ID

VAR-202205-1990

CVE

CVE-2022-1927

TITLE

Red Hat Security Advisory 2022-7055-01

DESCRIPTION

Buffer Over-read in GitHub repository vim/vim prior to 8.2. Vim is a cross-platform text editor. Vim versions prior to 8.2 have a security vulnerability caused by buffer overreading. Description: Red Hat Advanced Cluster Management for Kubernetes 2.3.12 images Red Hat Advanced Cluster Management for Kubernetes provides the capabilities to address common challenges that administrators and site reliability engineers face as they work across a range of public and private cloud environments. Clusters and applications are all visible and managed from a single console—with security policy built in. Bugs fixed (https://bugzilla.redhat.com/): 2076856 - [doc] Remove 1.9.1 from Proxy Patch Documentation 2101411 - RHACM 2.3.12 images 2105075 - CVE-2022-31129 moment: inefficient parsing algorithm resulting in DoS 5. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Moderate: OpenShift Container Platform 4.11.1 bug fix and security update Advisory ID: RHSA-2022:6103-01 Product: Red Hat OpenShift Enterprise Advisory URL: https://access.redhat.com/errata/RHSA-2022:6103 Issue date: 2022-08-23 CVE Names: CVE-2022-1012 CVE-2022-1292 CVE-2022-1586 CVE-2022-1785 CVE-2022-1897 CVE-2022-1927 CVE-2022-2068 CVE-2022-2097 CVE-2022-30629 CVE-2022-30631 CVE-2022-32250 ==================================================================== 1. Summary: Red Hat OpenShift Container Platform release 4.11.1 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.11. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.11.1. See the following advisory for the RPM packages for this release: https://access.redhat.com/errata/RHSA-2022:6102 Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes: https://docs.openshift.com/container-platform/4.11/release_notes/ocp-4-11-release-notes.html Security Fix(es): * golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631) * golang: crypto/tls: session tickets lack random ticket_age_add (CVE-2022-30629) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. You may download the oc tool and use it to inspect release image metadata as follows: (For x86_64 architecture) $ oc adm release info quay.io/openshift-release-dev/ocp-release:4.11.1-x86_64 The image digest is sha256:97410a5db655a9d3017b735c2c0747c849d09ff551765e49d5272b80c024a844 (For s390x architecture) $ oc adm release info quay.io/openshift-release-dev/ocp-release:4.11.1-s390x The image digest is sha256:13734de7e796e46f5403ef9ee918be88c12fdc9b73acb8777e0cc7c56a276794 (For ppc64le architecture) $ oc adm release info quay.io/openshift-release-dev/ocp-release:4.11.1-ppc64le The image digest is sha256:d0019b6b8b32cc9fea06562e6ce175086fa7de7b2b7dce171a8ac1a57f92f10b (For aarch64 architecture) $ oc adm release info quay.io/openshift-release-dev/ocp-release:4.11.1-aarch64 The image digest is sha256:3394a79e173ac17bc96a7256665701d3d7e2a95535a12f2ceb19ceb41dcd6b79 All OpenShift Container Platform 4.11 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift Console or the CLI oc command. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.11/updating/updating-cluster-cli.html 3. Solution: For OpenShift Container Platform 4.11 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update: https://docs.openshift.com/container-platform/4.11/release_notes/ocp-4-11-release-notes.html Details on how to access this content are available at https://docs.openshift.com/container-platform/4.11/updating/updating-cluster-cli.html 4. Bugs fixed (https://bugzilla.redhat.com/): 2033256 - openshift-installer intermittent failure on AWS with "Error: Provider produced inconsistent result after apply" when creating the module.vpc.aws_route_table.private_routes resource 2040715 - post 1.23 rebase: regression in service-load balancer reliability 2063622 - Failed to install the podman package from repo rhocp-4.10-for-rhel-8-x86_64-rpms 2092793 - CVE-2022-30629 golang: crypto/tls: session tickets lack random