ID

VAR-202103-1464

CVE

CVE-2021-3449

TITLE

OpenSSL  In  NULL  Pointer dereference vulnerability

DESCRIPTION

An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then a NULL pointer dereference will result, leading to a crash and a denial of service attack. A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which is the default configuration). OpenSSL TLS clients are not impacted by this issue. All OpenSSL 1.1.1 versions are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1k. OpenSSL 1.0.2 is not impacted by this issue. Fixed in OpenSSL 1.1.1k (Affected 1.1.1-1.1.1j). OpenSSL is an open source general encryption library of the Openssl team that can implement the Secure Sockets Layer (SSLv2/v3) and Transport Layer Security (TLSv1) protocols. The product supports a variety of encryption algorithms, including symmetric ciphers, hash algorithms, secure hash algorithms, etc. For the detailed security status of openssl please refer to its security tracker page at: https://security-tracker.debian.org/tracker/openssl Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmBcru1fFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2 NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND z0S4mQ//TejQ2VdmmRyQT6iSB6p9zu55Aq/cDlOaW+i338XKwZyI/AxvA+KMohGb 3xquLt4F9xaqT/I6jEUXRvev/y5+gsF3F6bIDczkR/3YG6YivWOXbcBXqIa8Z+NF F2xcz33R3iMZyLh03N4iw7LaZmCTcXFXgsdpDpGv/SM0Ze7B44GRA9znYtoHWqJk Mbk/ddsCQOYNRPccO+tfLzRKlNmoSIDDTbrPdAnETEevgVDbIHTyh/Wiv3BR/leV YHzEGMZ7EQlCrt7V7DoYp2/tXfmxVbrvw0ZOnyGnrfn/wVgaYhxbYhhP9LqszDgL 0z/KGOOIVs4Kqjos3d5QBymA9M1QNzBbfcH+QV3NmqqmOLHfHEFSGmd/JsCX1H7/ xZo3lFCaLAexZwcwa0cQ8AyZuaBnLmpSKoVb9Oo+MAKiPmmjEJ/IBOF4/qnwlLa6 jJ79/fq/SMV3+Unf4wtNrLV1W/J5Yhio1WIOVYzmIYrCcHpHDT3gtC9LC3IOIVCS ddJJtMB43092Z1knlfujhnEcTrVDxadcW8vce7vkFnErux7cTNSyEKdZ4afUOZP8 nxFDffPylMfvZXVS+Bp1668GiGfVAN9e+cIhy6RatkM2CMx63mZq3tXMfpT6wzps us3U1xgIgTZabZhyyuQGPFwpxLxnc32y26wgCxMjOHtmXdP8T5s= =r6Ce -----END PGP SIGNATURE----- . See the following Release Notes documentation, which will be updated shortly for this release, for additional details about this release: https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_mana gement_for_kubernetes/2.3/html/release_notes/ Security: * fastify-reply-from: crafted URL allows prefix scape of the proxied backend service (CVE-2021-21321) * fastify-http-proxy: crafted URL allows prefix scape of the proxied backend service (CVE-2021-21322) * nodejs-netmask: improper input validation of octal input data (CVE-2021-28918) * redis: Integer overflow via STRALGO LCS command (CVE-2021-29477) * redis: Integer overflow via COPY command for large intsets (CVE-2021-29478) * nodejs-glob-parent: Regular expression denial of service (CVE-2020-28469) * nodejs-lodash: ReDoS via the toNumber, trim and trimEnd functions (CVE-2020-28500) * golang.org/x/text: Panic in language.ParseAcceptLanguage while parsing - -u- extension (CVE-2020-28851) * golang.org/x/text: Panic in language.ParseAcceptLanguage while processing bcp47 tag (CVE-2020-28852) * nodejs-ansi_up: XSS due to insufficient URL sanitization (CVE-2021-3377) * oras: zip-slip vulnerability via oras-pull (CVE-2021-21272) * redis: integer overflow when configurable limit for maximum supported bulk input size is too big on 32-bit platforms (CVE-2021-21309) * nodejs-lodash: command injection via template (CVE-2021-23337) * nodejs-hosted-git-info: Regular Expression denial of service via shortcutMatch in fromUrl() (CVE-2021-23362) * browserslist: parsing of invalid queries could result in Regular Expression Denial of Service (ReDoS) (CVE-2021-23364) * nodejs-postcss: Regular expression denial of service during source map parsing (CVE-2021-23368) * nodejs-handlebars: Remote code execution when compiling untrusted compile templates with strict:true option (CVE-2021-23369) * nodejs-postcss: ReDoS via getAnnotationURL() and loadAnnotation() in lib/previous-map.js (CVE-2021-23382) * nodejs-handlebars: Remote code execution when compiling untrusted compile templates with compat:true option (CVE-2021-23383) * openssl: integer overflow in CipherUpdate (CVE-2021-23840) * openssl: NULL pointer dereference in