089962 - Node feature Discovery operator installation failed.
2090774 - Add Readme to plugin directory
2091106 - Dependabot alert: Unhandled exception in gopkg.in/yaml.v3
2091142 - Dependabot alert: Unhandled exception in gopkg.in/yaml.v3
2100495 - CVE-2021-38561 golang: out-of-bounds read in golang.org/x/text/language leads to DoS

5. References:

  https://access.redhat.com/security/cve/CVE-2018-25032
  https://access.redhat.com/security/cve/CVE-2019-5827
  https://access.redhat.com/security/cve/CVE-2019-13750
  https://access.redhat.com/security/cve/CVE-2019-13751
  https://access.redhat.com/security/cve/CVE-2019-17594
  https://access.redhat.com/security/cve/CVE-2019-17595
  https://access.redhat.com/security/cve/CVE-2019-18218
  https://access.redhat.com/security/cve/CVE-2019-18874
  https://access.redhat.com/security/cve/CVE-2019-19603
  https://access.redhat.com/security/cve/CVE-2019-20838
  https://access.redhat.com/security/cve/CVE-2020-13435
  https://access.redhat.com/security/cve/CVE-2020-14155
  https://access.redhat.com/security/cve/CVE-2020-24370
  https://access.redhat.com/security/cve/CVE-2020-28493
  https://access.redhat.com/security/cve/CVE-2021-3580
  https://access.redhat.com/security/cve/CVE-2021-3634
  https://access.redhat.com/security/cve/CVE-2021-3737
  https://access.redhat.com/security/cve/CVE-2021-4189
  https://access.redhat.com/security/cve/CVE-2021-20095
  https://access.redhat.com/security/cve/CVE-2021-20231
  https://access.redhat.com/security/cve/CVE-2021-20232
  https://access.redhat.com/security/cve/CVE-2021-23177
  https://access.redhat.com/security/cve/CVE-2021-25219
  https://access.redhat.com/security/cve/CVE-2021-31566
  https://access.redhat.com/security/cve/CVE-2021-36084
  https://access.redhat.com/security/cve/CVE-2021-36085
  https://access.redhat.com/security/cve/CVE-2021-36086
  https://access.redhat.com/security/cve/CVE-2021-36087
  https://access.redhat.com/security/cve/CVE-2021-38561
  https://access.redhat.com/security/cve/CVE-2021-40528
  https://access.redhat.com/security/cve/CVE-2021-42771
  https://access.redhat.com/security/cve/CVE-2022-0778
  https://access.redhat.com/security/cve/CVE-2022-1271
  https://access.redhat.com/security/cve/CVE-2022-1621
  https://access.redhat.com/security/cve/CVE-2022-1629
  https://access.redhat.com/security/cve/CVE-2022-1706
  https://access.redhat.com/security/cve/CVE-2022-1729
  https://access.redhat.com/security/cve/CVE-2022-21698
  https://access.redhat.com/security/cve/CVE-2022-22576
  https://access.redhat.com/security/cve/CVE-2022-23772
  https://access.redhat.com/security/cve/CVE-2022-23773
  https://access.redhat.com/security/cve/CVE-2022-23806
  https://access.redhat.com/security/cve/CVE-2022-24407
  https://access.redhat.com/security/cve/CVE-2022-24675
  https://access.redhat.com/security/cve/CVE-2022-24903
  https://access.redhat.com/security/cve/CVE-2022-24921
  https://access.redhat.com/security/cve/CVE-2022-25313
  https://access.redhat.com/security/cve/CVE-2022-25314
  https://access.redhat.com/security/cve/CVE-2022-27191
  https://access.redhat.com/security/cve/CVE-2022-27774
  https://access.redhat.com/security/cve/CVE-2022-27776
  https://access.redhat.com/security/cve/CVE-2022-27782
  https://access.redhat.com/security/cve/CVE-2022-28327
  https://access.redhat.com/security/cve/CVE-2022-29162
  https://access.redhat.com/security/cve/CVE-2022-29824
  https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is . More contact
details at   https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.