ticket_age_add 2102576 - [4.11] [Cluster storage Operator] DefaultStorageClassController report fake message "No default StorageClass for this platform" on azure and openstack 2103638 - No need to pass to-image-base for `oc adm release new` command when use --from-release 2103899 - [OVN] bonding fails after active-backup fail-over and reboot, kargs static IP 2104386 - OVS-Configure doesn't iterate connection names containing spaces correctly 2104435 - [dpu-network-operator] Updating images to be consistent with ART 2104510 - Update ose-machine-config-operator images to be consistent with ART 2104687 - MCP upgrades can stall waiting for master node reboots since MCC no longer gets drained 2105056 - Openshift-Ansible RHEL 8 CI update 2105444 - [OVN] Node to service traffic is blocked if service is "internalTrafficPolicy: Local" even backed pod is on the same node 2106772 - openshift4/ose-operator-registry image is vulnerable to multiple CVEs 2106795 - crio umask sometimes set to 0000 2107003 - The bash completion doesn't work for get subcommand 2107045 - OLM updates namespace labels even if they haven't changed 2107342 - CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read 2107777 - Pipeline status filter and status colors doesn't work correctly with non-english languages 2107871 - Import: Advanced option sentence is splited into two parts and headlines has no padding 2108021 - Machine Controller stuck with Terminated Instances while Provisioning on AWS 2109052 - Add to application dropdown options are not visible on application-grouping sidebar action dropdown. 2109205 - HTTPS_PROXY ENV missing in some CSI driver operators 2109270 - Kube controllers crash when nodes are shut off in OpenStack 2109489 - Reply to arp requests on interfaces with no ip 2109709 - Namespace value is missing on the list when selecting "All namespaces" for operators 2109731 - alertmanager-main pods failing to start due to startupprobe timeout 2109866 - Cannot delete a Machine if a VM got stuck in ERROR 2109977 - storageclass should not be created for unsupported vsphere version 2110482 - [vsphere] failed to create cluster if datacenter is embedded in a Folder 2110723 - openshift-tests: allow -f to match tests for any test suite 2110737 - Master node in SchedulingDisabled after upgrade from 4.10.24 -> 4.11.0-rc.4 2111037 - Affinity rule created in console deployment for single-replica infrastructure 2111347 - dummy bug for 4.10.z bz2111335 2111471 - Node internal DNS address is not set for machine 2111475 - Fetch internal IPs of vms from dhcp server 2111587 - [4.11] Export OVS metrics 2111619 - Pods are unable to reach clusterIP services, ovn-controller isn't installing the group mod flows correctly 2111992 - OpenShift controller manager needs permissions to get/create/update leases for leader election 2112297 - bond-cni: Backport "mac duplicates" 4.11 2112353 - lifecycle.posStart hook does not have network connectivity. 2112908 - Search resource "virtualmachine" in "Home -> Search" crashes the console 2112912 - sum_irate doesn't work in OCP 4.8 2113926 - hypershift cluster deployment hang due to nil pointer dereference for hostedControlPlane.Spec.Etcd.Managed 2113938 - Fix e2e tests for [reboots][machine_config_labels] (tsc=nowatchdog) 2114574 - can not upgrade. Incorrect reading of olm.maxOpenShiftVersion 2114602 - Upgrade failing because restrictive scc is injected into version pod 2114964 - kola dhcp.propagation test failing 2115315 - README file for helm charts coded in Chinese shows messy characters when viewing in developer perspective. 