X509_issuer_and_serial_hash() (CVE-2021-23841) * nodejs-ua-parser-js: ReDoS via malicious User-Agent header (CVE-2021-27292) * grafana: snapshot feature allow an unauthenticated remote attacker to trigger a DoS via a remote API call (CVE-2021-27358) * nodejs-is-svg: ReDoS via malicious string (CVE-2021-28092) * nodejs-netmask: incorrectly parses an IP address that has octal integer with invalid character (CVE-2021-29418) * ulikunitz/xz: Infinite loop in readUvarint allows for denial of service (CVE-2021-29482) * normalize-url: ReDoS for data URLs (CVE-2021-33502) * nodejs-trim-newlines: ReDoS in .end() method (CVE-2021-33623) * nodejs-path-parse: ReDoS via splitDeviceRe, splitTailRe and splitPathRe (CVE-2021-23343) * html-parse-stringify: Regular Expression DoS (CVE-2021-23346) * openssl: incorrect SSLv2 rollback protection (CVE-2021-23839) For more details about the security issues, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE pages listed in the References section. Bugs: * RFE Make the source code for the endpoint-metrics-operator public (BZ# 1913444) * cluster became offline after apiserver health check (BZ# 1942589) 3. Bugs fixed (https://bugzilla.redhat.com/): 1913333 - CVE-2020-28851 golang.org/x/text: Panic in language.ParseAcceptLanguage while parsing -u- extension 1913338 - CVE-2020-28852 golang.org/x/text: Panic in language.ParseAcceptLanguage while processing bcp47 tag 1913444 - RFE Make the source code for the endpoint-metrics-operator public 1921286 - CVE-2021-21272 oras: zip-slip vulnerability via oras-pull 1927520 - RHACM 2.3.0 images 1928937 - CVE-2021-23337 nodejs-lodash: command injection via template 1928954 - CVE-2020-28500 nodejs-lodash: ReDoS via the toNumber, trim and trimEnd functions 1930294 - CVE-2021-23839 openssl: incorrect SSLv2 rollback protection 1930310 - CVE-2021-23841 openssl: NULL pointer dereference in X509_issuer_and_serial_hash() 1930324 - CVE-2021-23840 openssl: integer overflow in CipherUpdate 1932634 - CVE-2021-21309 redis: integer overflow when configurable limit for maximum supported bulk input size is too big on 32-bit platforms 1936427 - CVE-2021-3377 nodejs-ansi_up: XSS due to insufficient URL sanitization 1939103 - CVE-2021-28092 nodejs-is-svg: ReDoS via malicious string 1940196 - View Resource YAML option shows 404 error when reviewing a Subscription for an application 1940613 - CVE-2021-27292 nodejs-ua-parser-js: ReDoS via malicious User-Agent header 1941024 - CVE-2021-27358 grafana: snapshot feature allow an unauthenticated remote attacker to trigger a DoS via a remote API call 1941675 - CVE-2021-23346 html-parse-stringify: Regular Expression DoS 1942178 - CVE-2021-21321 fastify-reply-from: crafted URL allows prefix scape of the proxied backend service 1942182 - CVE-2021-21322 fastify-http-proxy: crafted URL allows prefix scape of the proxied backend service 1942589 - cluster became offline after apiserver health check 1943208 - CVE-2021-23362 nodejs-hosted-git-info: Regular Expression denial of service via shortcutMatch in fromUrl() 1944822 - CVE-2021-29418 nodejs-netmask: incorrectly parses an IP address that has octal integer with invalid character 1944827 - CVE-2021-28918 nodejs-netmask: improper input validation of octal input data 1945459 - CVE-2020-28469 nodejs-glob-parent: Regular expression denial of service 1948761 - CVE-2021-23369 nodejs-handlebars: Remote code execution when compiling untrusted compile templates with strict:true option 1948763 - CVE-2021-23368 nodejs-postcss: Regular expression denial of service during source map parsing 1954150 - CVE-2021-23382 nodejs-postcss: ReDoS via getAnnotationURL() and loadAnnotation() in lib/previous-map.js 1954368 - CVE-2021-29482 ulikunitz/xz: Infinite loop in readUvarint allows for denial of service 1955619 - CVE-2021-23364 browserslist: parsing of invalid queries could result in Regular Expression Denial of Service (ReDoS) 1956688 - CVE-2021-23383 nodejs-handlebars: Remote code execution when compiling untrusted compile templates with compat:true option 1956818 - CVE-2021-23343 nodejs-path-parse: ReDoS via splitDeviceRe, splitTailRe and splitPathRe 1957410 - CVE-2021-29477 redis: Integer overflow via STRALGO LCS command 1957414 - CVE-2021-29478 redis: Integer overflow via COPY command for large intsets 1964461 - CVE-2021-33502 normalize-url: ReDoS for data URLs 1966615 - CVE-2021-33623 nodejs-trim-newlines: ReDoS in .end() method 1968122 - clusterdeployment fails because hiveadmission sc does not have correct permissions 1972703 - Subctl fails to join cluster, since it cannot auto-generate a valid cluster id 1983131 - Defragmenting an etcd member doesn't reduce the DB size (7.5GB) on a setup with ~1000 spoke clusters 5. OpenSSL Security Advisory [25 March 2021] ========================================= CA certificate check bypass with X509_V_FLAG_X509_STRICT (CVE-2021-3450) ======================================================================== Severity: High The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default. Starting from OpenSSL version 1.1.1h a check to disallow certificates in the chain that have explicitly encoded elliptic curve parameters was added as an additional strict check. An error in the implementation of this check meant that the result of a previous check to confirm that certificates in the chain are valid CA certificates was overwritten. This effectively bypasses the check that non-CA certificates must not be able to issue other certificates. If a "purpose" has been configured then there is a subsequent opportunity for checks that the certificate is a valid CA. All of the named "purpose" values implemented in libcrypto perform this check. Therefore, where a purpose is set the certificate chain will still be rejected even when the strict flag has been used. A purpose is set by default in libssl client and server certificate verification routines, but it can be overridden or removed by an application. In order to be affected, an application must explicitly set the X509_V_FLAG_X509_STRICT verification flag and either not set a purpose for the certificate verification or, in the case of TLS client or server applications, override the default purpose. This issue was reported to OpenSSL on 18th March 2021 by Benjamin Kaduk from Akamai and was discovered by Xiang Ding and others at Akamai. The fix was developed by Tomáš Mráz. This issue was reported to OpenSSL on 17th March 2021 by Nokia. The fix was developed by Peter Kästle and Samuel Sapalski from Nokia. Note ==== OpenSSL 1.0.2 is out of support and no longer receiving public updates. Extended support is available for premium support customers: https://www.openssl.org/support/contracts.html OpenSSL 1.1.0 is out of support and no longer receiving updates of any kind. References ========== URL for this Security Advisory: https://www.openssl.org/news/secadv/20210325.txt Note: the online version of the advisory may be updated with additional details over time. For details of OpenSSL severity classifications please see: https://www.openssl.org/policies/secpolicy.html . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: Red Hat OpenShift Container Storage 4.7.0 security, bug fix, and enhancement update Advisory ID: RHSA-2021:2041-01 Product: Red Hat OpenShift Container Storage Advisory URL: https://access.redhat.com/errata/RHSA-2021:2041 Issue date: 2021-05-19 CVE Names: CVE-2020-7608 CVE-2020-7774 CVE-2020-8565 CVE-2020-25678 CVE-2020-26160 CVE-2020-26289 CVE-2020-28362 CVE-2021-3114 CVE-2021-3139 CVE-2021-3449 CVE-2021-3450 CVE-2021-3528 CVE-2021-20305 ===================================================================== 1. Summary: Updated images which include numerous security fixes, bug fixes, and enhancements are now available for Red Hat OpenShift Container Storage 4.7.0 on Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: Red Hat OpenShift Container Storage is software-defined storage integrated with and optimized for the Red Hat OpenShift Container Platform. Red Hat OpenShift Container Storage is a highly scalable, production-grade persistent storage for stateful applications running in the Red Hat OpenShift Container Platform. In addition to persistent storage, Red Hat OpenShift Container Storage provisions a multicloud data management service with an S3 compatible API. Security Fix(es): * nodejs-y18n: prototype pollution vulnerability (CVE-2020-7774) * kubernetes: Incomplete fix for CVE-2019-11250 allows for token leak in logs when logLevel >= 9 (CVE-2020-8565) * jwt-go: access restriction bypass vulnerability (CVE-2020-26160) * nodejs-date-and-time: ReDoS in parsing via date.compile (CVE-2020-26289) * golang: math/big: panic during recursive division of very large numbers (CVE-2020-28362) * golang: crypto/elliptic: incorrect operations on the P-224 curve (CVE-2021-3114) * NooBaa: noobaa-operator leaking RPC AuthToken into log files (CVE-2021-3528) * nodejs-yargs-parser: prototype pollution vulnerability (CVE-2020-7608) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es): This update includes various bug fixes and enhancements. Space precludes documenting all of these changes in this advisory. Users are directed to the Red Hat OpenShift Container Storage Release Notes for information on the most significant of these changes: https://access.redhat.com/documentation/en-us/red_hat_openshift_container_s torage/4.7/html-single/4.7_release_notes/index All Red Hat OpenShift Container Storage users are advised to upgrade to these updated images. 3. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 4. Bugs fixed (https://bugzilla.redhat.com/): 1803849 - [RFE] Include per volume encryption with Vault integration in RHCS 4.1 1814681 - [RFE] use topologySpreadConstraints to evenly spread OSDs across hosts 1840004 - CVE-2020-7608 nodejs-yargs-parser: prototype pollution vulnerability 1850089 - OBC CRD is outdated and leads to missing columns in get queries 1860594 - Toolbox pod should have toleration for OCS tainted nodes 1861104 - OCS podDisruptionBudget prevents successful OCP upgrades 1861878 - [RFE] use appropriate PDB values for OSD 1866301 - [RHOCS Usability Study][Installation] “Create storage cluster” should be a part of the installation flow or need to be emphasized as a crucial step. 1869406 - must-gather should include historical pod logs 1872730 - [RFE][External mode] Re-configure noobaa to use the updated RGW endpoint from the RHCS cluster 1874367 - "Create Backing Store" page doesn't allow to select already defined k8s secret as target bucket credentials when Google Cloud Storage is selected as a provider 1883371 - CVE-2020-26160 jwt-go: access restriction bypass vulnerability 1886112 - log message flood with Reconciling StorageCluster","Request.Namespace":"openshift-storage","Request.Name":"ocs-storagecluster" 1886416 - Uninstall 4.6: ocs-operator logging regarding noobaa-core PVC needs change 1886638 - CVE-2020-8565 kubernetes: Incomplete fix for CVE-2019-11250 allows for token leak in logs when logLevel >= 9 1888839 - Create public route for ceph-rgw service 1892622 - [GSS] Noobaa management dashboard reporting High number of issues when the cluster is in healthy state 1893611 - Skip ceph commands collection attempt if must-gather helper pod is not created 1893613 - must-gather tries to collect ceph commands in external mode when storagecluster already deleted 1893619 - OCS must-gather: Inspect errors for cephobjectoreUser and few ceph commandd when storage cluster does not exist 1894412 - [RFE][External] RGW metrics should be made available even if anything else except 9283 is provided as the monitoring-endpoint-port 1896338 - OCS upgrade from 4.6 to 4.7 build failed 1897246 - OCS - ceph historical logs collection 1897635 - CVE-2020-28362 golang: math/big: panic during recursive division of very large numbers 1898509 - [Tracker][RHV #1899565] Deployment on RHV/oVirt storage class ovirt-csi-sc failing 1898680 - CVE-2020-7774 nodejs-y18n: prototype pollution vulnerability 1898808 - Rook-Ceph crash collector pod should not run on non-ocs node 1900711 - [RFE] Alerting for Namespace buckets and resources 1900722 - Failed to init upgrade process on noobaa-core-0 1900749 - Namespace Resource reported as Healthy when target bucket deleted 1900760 - RPC call for Namespace resource creation allows invalid target bucket names 1901134 - OCS - ceph historical logs collection 1902192 - [RFE][External] RGW metrics should be made available even if anything else except 9283 is provided as the monitoring-endpoint-port 1902685 - Too strict Content-Length header check refuses valid upload requests 1902711 - Tracker for Bug #1903078 Deleting VolumeSnapshotClass makes VolumeSnapshot not Ready 1903973 - [Azure][ROKS] Set SSD tuning (tuneFastDeviceClass) as default for OSD devices in Azure/ROKS platform 1903975 - Add "ceph df detail" for ocs must-gather to enable support to debug compression 1904302 - [GSS] ceph_daemon label includes references to a replaced OSD that cause a prometheus ruleset to fail 1904929 - [GSS][RFE]Reduce debug level for logs of Nooba Endpoint pod 1907318 - Unable to deploy & upgrade to ocs 4.7 - missing postgres image reference 1908414 - [GSS][VMWare][ROKS] rgw pods are not showing up in OCS 4.5 - due to pg_limit issue 1908678 - ocs-osd-removal job failed with "Invalid value" error when using multiple ids 1909268 - OCS 4.7 UI install -All OCS operator pods respin after storagecluster creation 1909488 - [NooBaa CLI] CLI status command looks for wrong DB PV name 1909745 - pv-pool backing store name restriction should be at 43 characters 1910705 - OBCs are stuck in a Pending state 1911131 - Bucket stats in the NB dashboard are incorrect 1911266 - Backingstore phase is ready, modecode is INITIALIZING 1911627 - CVE-2020-26289 nodejs-date-and-time: ReDoS in parsing via date.compile 1911789 - Data deduplication does not work properly 1912421 - [RFE] noobaa cli allow the creation of BackingStores with already existing secrets 1912894 - OCS storagecluster is Progressing state and some noobaa pods missing with latest 4.7 build -4.7.0-223.ci and storagecluster reflected as 4.8.0 instead of 4.7.0 1913149 - make must-gather backward compatibility for version <4.6 1913357 - ocs-operator should show error when flexible scaling and arbiter are both enabled at the same time 1914132 - No metrics available in the Object Service Dashboard in OCS 4.7, logs show "failed to retrieve metrics exporter servicemonitor" 1914159 - When OCS was deployed using arbiter mode mon's are going into CLBO state, ceph version = 14.2.11-95 1914215 - must-gather fails to delete the completed state compute-xx-debug pods after successful completion 1915111 - OCS OSD selection algorithm is making some strange choices. 1915261 - Deleted MCG CRs are stuck in a 'Deleting' state 1915445 - Uninstall 4.7: Storagecluster deletion stuck on a partially created KMS enabled OCS cluster + support TLS configuration for KMS 1915644 - update noobaa db label in must-gather to collect db pod in noobaa dir 1915698 - There is missing noobaa-core-0 pod after upgrade from OCS 4.6 to OCS 4.7 1915706 - [Azure][RBD] PV taking longer time ~ 9 minutes to get deleted 1915730 - [ocs-operator] Create public route for ceph-rgw service 1915737 - Improve ocs-operator logging during uninstall to be more verbose, to understand reasons for failures - e.g. for Bug 1915445 1915758 - improve noobaa logging in case of uninstall - logs do not specify clearly the resource on which deletion is stuck 1915807 - Arbiter: OCS Install failed when used label = topology.kubernetes.io/zone instead of deprecated failureDomain label 1915851 - OCS PodDisruptionBudget redesign for OSDs to allow multiple nodes to drain in the same failure domain 1915953 - Must-gather takes hours to complete if the OCS cluster is not fully deployed, delay seen in ceph command collection step 1916850 - Uninstall 4.7- rook: Storagecluster deletion stuck on a partially created KMS enabled OCS cluster(OSD creation failed) 1917253 - Restore-pvc creation fails with error "csi-vol-* has unsupported quota" 1917815 - [IBM Z and Power] OSD pods restarting due to OOM during upgrade test using ocs-ci 1918360 - collect timestamp for must-gather commands and also the total time taken for must-gather to complete 1918750 - CVE-2021-3114 golang: crypto/elliptic: incorrect operations on the P-224 curve 1918925 - noobaa operator pod logs messages for other components - like rook-ceph-mon, csi-pods, new Storageclass, etc 1918938 - ocs-operator has Error logs with "unable to deploy Prometheus rules" 1919967 - MCG RPC calls time out and the system is unresponsive 1920202 - RGW pod did not get created when OCS was deployed using arbiter mode 1920498 - [IBM Z] OSDs are OOM killed and storage cluster goes into error state during ocs-ci tier1 pvc expansion tests 1920507 - Creation of cephblockpool with compression failed on timeout 1921521 - Add support for VAULT_SKIP_VERIFY option in Ceph-CSI 1921540 - RBD PVC creation fails with error "invalid encryption kms configuration: "POD_NAMESPACE" is not set" 1921609 - MongoNetworkError messages in noobaa-core logs 1921625 - 'Not Found: Secret "noobaa-root-master-key" message' in noobaa logs and cli output when kms is configured 1922064 - uninstall on VMware LSO+ arbiter with 4 OSDs in Pending state: Storagecluster deletion stuck, waiting for cephcluster to be deleted 1922108 - OCS 4.7 4.7.0-242.ci and beyond: osd pods are not created 1922113 - noobaa-db pod init container is crashing after OCS upgrade from OCS 4.6 to OCS 4.7 1922119 - PVC snapshot creation failing on OCP4.6-OCS 4.7 cluster 1922421 - [ROKS] OCS deployment stuck at mon pod in pending state 1922954 - [IBM Z] OCS: Failed tests because of osd deviceset restarts 1924185 - Object Service Dashboard shows alerts related to "system-internal-storage-pool" in OCS 4.7 1924211 - 4.7.0-249.ci: RGW pod not deployed, rook logs show - failed to create object store "must be no more than 63 characters" 1924634 - MG terminal logs show `pods "compute-x-debug" not found` even though pods are in Running state 1924784 - RBD PVC creation fails with error "invalid encryption kms configuration: failed to parse kms configuration" 1924792 - RBD PVC creation fails with error "invalid encryption kms configuration: failed to parse kms configuration" 1925055 - OSD pod stuck in Init:CrashLoopBackOff following Node maintenance in OCP upgrade from OCP 4.7 to 4.7 nightly 1925179 - MG fix [continuation from bug 1893619]: Do not attempt creating helper pod if storagecluster/cephcluster already deleted 1925249 - KMS resources should be garbage collected when StorageCluster is deleted 1925533 - [GSS] Unable to install Noobaa in AWS govcloud 1926182 - [RFE] Support disabling reconciliation of monitoring related resources using a dedicated reconcile strategy flag 1926617 - osds are in Init:CrashLoopBackOff with rgw in CrashLoopBackOff on KMS enabled cluster 1926717 - Only one NOOBAA_ROOT_SECRET_PATH key created in vault when the same backend path is used for multiple OCS clusters 1926831 - [IBM][ROKS] Deploy RGW pods only if IBM COS is not available on platform 1927128 - [Tracker for BZ #1937088] When Performed add capacity over arbiter mode cluster ceph health reports PG_AVAILABILITY Reduced data availability: 25 pgs inactive, 25 pgs incomplete 1927138 - must-gather skip collection of ceph in every run 1927186 - Configure pv-pool as backing store if cos creds secret not found in IBM Cloud 1927317 - [Arbiter] Storage Cluster installation did not started because ocs-operator was Expecting 8 node found 4 1927330 - Namespacestore-backed OBCs are stuck on Pending 1927338 - Uninstall OCS: Include events for major CRs to know the cause of deletion getting stuck 1927885 - OCS 4.7: ocs operator pod in 1/1 state even when Storagecluster is in Progressing state 1928063 - For FD: rack: actual osd pod distribution and OSD placement in rack under ceph osd tree output do not match 1928451 - MCG CLI command of diagnose doesn't work on windows 1928471 - [Deployment blocker] Ceph OSDs do not register properly in the CRUSH map 1928487 - MCG CLI - noobaa ui command shows wss instead of https 1928642 - [IBM Z] rook-ceph-rgw pods restarts continously with ocs version 4.6.3 due to liveness probe failure 1931191 - Backing/namespacestores are stuck on Creating with credentials errors 1931810 - LSO deployment(flexibleScaling:true): 100% PGS unknown even though ceph osd tree placement is correct(root cause diff from bug 1928471) 1931839 - OSD in state init:CrashLoopBackOff with KMS signed certificates 1932400 - Namespacestore deletion takes 15 minutes 1933607 - Prevent reconcile of labels on all monitoring resources deployed by ocs-operator 1933609 - Prevent reconcile of labels on all monitoring resources deployed by rook 1933736 - Allow shrinking the cluster by removing OSDs 1934000 - Improve error logging for kv-v2 while using encryption with KMS 1934990 - Ceph health ERR post node drain on KMS encryption enabled cluster 1935342 - [RFE] Add OSD flapping alert 1936545 - [Tracker for BZ #1938669] setuid and setgid file bits are not retained after a OCS CephFS CSI restore 1936877 - Include at OCS Multi-Cloud Object Gateway core container image the fixes on CVEs from RHEL8 on "nodejs" 1937070 - Storage cluster cannot be uninstalled when cluster not fully configured 1937100 - [RGW][notification][kafka]: notification fails with error: pubsub endpoint configuration error: unknown schema in: kafka 1937245 - csi-cephfsplugin pods CrashLoopBackoff in fresh 4.6 cluster due to conflict with kube-rbac-proxy 1937768 - OBC with Cache BucketPolicy stuck on pending 1939026 - ServiceUnavailable when calling the CreateBucket operation (reached max retries: 4): Reduce your request rate 1939472 - Failure domain set incorrectly to zone if flexible scaling is enabled but there are >= 3 zones 1939617 - [Arbiter] Mons cannot be failed over in stretch mode 1940440 - noobaa migration pod is deleted on failure and logs are not available for inspection 1940476 - Backingstore deletion hangs 1940957 - Deletion of Rejected NamespaceStore is stuck even when target bucket and bucketclass are deleted 1941647 - OCS deployment fails when no backend path is specified for cluster wide encryption using KMS 1941977 - rook-ceph-osd-X gets stuck in initcontainer expand-encrypted-bluefs 1942344 - No permissions in /etc/passwd leads to fail noobaa-operaor 1942350 - No permissions in /etc/passwd leads to fail noobaa-operaor 1942519 - MCG should not use KMS to store encryption keys if cluster wide encryption is not enabled using KMS 1943275 - OSD pods re-spun after "add capacity" on cluster with KMS 1943596 - [Tracker for BZ #1944611][Arbiter] When Performed zone(zone=a) Power off and Power On, 3 mon pod(zone=b,c) goes in CLBO after node Power off and 2 Osd(zone=a) goes in CLBO after node Power on 1944980 - Noobaa deployment fails when no KMS backend path is provided during storagecluster creation 1946592 - [Arbiter] When both the rgw pod hosting nodes are down, the rgw service is unavailable 1946837 - OCS 4.7 Arbiter Mode Cluster becomes stuck when entire zone is shutdown 1955328 - Upgrade of noobaa DB failed when upgrading OCS 4.6 to 4.7 1955601 - CVE-2021-3528 NooBaa: noobaa-operator leaking RPC AuthToken into log files 1957187 - Update to RHCS 4.2z1 Ceph container image at OCS 4.7.0 1957639 - Noobaa migrate job is failing when upgrading OCS 4.6.4 to 4.7 on FIPS environment 5. References: https://access.redhat.com/security/cve/CVE-2020-7608 https://access.redhat.com/security/cve/CVE-2020-7774 https://access.redhat.com/security/cve/CVE-2020-8565 https://access.redhat.com/security/cve/CVE-2020-25678 https://access.redhat.com/security/cve/CVE-2020-26160 https://access.redhat.com/security/cve/CVE-2020-26289 https://access.redhat.com/security/cve/CVE-2020-28362 https://access.redhat.com/security/cve/CVE-2021-3114 https://access.redhat.com/security/cve/CVE-2021-3139 https://access.redhat.com/security/cve/CVE-2021-3449 https://access.redhat.com/security/cve/CVE-2021-3450 https://access.redhat.com/security/cve/CVE-2021-3528 https://access.redhat.com/security/cve/CVE-2021-20305 https://access.redhat.com/security/updates/classification/#moderate 6. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2021 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYKTXntzjgjWX9erEAQhWpRAApeS59vyJLmaSJLski/0+eXbsKF6T3p2J FTz7NRK3Jlvw1LAwiKRuliKY9/dGb+n59hBXZMte80mBp3eBtCUNlp3NuK7iLGRk glAZjVAR1qoaqY6989GF/Limxbv5DOzmZbFGUI2cAJxX2MEkkNk++lrn1Gg7MlF+ M5xjJ5qwORTxbpSgkLLIxNnCL05/pSSmQi1u4kesNXUGa1l7XKJZafVkkAWJj5/D RA2kKF/p59jl1irJPRAHfIeCpn2IpjgvNkv5d2nTp26yhuBnVprI2dDiirOAaMcY GMCmBf8fFkA+kYRW/ad9WvOrhgGNH2vIXwKTkwwNY41W8HNj2HhVfZ41yz67UYv+ Gia+r8/5MJhzJZeWnzcdSKB0w6U9CfE02c2cxjLubDepEOGisoCD9wlm/Zx/TQqp bXvrQQ9rw5tMX1vwHMu8UCdcb2MErj0nW7cmd9nHv8efWCDrRDEmqC7DcHmT4JHl eTa+YS820EGg8DDDZVqUz4Kwxua4u4YvtL64NvH3tnKrF9wyaXLz1FLQquCOpMFc S8TBoIIm9seWLjDKy11FOmAnciBkHPoxS2YzmZWpbE5GWLw5R2/HWsFX1ZYk38tA sMYul3HVTx5UChweURmthpnX9mwUK7oXYRNPMG14VV5718v85Mfw3GRcIM2ovDXF k8d8Crjhc88= =wRRT -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce . Bugs fixed (https://bugzilla.redhat.com/): 1897635 - CVE-2020-28362 golang: math/big: panic during recursive division of very large numbers 1918750 - CVE-2021-3114 golang: crypto/elliptic: incorrect operations on the P-224 curve 1928172 - CVE-2020-13949 libthrift: potential DoS when processing untrusted payloads 1928937 - CVE-2021-23337 nodejs-lodash: command injection via template 1928954 - CVE-2020-28500 nodejs-lodash: ReDoS via the toNumber, trim and trimEnd functions 5. Bug fix: * RHACM 2.0.10 images (BZ #1940452) 3. Bugs fixed (https://bugzilla.redhat.com/): 1940452 - RHACM 2.0.10 images 1944286 - CVE-2021-23358 nodejs-underscore: Arbitrary code execution via the template function 5. Description: Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache Tomcat Servlet container, JBoss HTTP Connector (mod_cluster), the PicketLink Vault extension for Apache Tomcat, and the Tomcat Native library. Solution: Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on. The References section of this erratum contains a download link for the update. You must be logged in to download the update. Bugs fixed (https://bugzilla.redhat.com/): 1941547 - CVE-2021-3450 openssl: CA certificate check bypass with X509_V_FLAG_X509_STRICT 1941554 - CVE-2021-3449 openssl: NULL pointer dereference in signature_algorithms processing 5. Description: Red Hat Advanced Cluster Management for Kubernetes 2.1.6 images Red Hat Advanced Cluster Management for Kubernetes provides the capabilities to address common challenges that administrators and site reliability engineers face as they work across a range of public and private cloud environments. Clusters and applications are all visible and managed from a single console—with security policy built in. Bug fixes: * RHACM 2.1.6 images (BZ#1940581) * When generating the import cluster string, it can include unescaped characters (BZ#1934184) 3. Bugs fixed (https://bugzilla.redhat.com/): 1853652 - CVE-2020-14040 golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash 1929338 - CVE-2020-35149 mquery: Code injection via merge or clone operation 1934184 - When generating the import cluster string, it can include unescaped characters 1940581 - RHACM 2.1.6 images 5. Security Fix(es): * golang: crypto/tls: certificate of wrong type is causing TLS client to panic (CVE-2021-34558) * golang: net: lookup functions may return invalid host names (CVE-2021-33195) * golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty (CVE-2021-33197) * golang: match/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents (CVE-2021-33198) * golang: encoding/xml: infinite loop when using xml.NewTokenDecoder with a custom TokenReader (CVE-2021-27918) * golang: net/http: panic in ReadRequest and ReadResponse when reading a very large header (CVE-2021-31525) * golang: archive/zip: malformed archive may cause panic or memory exhaustion (CVE-2021-33196) It was found that the CVE-2021-27918, CVE-2021-31525 and CVE-2021-33196 have been incorrectly mentioned as fixed in RHSA for Serverless client kn 1.16.0. Bugs fixed (https://bugzilla.redhat.com/): 1983596 - CVE-2021-34558 golang: crypto/tls: certificate of wrong type is causing TLS client to panic 1983651 - Release of OpenShift Serverless Serving 1.17.0 1983654 - Release of OpenShift Serverless Eventing 1.17.0 1989564 - CVE-2021-33195 golang: net: lookup functions may return invalid host names 1989570 - CVE-2021-33197 golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty 1989575 - CVE-2021-33198 golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents 1992955 - CVE-2021-3703 serverless: incomplete fix for CVE-2021-27918 / CVE-2021-31525 / CVE-2021-33196 5

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

TYPE

code execution

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

Red Hat

SOURCES

LAST UPDATE DATE

2026-02-07T19:43:19.848000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE