An OpenShift Container Platform 4.13.0 CNF vRAN extras security update has been released.

RHSA-2023:2138-01: Moderate: OpenShift Container Platform 4.13.0 CNF vRAN extras security update

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: OpenShift Container Platform 4.13.0 CNF vRAN extras security update
Advisory ID: RHSA-2023:2138-01
Product: Red Hat OpenShift Enterprise
Advisory URL:   https://access.redhat.com/errata/RHSA-2023:2138
Issue date: 2023-05-18
CVE Names: CVE-2020-16251 CVE-2021-43998
=====================================================================

1. Summary:

An update for ztp-site-generate-container, topology-aware-lifecycle-manager
and bare-metal-event-relay is now available for Red Hat OpenShift Container
Platform 4.13.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.

This advisory contains the extra low-latency container images for Red Hat
OpenShift Container Platform 4.13. See the following advisory for the
container images for this release:

  https://access.redhat.com/errata/RHSA-2023:1326

All OpenShift Container Platform users are advised to upgrade to these
updated packages and images.

Security Fix(es):

* vault: GCP Auth Method Allows Authentication Bypass (CVE-2020-16251)
* vault: incorrect policy enforcement (CVE-2021-43998)

3. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

  https://access.redhat.com/articles/11258

4. Bugs fixed (  https://bugzilla.redhat.com/):

2028193 - CVE-2021-43998 vault: incorrect policy enforcement
2167340 - CVE-2020-16251 vault: GCP Auth Method Allows Authentication Bypass

5. JIRA issues fixed (  https://issues.jboss.org/):

OCPBUGS-10819 - TALM SNO Backup Fails on Managed Cluster Running CoreOS 9.2
OCPBUGS-11890 - TALM keeps spinning with the hub template error when unsupported hub template function is being used in the second policy
OCPBUGS-2336 - dataset_comparison should be G.8275.x in ptpconfig source crs
OCPBUGS-3005 - step_threshold should be changed from 0.0 to 2.0 in in ptpconfig source crs
OCPBUGS-3047 - TALM spent 42 minutes precaching when there was no precaching work to be done.
OCPBUGS-3092 - TALM precaching pulls more content than needed
OCPBUGS-3210 - TALM attempting to approve PAO installplan for 4.11 operator upgrade
OCPBUGS-3885 - After CGU timed out it got stuck in a loop and kept adding duplicates to status field
OCPBUGS-3954 - Precaching status missing for temporarily unavailable clusters
OCPBUGS-4197 - CGU pod goes to CrashLoopBackOff when incorrect channel is provided for OCP precaching
OCPBUGS-4200 - Segfault from TALM after CGU timeout
OCPBUGS-4246 - Precaching spec error due to invalid policy combination reported as precaching/backup failures on spokes
OCPBUGS-4329 - Cannot install LVMO through gitops ZTP
OCPBUGS-4406 - ptp configs should match reference configs
OCPBUGS-4704 - TALM - precache does not begin if catalogsource config policy is Compliant
OCPBUGS-4821 - TALM getImageForVersionFromUpdateGraph func making insecure external calls
OCPBUGS-5797 - TALM backup CGU only indicates status of one cluster when two clusters are being backed up
OCPBUGS-6612 - Default backup timeout too short for large scale upgrade
OCPBUGS-6769 - TALM 4.11 pre-cache fails on 4.10 cluster
OCPBUGS-6944 - TALM backup - recovery script fails due to unable to find running container even though it is running
OCPBUGS-7217 - TALM cli state is not correct when cgu is enabled after backup
OCPBUGS-7464 - Unable to deploy 4.11 spoke using ZTP 4.13 due to new spec added to performanceprofile
OCPBUGS-7933 - Image Precaching Fails Due To Missing check_space Script
OCPBUGS-7948 - 4.13 bmer build does not include 4.13 sidecar changes
OCPBUGS-8006 - TALM applies a 5 minute reconciliation loop to monitor cluster readiness and start policy application
OCPBUGS-8032 - TALM Fails to Report Low Disk Space during Image Precaching
OCPBUGS-8414 - BMER - operator upgrade from 4.12 to 4.13 does not work - subs stays at AtLatestKnown and no installplan is created
OCPBUGS-8525 - TALM may miss MCP reconcile after change to PerformanceProfile or operator upgrade
OCPBUGS-9428 - ignition reports warning at $.systemd.units.22.contents, line 1 col 363575: unit "container-mount-namespace.service" is enabled, but has no install section so enable does nothing
OCPBUGS-9943 - Remove duplicated field macAddress from Siteconfigs

6. References:

  https://access.redhat.com/security/cve/CVE-2020-16251
  https://access.redhat.com/security/cve/CVE-2021-43998
  https://access.redhat.com/security/updates/classification/#moderate

7. Contact:

The Red Hat security contact is . More contact
details at   https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.