2115435 - [4.11] INIT container stuck forever 2115564 - ClusterVersion availableUpdates is stale: PromQL conditional risks vs. slow/stuck Thanos 2115817 - Updates / config metrics are not available in 4.11 2116009 - Node Tuning Operator(NTO) - OCP upgrade failed due to node-tuning CO still progressing 2116557 - Order of config attributes are not maintained during conversion of PT4l from ptpconfig to ptp4l.0.config file 2117223 - kubernetes-nmstate-operator fails to install with error "no channel heads (entries not replaced by another entry) found in channel" 2117324 - catalog-operator fatal error: concurrent map writes 2117353 - kola dhcp.propagation test out of memory 2117370 - Migrate openshift-ansible to ansible-core 2117746 - Bump to latest k8s.io 1.24 release 2118214 - dummy bug for 4.10.z bz2118209 2118375 - pass the "--quiet" option via the buildconfig for s2i 5. JIRA issues fixed (https://issues.jboss.org/): OCPBUGS-1 - Test Bug 6. References: https://access.redhat.com/security/cve/CVE-2022-1012 https://access.redhat.com/security/cve/CVE-2022-1292 https://access.redhat.com/security/cve/CVE-2022-1586 https://access.redhat.com/security/cve/CVE-2022-1785 https://access.redhat.com/security/cve/CVE-2022-1897 https://access.redhat.com/security/cve/CVE-2022-1927 https://access.redhat.com/security/cve/CVE-2022-2068 https://access.redhat.com/security/cve/CVE-2022-2097 https://access.redhat.com/security/cve/CVE-2022-30629 https://access.redhat.com/security/cve/CVE-2022-30631 https://access.redhat.com/security/cve/CVE-2022-32250 https://access.redhat.com/security/updates/classification/#moderate 7. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2022 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYwUXddzjgjWX9erEAQhaVQ/+LoSAe5mCgjPe0+gupmu0jxSmErna51Gz LBlcOWhmgSi2LDYiLl0x5fIg1rQuFX87rSqo0397m7k4Wcon7ztOeDBAtc120fbP i3N+2C+t2wrRPkObvGYKwiCj15+CZP/pIoTQqBlwzqcMAOBLPkXmyXgPaGiA12W7 MoZlSyeEfyx2r636op+e9GC6ysmP2Jq7v+IU2H5/fK7fwPb2lnEIqZV/VXQB4+n7 U7x4Rlng+iLwqalJjCgWY8VLHBQPbIkAQoWS1rMj4f/VEzdbJf7tXNwJOBlPaaJ0 qn8aVZt0b0DMnW0NERm08jg6SYIx8jwMjC/E9Y+JkLdI4nO7f22TOEXgocKHpSMi jm6yLG6Klvjio8rT0+tYB9QBgo8owR5QxhTH3+ffcdlNqDWk33wt8da2n0vCKY4w iC1p3bTxCFdxkPz8FkF/p+nVrI5ZGTNd94Q29YiK+BtlGVAVGGqk208YVcQ85RH2 8YQminXLeLt/RA4cKm/4eq5PlGW7lXAsKVM4UxiYZdqWe/WFuW5zoaF1IdcbNL1p dZaaS1Dy9KvEzF6LPeVFcBg7ouGkdWtBwWQcEGV4bzPjbik8HkiIOkd4J1uT6KHs di3yYWJc3Q1mHuXV7byNUhaQQtpkiB/jDAUiQ0ggOfTawBbwleBMgxwUt38sMtpV 6FmWxlUydm8=6nTC -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce . The image digests may be found at https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags. Bugs fixed (https://bugzilla.redhat.com/): 2215317 - CVE-2022-21235 github.com/Masterminds/vcs: Command Injection via argument injection 5. JIRA issues fixed (https://issues.redhat.com/): OCPBUGS-15446 - (release-4.11) gather "gateway-mode-config" config map from "openshift-network-operator" namespace OCPBUGS-15532 - visiting Configurations page returns error Cannot read properties of undefined (reading 'apiGroup') OCPBUGS-15645 - Can't use git lfs in BuildConfig git source with strategy Docker OCPBUGS-15739 - Environment cannot find Python OCPBUGS-15758 - [release-4.11] Bump Jenkins and Jenkins Agent Base image versions OCPBUGS-15942 - 9% of OKD tests failing on error: tag latest failed: Internal error occurred: registry.centos.org/dotnet/dotnet-31-centos7:latest: Get "https://registry.centos.org/v2/": dial tcp: lookup registry.centos.org on 172.30.0.10:53: no such host OCPBUGS-15966 - [4.12] MetalLB contains incorrect data Correct and incorrect MetalLB resources coexist should have correct statuses 6. See the following Release Notes documentation, which will be updated shortly for this release, for additional details about this release: https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.5/html/release_notes/ Security fixes: * moment: inefficient parsing algorithim resulting in DoS (CVE-2022-31129) * vm2: Sandbox Escape in vm2 (CVE-2022-36067) Bug fixes: * Submariner Globalnet e2e tests failed on MTU between On-Prem to Public clusters (BZ# 2074547) * OCP 4.11 - Install fails because of: pods "management-ingress-63029-5cf6789dd6-" is forbidden: unable to validate against any security context constrain (BZ# 2082254) * subctl gather fails to gather libreswan data if CableDriver field is missing/empty in Submariner Spec (BZ# 2083659) * Yaml editor for creating vSphere cluster moves to next line after typing (BZ# 2086883) * Submariner addon status doesn't track all deployment failures (BZ# 2090311) * Unable to deploy Hypershift operator on MCE hub using ManagedClusterAddOn without including s3 secret (BZ# 2091170) * After switching to ACM 2.5 the managed clusters log "unable to create ClusterClaim" errors (BZ# 2095481) * Enforce failed and report the violation after modified memory value in limitrange policy (BZ# 2100036) * Creating an application fails with "This application has no subscription match selector (spec.selector.matchExpressions)" (BZ# 2101577) * Inconsistent cluster resource statuses between "All Subscription" topology and individual topologies (BZ# 2102273) * managed cluster is in "unknown" state for 120 mins after OADP restore * RHACM 2.5.2 images (BZ# 2104553) * Subscription UI does not allow binding to label with empty value (BZ# 2104961) * Upgrade to 2.5.1 from 2.5.0 fails due to missing Subscription CRD (BZ# 2106069) * Region information is not available for Azure cloud in managedcluster CR (BZ# 2107134) * cluster uninstall log points to incorrect container name (BZ# 2107359) * ACM shows wrong path for Argo CD applicationset git generator (BZ# 2107885) * Single node checkbox not visible for 4.11 images (BZ# 2109134) * Unable to deploy hypershift cluster when enabling validate-cluster-security (BZ# 2109544) * Deletion of Application (including app related resources) from the console fails to delete PlacementRule for the application (BZ# 20110026) * After the creation by a policy of job or deployment (in case the object is missing)ACM is trying to add new containers instead of updating (BZ# 2117728) * pods in CrashLoopBackoff on 3.11 managed cluster (BZ# 2122292) * ArgoCD and AppSet Applications do not deploy to local-cluster (BZ# 2124707) 3. Bugs fixed (https://bugzilla.redhat.com/): 2074547 - Submariner Globalnet e2e tests failed on MTU between On-Prem to Public clusters 2082254 - OCP 4.11 - Install fails because of: pods "management-ingress-63029-5cf6789dd6-" is forbidden: unable to validate against any security context constraint 2083659 - subctl gather fails to gather libreswan data if CableDriver field is missing/empty in Submariner Spec 2086883 - Yaml editor for creating vSphere cluster moves to next line after typing 2090311 - Submariner addon status doesn't track all deployment failures 2091170 - Unable to deploy Hypershift operator on MCE hub using ManagedClusterAddOn without including s3 secret 2095481 - After switching to ACM 2.5 the managed clusters log "unable to create ClusterClaim" errors 2100036 - Enforce failed and report the violation after modified memory value in limitrange policy 2101577 - Creating an application fails with "This application has no subscription match selector (spec.selector.matchExpressions)" 2102273 - Inconsistent cluster resource statuses between "All Subscription" topology and individual topologies 2103653 - managed cluster is in "unknown" state for 120 mins after OADP restore 2104553 - RHACM 2.5.2 images 2104961 - Subscription UI does not allow binding to label with empty value 2105075 - CVE-2022-31129 moment: inefficient parsing algorithm resulting in DoS 2106069 - Upgrade to 2.5.1 from 2.5.0 fails due to missing Subscription CRD 2107134 - Region information is not available for Azure cloud in managedcluster CR 2107359 - cluster uninstall log points to incorrect container name 2107885 - ACM shows wrong path for Argo CD applicationset git generator 2109134 - Single node checkbox not visible for 4.11 images 2110026 - Deletion of Application (including app related resources) from the console fails to delete PlacementRule for the application 2117728 - After the creation by a policy of job or deployment (in case the object is missing)ACM is trying to add new containers instead of updating 2122292 - pods in CrashLoopBackoff on 3.11 managed cluster 2124707 - ArgoCD and AppSet Applications do not deploy to local-cluster 2124794 - CVE-2022-36067 vm2: Sandbox Escape in vm2 5. Summary: The Migration Toolkit for Containers (MTC) 1.7.4 is now available. Description: The Migration Toolkit for Containers (MTC) enables you to migrate Kubernetes resources, persistent volume data, and internal container images between OpenShift Container Platform clusters, using the MTC web console or the Kubernetes API. Solution: For details on how to install and use MTC, refer to: https://docs.openshift.com/container-platform/latest/migration_toolkit_for_containers/installing-mtc.html 4. Bugs fixed (https://bugzilla.redhat.com/): 1928937 - CVE-2021-23337 nodejs-lodash: command injection via template 1928954 - CVE-2020-28500 nodejs-lodash: ReDoS via the toNumber, trim and trimEnd functions 2054663 - CVE-2022-0512 nodejs-url-parse: authorization bypass through user-controlled key 2057442 - CVE-2022-0639 npm-url-parse: Authorization Bypass Through User-Controlled Key 2060018 - CVE-2022-0686 npm-url-parse: Authorization bypass through user-controlled key 2060020 - CVE-2022-0691 npm-url-parse: authorization bypass through user-controlled key 2085307 - CVE-2022-1650 eventsource: Exposure of Sensitive Information 2107342 - CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read 5. Description: Logging Subsystem 5.5.5 - Red Hat OpenShift Security Fixe(s): * jackson-databind: denial of service via a large depth of nested objects (CVE-2020-36518) * golang: net/http: handle server errors after sending GOAWAY (CVE-2022-27664) * golang: archive/tar: unbounded memory consumption when reading headers (CVE-2022-2879, CVE-2022-2880, CVE-2022-41715) * jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003) * jackson-databind: use of deeply nested arrays (CVE-2022-42004) * loader-utils: Regular expression denial of service (CVE-2022-37603) * golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service (CVE-2022-32189) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bugs fixed (https://bugzilla.redhat.com/): 2064698 - CVE-2020-36518 jackson-databind: denial of service via a large depth of nested objects 2113814 - CVE-2022-32189 golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service 2124669 - CVE-2022-27664 golang: net/http: handle server errors after sending GOAWAY 2132867 - CVE-2022-2879 golang: archive/tar: unbounded memory consumption when reading headers 2132868 - CVE-2022-2880 golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters 2132872 - CVE-2022-41715 golang: regexp/syntax: limit memory used by parsing regexps 2135244 - CVE-2022-42003 jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS 2135247 - CVE-2022-42004 jackson-databind: use of deeply nested arrays 2140597 - CVE-2022-37603 loader-utils:Regular expression denial of service 5. JIRA issues fixed (https://issues.jboss.org/): LOG-2860 - Error on LokiStack Components when forwarding logs to Loki on proxy cluster LOG-3131 - vector: kube API server certificate validation failure due to hostname mismatch LOG-3222 - [release-5.5] fluentd plugin for kafka ca-bundle secret doesn't support multiple CAs LOG-3226 - FluentdQueueLengthIncreasing rule failing to be evaluated. LOG-3284 - [release-5.5][Vector] logs parsed into structured when json is set without structured types. LOG-3287 - [release-5.5] Increase value of cluster-logging PriorityClass to move closer to system-cluster-critical value LOG-3301 - [release-5.5][ClusterLogging] elasticsearchStatus in ClusterLogging instance CR is not updated when Elasticsearch status is changed LOG-3305 - [release-5.5] Kibana Authentication Exception cookie issue LOG-3310 - [release-5.5] Can't choose correct CA ConfigMap Key when creating lokistack in Console LOG-3332 - [release-5.5] Reconcile error on controller when creating LokiStack with tls config 6

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

TYPE

code execution

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

Red Hat

SOURCES

LAST UPDATE DATE

2024-11-20T21:50:30.410000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE