ID

VAR-202103-1463

CVE

CVE-2021-3450

TITLE

Red Hat Security Advisory 2021-3016-01

DESCRIPTION

The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default. Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve parameters was added as an additional strict check. An error in the implementation of this check meant that the result of a previous check to confirm that certificates in the chain are valid CA certificates was overwritten. This effectively bypasses the check that non-CA certificates must not be able to issue other certificates. If a "purpose" has been configured then there is a subsequent opportunity for checks that the certificate is a valid CA. All of the named "purpose" values implemented in libcrypto perform this check. Therefore, where a purpose is set the certificate chain will still be rejected even when the strict flag has been used. A purpose is set by default in libssl client and server certificate verification routines, but it can be overridden or removed by an application. In order to be affected, an application must explicitly set the X509_V_FLAG_X509_STRICT verification flag and either not set a purpose for the certificate verification or, in the case of TLS client or server applications, override the default purpose. OpenSSL versions 1.1.1h and newer are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1h-1.1.1j). OpenSSL is an open source general encryption library of the Openssl team that can implement the Secure Sockets Layer (SSLv2/v3) and Transport Layer Security (TLSv1) protocols. The product supports a variety of encryption algorithms, including symmetric ciphers, hash algorithms, secure hash algorithms, etc. On March 25, 2021, the OpenSSL Project released a security advisory, OpenSSL Security Advisory [25 March 2021], that disclosed two vulnerabilities. Exploitation of these vulnerabilities could allow an malicious user to use a valid non-certificate authority (CA) certificate to act as a CA and sign a certificate for an arbitrary organization, user or device, or to cause a denial of service (DoS) condition. Description: Red Hat Advanced Cluster Management for Kubernetes 2.3.0 images Red Hat Advanced Cluster Management for Kubernetes provides the capabilities to address common challenges that administrators and site reliability engineers face as they work across a range of public and private cloud environments. Clusters and applications are all visible and managed from a single console—with security policy built in. See the following Release Notes documentation, which will be updated shortly for this release, for additional details about this release: https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_mana gement_for_kubernetes/2.3/html/release_notes/ Security: * fastify-reply-from: crafted URL allows prefix scape of the proxied backend service (CVE-2021-21321) * fastify-http-proxy: crafted URL allows prefix scape of the proxied backend service (CVE-2021-21322) * nodejs-netmask: improper input validation of octal input data (CVE-2021-28918) * redis: Integer overflow via STRALGO LCS command (CVE-2021-29477) * redis: Integer overflow via COPY command for large intsets (CVE-2021-29478) * nodejs-glob-parent: Regular expression denial of service (CVE-2020-28469) * nodejs-lodash: ReDoS via the toNumber, trim and trimEnd functions (CVE-2020-28500) * golang.org/x/text: Panic in language.ParseAcceptLanguage while parsing - -u- extension (CVE-2020-28851) * golang.org/x/text: Panic in language.ParseAcceptLanguage while processing bcp47 tag (CVE-2020-28852) * nodejs-ansi_up: XSS due to insufficient URL sanitization (CVE-2021-3377) * oras: zip-slip vulnerability via oras-pull (CVE-2021-21272) * redis: integer overflow when configurable limit for maximum supported bulk input size is too big on 32-bit platforms (CVE-2021-21309) * nodejs-lodash: command injection via template (CVE-2021-23337) * nodejs-hosted-git-info: Regular Expression denial of service via shortcutMatch in fromUrl() (CVE-2021-23362) * browserslist: parsing of invalid queries could result in Regular Expression Denial of Service (ReDoS) (CVE-2021-23364) * nodejs-postcss: Regular expression denial of service during source map parsing (CVE-2021-23368) * nodejs-handlebars: Remote code execution when compiling untrusted compile templates with strict:true option (CVE-2021-23369) * nodejs-postcss: ReDoS via getAnnotationURL() and loadAnnotation() in lib/previous-map.js (CVE-2021-23382) * nodejs-handlebars: Remote code execution when compiling untrusted compile templates with compat:true option (CVE-2021-23383) * openssl: integer overflow in CipherUpdate (CVE-2021-23840) * openssl: NULL pointer dereference in X509_issuer_and_serial_hash() (CVE-2021-23841) * nodejs-ua-parser-js: ReDoS via malicious User-Agent header (CVE-2021-27292) * grafana: snapshot feature allow an unauthenticated remote attacker to trigger a DoS via a remote API call (CVE-2021-27358) * nodejs-is-svg: ReDoS via malicious string (CVE-2021-28092) * nodejs-netmask: incorrectly parses an IP address that has octal integer with invalid character (CVE-2021-29418) * ulikunitz/xz: Infinite loop in readUvarint allows for denial of service (CVE-2021-29482) * normalize-url: ReDoS for data URLs (CVE-2021-33502) * nodejs-trim-newlines: ReDoS in .end() method (CVE-2021-33623) * nodejs-path-parse: ReDoS via splitDeviceRe, splitTailRe and splitPathRe (CVE-2021-23343) * html-parse-stringify: Regular Expression DoS (CVE-2021-23346) * openssl: incorrect SSLv2 rollback protection (CVE-2021-23839) For more details about the security issues, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE pages listed in the References section. Bugs: * RFE Make the source code for the endpoint-metrics-operator public (BZ# 1913444) * cluster became offline after apiserver health check (BZ# 1942589) 3. Bugs fixed (https://bugzilla.redhat.com/): 1913333 - CVE-2020-28851 golang.org/x/text: Panic in language.ParseAcceptLanguage while parsing -u- extension 1913338 - CVE-2020-28852 golang.org/x/text: Panic in language.ParseAcceptLanguage while processing bcp47 tag 1913444 - RFE Make the source code for the endpoint-metrics-operator public 1921286 - CVE-2021-21272 oras: zip-slip vulnerability via oras-pull 1927520 - RHACM 2.3.0 images 1928937 - CVE-2021-23337 nodejs-lodash: command injection via template 1928954 - CVE-2020-28500 nodejs-lodash: ReDoS via the toNumber, trim and trimEnd functions 1930294 - CVE-2021-23839 openssl: incorrect SSLv2 rollback protection 1930310 - CVE-2021-23841 openssl: NULL pointer dereference in X509_issuer_and_serial_hash() 1930324 - CVE-2021-23840 openssl: integer overflow in CipherUpdate 1932634 - CVE-2021-21309 redis: integer overflow when configurable limit for maximum supported bulk input size is too big on 32-bit platforms 1936427 - CVE-2021-3377 nodejs-ansi_up: XSS due to insufficient URL sanitization 1939103 - CVE-2021-28092 nodejs-is-svg: ReDoS via malicious string 1940196 - View Resource YAML option shows 404 error when reviewing a Subscription for an application 1940613 - CVE-2021-27292 nodejs-ua-parser-js: ReDoS via malicious User-Agent header 1941024 - CVE-2021-27358 grafana: snapshot feature allow an unauthenticated remote attacker to trigger a DoS via a remote API call 1941675 - CVE-2021-23346 html-parse-stringify: Regular Expression DoS 1942178 - CVE-2021-21321 fastify-reply-from: crafted URL allows prefix scape of the proxied backend service 1942182 - CVE-2021-21322 fastify-http-proxy: crafted URL allows prefix scape of the proxied backend service 1942589 - cluster became offline after apiserver health check 1943208 - CVE-2021-23362 nodejs-hosted-git-info: Regular Expression denial of service via shortcutMatch in fromUrl() 1944822 - CVE-2021-29418 nodejs-netmask: incorrectly parses an IP address that has octal integer with invalid character 1944827 - CVE-2021-28918 nodejs-netmask: improper input validation of octal input data 1945459 - CVE-2020-28469 nodejs-glob-parent: Regular expression denial of service 1948761 - CVE-2021-23369 nodejs-handlebars: Remote code execution when compiling untrusted compile templates with strict:true option 1948763 - CVE-2021-23368 nodejs-postcss: Regular expression denial of service during source map parsing 1954150 - CVE-2021-23382 nodejs-postcss: ReDoS via getAnnotationURL() and loadAnnotation() in lib/previous-map.js 1954368 - CVE-2021-29482 ulikunitz/xz: Infinite loop in readUvarint allows for denial of service 1955619 - CVE-2021-23364 browserslist: parsing of invalid queries could result in Regular Expression Denial of Service (ReDoS) 1956688 - CVE-2021-23383 nodejs-handlebars: Remote code execution when compiling untrusted compile templates with compat:true option 1956818 - CVE-2021-23343 nodejs-path-parse: ReDoS via splitDeviceRe, splitTailRe and splitPathRe 1957410 - CVE-2021-29477 redis: Integer overflow via STRALGO LCS command 1957414 - CVE-2021-29478 redis: Integer overflow via COPY command for large intsets 1964461 - CVE-2021-33502 normalize-url: ReDoS for data URLs 1966615 - CVE-2021-33623 nodejs-trim-newlines: ReDoS in .end() method 1968122 - clusterdeployment fails because hiveadmission sc does not have correct permissions 1972703 - Subctl fails to join cluster, since it cannot auto-generate a valid cluster id 1983131 - Defragmenting an etcd member doesn't reduce the DB size (7.5GB) on a setup with ~1000 spoke clusters 5. This issue was reported to OpenSSL on 18th March 2021 by Benjamin Kaduk from Akamai and was discovered by Xiang Ding and others at Akamai. The fix was developed by Tomáš Mráz. NULL pointer deref in signature_algorithms processing (CVE-2021-3449) ===================================================================== Severity: High An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack. A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration). This issue was reported to OpenSSL on 17th March 2021 by Nokia. The fix was developed by Peter Kästle and Samuel Sapalski from Nokia. Note ==== OpenSSL 1.0.2 is out of support and no longer receiving public updates. Extended support is available for premium support customers: https://www.openssl.org/support/contracts.html OpenSSL 1.1.0 is out of support and no longer receiving updates of any kind. References ========== URL for this Security Advisory: https://www.openssl.org/news/secadv/20210325.txt Note: the online version of the advisory may be updated with additional details over time. For details of OpenSSL severity classifications please see: https://www.openssl.org/policies/secpolicy.html . Bug Fix(es): This update includes various bug fixes and enhancements. Space precludes documenting all of these changes in this advisory. Bugs fixed (https://bugzilla.redhat.com/): 1803849 - [RFE] Include per volume encryption with Vault integration in RHCS 4.1 1814681 - [RFE] use topologySpreadConstraints to evenly spread OSDs across hosts 1840004 - CVE-2020-7608 nodejs-yargs-parser: prototype pollution vulnerability 1850089 - OBC CRD is outdated and leads to missing columns in get queries 1860594 - Toolbox pod should have toleration for OCS tainted nodes 1861104 - OCS podDisruptionBudget prevents successful OCP upgrades 1861878 - [RFE] use appropriate PDB values for OSD 1866301 - [RHOCS Usability Study][Installation] “Create storage cluster” should be a part of the installation flow or need to be emphasized as a crucial step. 1869406 - must-gather should include historical pod logs 1872730 - [RFE][External mode] Re-configure noobaa to use the updated RGW endpoint from the RHCS cluster 1874367 - "Create Backing Store" page doesn't allow to select already defined k8s secret as target bucket credentials when Google Cloud Storage is selected as a provider 1883371 - CVE-2020-26160 jwt-go: access restriction bypass vulnerability 1886112 - log message flood with Reconciling StorageCluster","Request.Namespace":"openshift-storage","Request.Name":"ocs-storagecluster" 1886416 - Uninstall 4.6: ocs-operator logging regarding noobaa-core PVC needs change 1886638 - CVE-2020-8565 kubernetes: Incomplete fix for CVE-2019-11250 allows for token leak in logs when logLevel >= 9 1888839 - Create public route for ceph-rgw service 1892622 - [GSS] Noobaa management dashboard reporting High number of issues when the cluster is in healthy state 1893611 - Skip ceph commands collection attempt if must-gather helper pod is not created 1893613 - must-gather tries to collect ceph commands in external mode when storagecluster already deleted 1893619 - OCS must-gather: Inspect errors for cephobjectoreUser and few ceph commandd when storage cluster does not exist 1894412 - [RFE][External] RGW metrics should be made available even if anything else except 9283 is provided as the monitoring-endpoint-port 1896338 - OCS upgrade from 4.6 to 4.7 build failed 1897246 - OCS - ceph historical logs collection 1897635 - CVE-2020-28362 golang: math/big: panic during recursive division of very large numbers 1898509 - [Tracker][RHV #1899565] Deployment on RHV/oVirt storage class ovirt-csi-sc failing 1898680 - CVE-2020-7774 nodejs-y18n: prototype pollution vulnerability 1898808 - Rook-Ceph crash collector pod should not run on non-ocs node 1900711 - [RFE] Alerting for Namespace buckets and resources 1900722 - Failed to init upgrade process on noobaa-core-0 1900749 - Namespace Resource reported as Healthy when target bucket deleted 1900760 - RPC call for Namespace resource creation allows invalid target bucket names 1901134 - OCS - ceph historical logs collection 1902192 - [RFE][External] RGW metrics should be made available even if anything else except 9283 is provided as the monitoring-endpoint-port 1902685 - Too strict Content-Length header check refuses valid upload requests 1902711 - Tracker for Bug #1903078 Deleting VolumeSnapshotClass makes VolumeSnapshot not Ready 1903973 - [Azure][ROKS] Set SSD tuning (tuneFastDeviceClass) as default for OSD devices in Azure/ROKS platform 1903975 - Add "ceph df detail" for ocs must-gather to enable support to debug compression 1904302 - [GSS] ceph_daemon label includes references to a replaced OSD that cause a prometheus ruleset to fail 1904929 - [GSS][RFE]Reduce debug level for logs of Nooba Endpoint pod 1907318 - Unable to deploy & upgrade to ocs 4.7 - missing postgres image reference 1908414 - [GSS][VMWare][ROKS] rgw pods are not showing up in OCS 4.5 - due to pg_limit issue 1908678 - ocs-osd-removal job failed with "Invalid value" error when using multiple ids 1909268 - OCS 4.7 UI install -All OCS operator pods respin after storagecluster creation 1909488 - [NooBaa CLI] CLI status command looks for wrong DB PV name 1909745 - pv-pool backing store name restriction should be at 43 characters 1910705 - OBCs are stuck in a Pending state 1911131 - Bucket stats in the NB dashboard are incorrect 1911266 - Backingstore phase is ready, modecode is INITIALIZING 1911627 - CVE-2020-26289 nodejs-date-and-time: ReDoS in parsing via date.compile 1911789 - Data deduplication does not work properly 1912421 - [RFE] noobaa cli allow the creation of BackingStores with already existing secrets 1912894 - OCS storagecluster is Progressing state and some noobaa pods missing with latest 4.7 build -4.7.0-223.ci and storagecluster reflected as 4.8.0 instead of 4.7.0 1913149 - make must-gather backward compatibility for version <4.6 1913357 - ocs-operator should show error when flexible scaling and arbiter are both enabled at the same time 1914132 - No metrics available in the Object Service Dashboard in OCS 4.7, logs show "failed to retrieve metrics exporter servicemonitor" 1914159 - When OCS was deployed using arbiter mode mon's are going into CLBO state, ceph version = 14.2.11-95 1914215 - must-gather fails to delete the completed state compute-xx-debug pods after successful completion 1915111 - OCS OSD selection algorithm is making some strange choices. 1915261 - Deleted MCG CRs are stuck in a 'Deleting' state 1915445 - Uninstall 4.7: Storagecluster deletion stuck on a partially created KMS enabled OCS cluster + support TLS configuration for KMS 1915644 - update noobaa db label in must-gather to collect db pod in noobaa dir 1915698 - There is missing noobaa-core-0 pod after upgrade from OCS 4.6 to OCS 4.7 1915706 - [Azure][RBD] PV taking longer time ~ 9 minutes to get deleted 1915730 - [ocs-operator] Create public route for ceph-rgw service 1915737 - Improve ocs-operator logging during uninstall to be more verbose, to understand reasons for failures - e.g. for Bug 1915445 1915758 - improve noobaa logging in case of uninstall - logs do not specify clearly the resource on which deletion is stuck 1915807 - Arbiter: OCS Install failed when used label = topology.kubernetes.io/zone instead of deprecated failureDomain label 1915851 - OCS PodDisruptionBudget redesign for OSDs to allow multiple nodes to drain in the same failure domain 1915953 - Must-gather takes hours to complete if the OCS cluster is not fully deployed, delay seen in ceph command collection step 1916850 - Uninstall 4.7- rook: Storagecluster deletion stuck on a partially created KMS enabled OCS cluster(OSD creation failed) 1917253 - Restore-pvc creation fails with error "csi-vol-* has unsupported quota" 1917815 - [IBM Z and Power] OSD pods restarting due to OOM during upgrade test using ocs-ci 1918360 - collect timestamp for must-gather commands and also the total time taken for must-gather to complete 1918750 - CVE-2021-3114 golang: crypto/elliptic: incorrect operations on the P-224 curve 1918925 - noobaa operator pod logs messages for other components - like rook-ceph-mon, csi-pods, new Storageclass, etc 1918938 - ocs-operator has Error logs with "unable to deploy Prometheus rules" 1919967 - MCG RPC calls time out and the system is unresponsive 1920202 - RGW pod did not get created when OCS was deployed using arbiter mode 1920498 - [IBM Z] OSDs are OOM killed and storage cluster goes into error state during ocs-ci tier1 pvc expansion tests 1920507 - Creation of cephblockpool with compression failed on timeout 1921521 - Add support for VAULT_SKIP_VERIFY option in Ceph-CSI 1921540 - RBD PVC creation fails with error "invalid encryption kms configuration: "POD_NAMESPACE" is not set" 1921609 - MongoNetworkError messages in noobaa-core logs 1921625 - 'Not Found: Secret "noobaa-root-master-key" message' in noobaa logs and cli output when kms is configured 1922064 - uninstall on VMware LSO+ arbiter with 4 OSDs in Pending state: Storagecluster deletion stuck, waiting for cephcluster to be deleted 1922108 - OCS 4.7 4.7.0-242.ci and beyond: osd pods are not created 1922113 - noobaa-db pod init container is crashing after OCS upgrade from OCS 4.6 to OCS 4.7 1922119 - PVC snapshot creation failing on OCP4.6-OCS 4.7 cluster 1922421 - [ROKS] OCS deployment stuck at mon pod in pending state 1922954 - [IBM Z] OCS: Failed tests because of osd deviceset restarts 1924185 - Object Service Dashboard shows alerts related to "system-internal-storage-pool" in OCS 4.7 1924211 - 4.7.0-249.ci: RGW pod not deployed, rook logs show - failed to create object store "must be no more than 63 characters" 1924634 - MG terminal logs show `pods "compute-x-debug" not found` even though pods are in Running state 1924784 - RBD PVC creation fails with error "invalid encryption kms configuration: failed to parse kms configuration" 1924792 - RBD PVC creation fails with error "invalid encryption kms configuration: failed to parse kms configuration" 1925055 - OSD pod stuck in Init:CrashLoopBackOff following Node maintenance in OCP upgrade from OCP 4.7 to 4.7 nightly 1925179 - MG fix [continuation from bug 1893619]: Do not attempt creating helper pod if storagecluster/cephcluster already deleted 1925249 - KMS resources should be garbage collected when StorageCluster is deleted 1925533 - [GSS] Unable to install Noobaa in AWS govcloud 1926182 - [RFE] Support disabling reconciliation of monitoring related resources using a dedicated reconcile strategy flag 1926617 - osds are in Init:CrashLoopBackOff with rgw in CrashLoopBackOff on KMS enabled cluster 1926717 - Only one NOOBAA_ROOT_SECRET_PATH key created in vault when the same backend path is used for multiple OCS clusters 1926831 - [IBM][ROKS] Deploy RGW pods only if IBM COS is not available on platform 1927128 - [Tracker for BZ #1937088] When Performed add capacity over arbiter mode cluster ceph health reports PG_AVAILABILITY Reduced data availability: 25 pgs inactive, 25 pgs incomplete 1927138 - must-gather skip collection of ceph in every run 1927186 - Configure pv-pool as backing store if cos creds secret not found in IBM Cloud 1927317 - [Arbiter] Storage Cluster installation did not started because ocs-operator was Expecting 8 node found 4 1927330 - Namespacestore-backed OBCs are stuck on Pending 1927338 - Uninstall OCS: Include events for major CRs to know the cause of deletion getting stuck 1927885 - OCS 4.7: ocs operator pod in 1/1 state even when Storagecluster is in Progressing state 1928063 - For FD: rack: actual osd pod distribution and OSD placement in rack under ceph osd tree output do not match 1928451 - MCG CLI command of diagnose doesn't work on windows 1928471 - [Deployment blocker] Ceph OSDs do not register properly in the CRUSH map 1928487 - MCG CLI - noobaa ui command shows wss instead of https 1928642 - [IBM Z] rook-ceph-rgw pods restarts continously with ocs version 4.6.3 due to liveness probe failure 1931191 - Backing/namespacestores are stuck on Creating with credentials errors 1931810 - LSO deployment(flexibleScaling:true): 100% PGS unknown even though ceph osd tree placement is correct(root cause diff from bug 1928471) 1931839 - OSD in state init:CrashLoopBackOff with KMS signed certificates 1932400 - Namespacestore deletion takes 15 minutes 1933607 - Prevent reconcile of labels on all monitoring resources deployed by ocs-operator 1933609 - Prevent reconcile of labels on all monitoring resources deployed by rook 1933736 - Allow shrinking the cluster by removing OSDs 1934000 - Improve error logging for kv-v2 while using encryption with KMS 1934990 - Ceph health ERR post node drain on KMS encryption enabled cluster 1935342 - [RFE] Add OSD flapping alert 1936545 - [Tracker for BZ #1938669] setuid and setgid file bits are not retained after a OCS CephFS CSI restore 1936877 - Include at OCS Multi-Cloud Object Gateway core container image the fixes on CVEs from RHEL8 on "nodejs" 1937070 - Storage cluster cannot be uninstalled when cluster not fully configured 1937100 - [RGW][notification][kafka]: notification fails with error: pubsub endpoint configuration error: unknown schema in: kafka 1937245 - csi-cephfsplugin pods CrashLoopBackoff in fresh 4.6 cluster due to conflict with kube-rbac-proxy 1937768 - OBC with Cache BucketPolicy stuck on pending 1939026 - ServiceUnavailable when calling the CreateBucket operation (reached max retries: 4): Reduce your request rate 1939472 - Failure domain set incorrectly to zone if flexible scaling is enabled but there are >= 3 zones 1939617 - [Arbiter] Mons cannot be failed over in stretch mode 1940440 - noobaa migration pod is deleted on failure and logs are not available for inspection 1940476 - Backingstore deletion hangs 1940957 - Deletion of Rejected NamespaceStore is stuck even when target bucket and bucketclass are deleted 1941647 - OCS deployment fails when no backend path is specified for cluster wide encryption using KMS 1941977 - rook-ceph-osd-X gets stuck in initcontainer expand-encrypted-bluefs 1942344 - No permissions in /etc/passwd leads to fail noobaa-operaor 1942350 - No permissions in /etc/passwd leads to fail noobaa-operaor 1942519 - MCG should not use KMS to store encryption keys if cluster wide encryption is not enabled using KMS 1943275 - OSD pods re-spun after "add capacity" on cluster with KMS 1943596 - [Tracker for BZ #1944611][Arbiter] When Performed zone(zone=a) Power off and Power On, 3 mon pod(zone=b,c) goes in CLBO after node Power off and 2 Osd(zone=a) goes in CLBO after node Power on 1944980 - Noobaa deployment fails when no KMS backend path is provided during storagecluster creation 1946592 - [Arbiter] When both the rgw pod hosting nodes are down, the rgw service is unavailable 1946837 - OCS 4.7 Arbiter Mode Cluster becomes stuck when entire zone is shutdown 1955328 - Upgrade of noobaa DB failed when upgrading OCS 4.6 to 4.7 1955601 - CVE-2021-3528 NooBaa: noobaa-operator leaking RPC AuthToken into log files 1957187 - Update to RHCS 4.2z1 Ceph container image at OCS 4.7.0 1957639 - Noobaa migrate job is failing when upgrading OCS 4.6.4 to 4.7 on FIPS environment 5. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Moderate: Red Hat OpenShift Container Storage 4.6.5 security and bug fix update Advisory ID: RHSA-2021:2479-01 Product: Red Hat OpenShift Container Storage Advisory URL: https://access.redhat.com/errata/RHSA-2021:2479 Issue date: 2021-06-17 CVE Names: CVE-2016-10228 CVE-2017-14502 CVE-2019-2708 CVE-2019-3842 CVE-2019-9169 CVE-2019-13012 CVE-2019-14866 CVE-2019-25013 CVE-2020-8231 CVE-2020-8284 CVE-2020-8285 CVE-2020-8286 CVE-2020-8927 CVE-2020-9948 CVE-2020-9951 CVE-2020-9983 CVE-2020-13434 CVE-2020-13543 CVE-2020-13584 CVE-2020-13776 CVE-2020-15358 CVE-2020-24977 CVE-2020-25659 CVE-2020-25678 CVE-2020-26116 CVE-2020-26137 CVE-2020-27618 CVE-2020-27619 CVE-2020-27783 CVE-2020-28196 CVE-2020-29361 CVE-2020-29362 CVE-2020-29363 CVE-2020-36242 CVE-2021-3139 CVE-2021-3177 CVE-2021-3326 CVE-2021-3449 CVE-2021-3450 CVE-2021-3528 CVE-2021-20305 CVE-2021-23239 CVE-2021-23240 CVE-2021-23336 ==================================================================== 1. Summary: Updated images that fix one security issue and several bugs are now available for Red Hat OpenShift Container Storage 4.6.5 on Red Hat Enterprise Linux 8 from Red Hat Container Registry. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: Red Hat OpenShift Container Storage is software-defined storage integrated with and optimized for the Red Hat OpenShift Container Platform. Red Hat OpenShift Container Storage is a highly scalable, production-grade persistent storage for stateful applications running in the Red Hat OpenShift Container Platform. In addition to persistent storage, Red Hat OpenShift Container Storage provisions a multicloud data management service with an S3 compatible API. Security Fix(es): * NooBaa: noobaa-operator leaking RPC AuthToken into log files (CVE-2021-3528) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es): * Currently, a newly restored PVC cannot be mounted if some of the OpenShift Container Platform nodes are running on a version of Red Hat Enterprise Linux which is less than 8.2, and the snapshot from which the PVC was restored is deleted. Workaround: Do not delete the snapshot from which the PVC was restored until the restored PVC is deleted. (BZ#1962483) * Previously, the default backingstore was not created on AWS S3 when OpenShift Container Storage was deployed, due to incorrect identification of AWS S3. With this update, the default backingstore gets created when OpenShift Container Storage is deployed on AWS S3. (BZ#1927307) * Previously, log messages were printed to the endpoint pod log even if the debug option was not set. With this update, the log messages are printed to the endpoint pod log only when the debug option is set. (BZ#1938106) * Previously, the PVCs could not be provisioned as the `rook-ceph-mds` did not register the pod IP on the monitor servers, and hence every mount on the filesystem timed out, resulting in CephFS volume provisioning failure. With this update, an argument `--public-addr=podIP` is added to the MDS pod when the host network is not enabled, and hence the CephFS volume provisioning does not fail. (BZ#1949558) * Previously, OpenShift Container Storage 4.2 clusters were not updated with the correct cache value, and hence MDSs in standby-replay might report an oversized cache, as rook did not apply the `mds_cache_memory_limit` argument during upgrades. With this update, the `mds_cache_memory_limit` argument is applied during upgrades and the mds daemon operates normally. (BZ#1951348) * Previously, the coredumps were not generated in the correct location as rook was setting the config option `log_file` to an empty string since logging happened on stdout and not on the files, and hence Ceph read the value of the `log_file` to build the dump path. With this update, rook does not set the `log_file` and keeps Ceph's internal default, and hence the coredumps are generated in the correct location and are accessible under `/var/log/ceph/`. (BZ#1938049) * Previously, Ceph became inaccessible, as the mons lose quorum if a mon pod was drained while another mon was failing over. With this update, voluntary mon drains are prevented while a mon is failing over, and hence Ceph does not become inaccessible. (BZ#1946573) * Previously, the mon quorum was at risk, as the operator could erroneously remove the new mon if the operator was restarted during a mon failover. With this update, the operator completes the same mon failover after the operator is restarted, and hence the mon quorum is more reliable in the node drains and mon failover scenarios. (BZ#1959983) All users of Red Hat OpenShift Container Storage are advised to pull these new images from the Red Hat Container Registry. 3. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 4. Bugs fixed (https://bugzilla.redhat.com/): 1938106 - [GSS][RFE]Reduce debug level for logs of Nooba Endpoint pod 1950915 - XSS Vulnerability with Noobaa version 5.5.0-3bacc6b 1951348 - [GSS][CephFS] health warning "MDS cache is too large (3GB/1GB); 0 inodes in use by clients, 0 stray files" for the standby-replay 1951600 - [4.6.z][Clone of BZ #1936545] setuid and setgid file bits are not retained after a OCS CephFS CSI restore 1955601 - CVE-2021-3528 NooBaa: noobaa-operator leaking RPC AuthToken into log files 1957189 - [Rebase] Use RHCS4.2z1 container image with OCS 4..6.5[may require doc update for external mode min supported RHCS version] 1959980 - When a node is being drained, increase the mon failover timeout to prevent unnecessary mon failover 1959983 - [GSS][mon] rook-operator scales mons to 4 after healthCheck timeout 1962483 - [RHEL7][RBD][4.6.z clone] FailedMount error when using restored PVC on app pod 5. References: https://access.redhat.com/security/cve/CVE-2016-10228 https://access.redhat.com/security/cve/CVE-2017-14502 https://access.redhat.com/security/cve/CVE-2019-2708 https://access.redhat.com/security/cve/CVE-2019-3842 https://access.redhat.com/security/cve/CVE-2019-9169 https://access.redhat.com/security/cve/CVE-2019-13012 https://access.redhat.com/security/cve/CVE-2019-14866 https://access.redhat.com/security/cve/CVE-2019-25013 https://access.redhat.com/security/cve/CVE-2020-8231 https://access.redhat.com/security/cve/CVE-2020-8284 https://access.redhat.com/security/cve/CVE-2020-8285 https://access.redhat.com/security/cve/CVE-2020-8286 https://access.redhat.com/security/cve/CVE-2020-8927 https://access.redhat.com/security/cve/CVE-2020-9948 https://access.redhat.com/security/cve/CVE-2020-9951 https://access.redhat.com/security/cve/CVE-2020-9983 https://access.redhat.com/security/cve/CVE-2020-13434 https://access.redhat.com/security/cve/CVE-2020-13543 https://access.redhat.com/security/cve/CVE-2020-13584 https://access.redhat.com/security/cve/CVE-2020-13776 https://access.redhat.com/security/cve/CVE-2020-15358 https://access.redhat.com/security/cve/CVE-2020-24977 https://access.redhat.com/security/cve/CVE-2020-25659 https://access.redhat.com/security/cve/CVE-2020-25678 https://access.redhat.com/security/cve/CVE-2020-26116 https://access.redhat.com/security/cve/CVE-2020-26137 https://access.redhat.com/security/cve/CVE-2020-27618 https://access.redhat.com/security/cve/CVE-2020-27619 https://access.redhat.com/security/cve/CVE-2020-27783 https://access.redhat.com/security/cve/CVE-2020-28196 https://access.redhat.com/security/cve/CVE-2020-29361 https://access.redhat.com/security/cve/CVE-2020-29362 https://access.redhat.com/security/cve/CVE-2020-29363 https://access.redhat.com/security/cve/CVE-2020-36242 https://access.redhat.com/security/cve/CVE-2021-3139 https://access.redhat.com/security/cve/CVE-2021-3177 https://access.redhat.com/security/cve/CVE-2021-3326 https://access.redhat.com/security/cve/CVE-2021-3449 https://access.redhat.com/security/cve/CVE-2021-3450 https://access.redhat.com/security/cve/CVE-2021-3528 https://access.redhat.com/security/cve/CVE-2021-20305 https://access.redhat.com/security/cve/CVE-2021-23239 https://access.redhat.com/security/cve/CVE-2021-23240 https://access.redhat.com/security/cve/CVE-2021-23336 https://access.redhat.com/security/updates/classification/#moderate 6. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2021 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYMtu/9zjgjWX9erEAQh6fhAAm9UPxF0e8ubzCEae+bkQAduwCkzpQ0ND Q1/UcDAAc4ueEhBrwXPhOLrgfBj+VG+QA19YZcNPzbW7I48RGjCm5WccnUyEbFAo FKTspCZW7FkXKBU15u58c/sFCGa4/Yuu+IpqCMuZ6lR2g9WHIBKdVtaB4y59AyfS v59cAorqZ3AoTX4lVys6HfDGySQWlg5P8t6ST72cUJjESi6U0HV00P7ECU2SFxCF HXA4gbXbZ1EPb/1+UkRRnXemJuT8SaRFRTrzj9woTrVAGQFvn+yjxLbZxVZb0WDd 6QeNpiJNICfL+/ExvEmGQucf7NcekYPWud11pnRUfQ+Uqsj+I7YoaepXAAolLzvN kAVVpFNsWADOVz7BrfSKoo4b38UCFOEUSd2d1ijCNE96Q9XyNUpn+kZqz0/wpBQC L+E5N9kEuaLyDBoI0wJAfoqU1NY4Cvl6lIMDgHUv2CE10zxhFwHCDulAfcQgxNQG sIbpSgSegq9HfZSDxa6Rtrox1I7oGhnBy10sIwUUH1+fxAusUk+Xrxf8hUv8KgDz V144yrGwN/6KVxh74A60bJX3ai12l6fC8bkmsxg5K1r/Dk4tUkQeXNdBbaK/rEKO AQs7YDab/0VA2qKtXDRkbnzqBRSbamDNOO/jd28nGMoclaIRHCzQgJRFv6Qb6dwT RCrstqAM5QQ=DHD0 -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce . These packages include redhat-release-virtualization-host, ovirt-node, and rhev-hypervisor. RHVH features a Cockpit user interface for monitoring the host's resources and performing administrative tasks. These packages include redhat-release-virtualization-host, ovirt-node, and rhev-hypervisor. RHVH features a Cockpit user interface for monitoring the host's resources and performing administrative tasks. Changes to the redhat-release-virtualization-host component: * Previously, the redhat-support-tool was missing from the RHV-H 4.4 package. In this release, the redhat-support-tool has been added. For the update to take effect, all services linked to the glibc library must be restarted, or the system rebooted. Bugs fixed (https://bugzilla.redhat.com/): 1892573 - RHVH 4.4.2 fails to boot from SAN when using UUID for /boot partition 1895832 - RHVH 4.4.3: No response when clicking button "Help" in Anaconda GUI 1907306 - "sysstat" doesn't collect data for upgraded RHVH 1907358 - In FIPS mode, RHVH cannot enter the new layer after upgrade 1907746 - RHVH cannot enter the new layer after upgrade testing with STIG profile selected. 1918207 - RHVH upgrade to 4.4.5-1 will fail due to FileNotFoundError 1927395 - RHVH, protecting key packages from being removed. 1928607 - redhat-support-tool is missing from latest RHV-H 4.4 1940845 - Include updated gluster-ansible-features in RHV-H 4.4.5 1941547 - CVE-2021-3450 openssl: CA certificate check bypass with X509_V_FLAG_X509_STRICT 1941554 - CVE-2021-3449 openssl: NULL pointer dereference in signature_algorithms processing 1942040 - Rebase RHV-H 4.4.5 on RHEL-AV 8.3.1 Async 1942498 - Rebase RHV-H 4.4.5 on RHEL-8.3.1.3 6. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. Security Fix(es): * golang: crypto/tls: certificate of wrong type is causing TLS client to panic (CVE-2021-34558) * golang: net: lookup functions may return invalid host names (CVE-2021-33195) * golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty (CVE-2021-33197) * golang: match/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents (CVE-2021-33198) * golang: encoding/xml: infinite loop when using xml.NewTokenDecoder with a custom TokenReader (CVE-2021-27918) * golang: net/http: panic in ReadRequest and ReadResponse when reading a very large header (CVE-2021-31525) * golang: archive/zip: malformed archive may cause panic or memory exhaustion (CVE-2021-33196) It was found that the CVE-2021-27918, CVE-2021-31525 and CVE-2021-33196 have been incorrectly mentioned as fixed in RHSA for Serverless client kn 1.16.0. Bugs fixed (https://bugzilla.redhat.com/): 1983596 - CVE-2021-34558 golang: crypto/tls: certificate of wrong type is causing TLS client to panic 1983651 - Release of OpenShift Serverless Serving 1.17.0 1983654 - Release of OpenShift Serverless Eventing 1.17.0 1989564 - CVE-2021-33195 golang: net: lookup functions may return invalid host names 1989570 - CVE-2021-33197 golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty 1989575 - CVE-2021-33198 golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents 1992955 - CVE-2021-3703 serverless: incomplete fix for CVE-2021-27918 / CVE-2021-31525 / CVE-2021-33196 5

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

TYPE

code execution

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

Red Hat

SOURCES

LAST UPDATE DATE

2025-01-28T22:00:14.024000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE