Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: Red Hat OpenShift Data Foundation 4.9.0
enhancement, security, and bug fix update
Advisory ID: RHSA-2021:5086-01
Product: Red Hat OpenShift Data Foundation
Advisory URL: https://access.redhat.com/errata/RHSA-2021:5086
Issue date: 2021-12-13
CVE Names: CVE-2020-8565 CVE-2021-32803 CVE-2021-32804
CVE-2021-33195 CVE-2021-33197 CVE-2021-33198
CVE-2021-34558 CVE-2021-37701 CVE-2021-37712
=====================================================================
1. Summary:
Updated images that include numerous enhancements, security, and
bug fixes
are now available for Red Hat OpenShift Data Foundation 4.9.0 on
Red Hat
Enterprise Linux 8.
Red Hat Product Security has rated this update as having a
security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base
score, which
gives a detailed severity rating, is available for each
vulnerability from
the CVE link(s) in the References section.
2. Description:
Red Hat OpenShift Data Foundation is software-defined storage
integrated
with and optimized for the Red Hat OpenShift Container Platform.
Red Hat
OpenShift Data Foundation is a highly scalable, production-grade
persistent
storage for stateful applications running in the Red Hat
OpenShift
Container Platform. In addition to persistent storage, Red Hat
OpenShift
Data Foundation provisions a multicloud data management service
with an S3
compatible API.
Security Fix(es):
* kubernetes: Incomplete fix for CVE-2019-11250 allows for token
leak in
logs when logLevel >= 9 (CVE-2020-8565)
* nodejs-tar: Insufficient symlink protection allowing arbitrary
file
creation and overwrite (CVE-2021-32803)
* nodejs-tar: Insufficient absolute path sanitization allowing
arbitrary
file creation and overwrite (CVE-2021-32804)
* golang: net: lookup functions may return invalid host
names
(CVE-2021-33195)
* golang: net/http/httputil: ReverseProxy forwards connection
headers if
first one is empty (CVE-2021-33197)
* golang: math/big.Rat: may cause a panic or an unrecoverable
fatal error
if passed inputs with very large exponents (CVE-2021-33198)
* golang: crypto/tls: certificate of wrong type is causing TLS
client to
panic (CVE-2021-34558)
* nodejs-tar: insufficient symlink protection due to directory
cache
poisoning using symbolic links allowing arbitrary file creation
and
overwrite (CVE-2021-37701)
* nodejs-tar: insufficient symlink protection due to directory
cache
poisoning using symbolic links allowing arbitrary file creation
and
overwrite (CVE-2021-37712)
For more details about the security issue(s), including the
impact, a CVSS
score, acknowledgments, and other related information, refer to the
CVE
page(s) listed in the References section.
For more details about the security issue(s), including the
impact, a CVSS
score, acknowledgments, and other related information refer to the
CVE
page(s) listed in the References section.
These updated images include numerous enhancements and bug
fixes. Space
precludes documenting all of these changes in this advisory. Users
are
directed to the Red Hat OpenShift Data Foundation Release Notes
for
information on the most significant of these changes:
https://access.redhat.com//documentation/en-us/red_hat_openshift_data_foundation/4.9/html/4.9_release_notes/index
All Red Hat OpenShift Data Foundation users are advised to
upgrade to
these updated images, which provide numerous bug fixes and
enhancements.
3. Solution:
For details on how to apply this update, which includes the
changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
4. Bugs fixed (https://bugzilla.redhat.com/):
1810525 - [GSS][RFE] [Tracker for Ceph # BZ # 1910272] Deletion
of data is not allowed after the Ceph cluster reaches
osd-full-ratio threshold.
1853638 - [RFE] - Can Force deletion of noobaa-db be automatically
handled in case on hosting node shutdown (similar to OSD &
MONS)
1886638 - CVE-2020-8565 kubernetes: Incomplete fix for
CVE-2019-11250 allows for token leak in logs when logLevel >=
9
1890438 - collect rados objects created by cephcsi to store
internal mapping
1890978 - [External] Improve error logging in ocs-operator
1892709 - NooBaa storage class should be deleted when
uninstalling
1901954 - Allow restoring snapshot to a different pool than parent
volume
1910790 - [AWS 1AZ] [OCP 4.7 / OCS 4.6] ocs-operator stuck in
Installing phase, and noobaa-db-0 pod in a Pending state
1927782 - With graceful mode, storagecluster/cephcluster deletion
should be blocked if OBC based on RGW SC still exists
1929242 - [GSS] [RFE] QoS and limits in Object Bucket Claims in
OpenShift for RGW
1932396 - [TRACKER for BZ #1943619] - RGW does not handle "Expect:
100-continue" answers from http requests not needing it
1934625 - [must-gather]improve logging and mention all instances in
MG terminal log
1956285 - [must-gather] log collection for some ceph cmd failed
with timeout: fork system call failed: Resource temporarily
unavailable
1959793 - [RBD][Thick] PVC restored from a snapshot or cloned from
a thick provisioned PVC, is not thick provisioned
1964083 - [RFE] ocs-must-gather should collect logs for
RegionalDR
1965322 - Error code 500 is used when page not found
1968510 - OCS uninstall should check for Volumesnapshots before
proceeding with graceful Uninstall
1968606 - OCS CSV Status moves to Failed and Installs again when a
StorageCluster is created
1969216 - Rook may recreate a file system with existing pools
1973256 - [Tracker for BZ #1975608] [Mon Recovery
testing(bz1965768)] After replacing degraded cephfs with new
cephfs, the cephfs app-pod created before mon corruption is not
accessible
1975272 - [RFE] [KMS] Add support for auto-detection of the Vault
KV version
1975581 - OCS is still using deprecated api v1beta1
1979244 - [KMS] Keys are still listed in vault after deleting
encrypted PVCs while using kv-v2 secret engine
1979502 - Multi-Cloud Object Gateway with v4.7 RC5 performs slow
compared to v4.6 with mongodb - read flows
1980818 - RBD Snapshot of encrypted PVC may fail with error "BUG:
"xyz" and "xyz" have the same VolID (xyz) set!? Call stack:
goroutine 118 [running]:
1981331 - New namespace OBCs stuck in Pending, even though
underlying bucketclass is Ready
1983596 - CVE-2021-34558 golang: crypto/tls: certificate of wrong
type is causing TLS client to panic
1983756 - [Multus] Deletion of CephBlockPool get stuck and blocks
creation of new pools
1984284 - [GSS] [4.9 clone] Standalone Object Gateway is failing to
connect
1984334 - [RFE] [4.9 clone] VAULT_BACKEND parameter should be added
to the csi-kms-connection-details
1984396 - Failing the only OSD of a node on a 3 node cluster
doesn't create blocking PDBs
1984735 - [External Mode] Monitoring spec is getting reset in
CephCluster resource
1985074 - must-gather is skipping the ceph collection when there
are two must-gather-helper pods
1986444 - Alert NooBaaNamespaceBucketErrorState is not triggered
when namespacestore's target bucket is deleted
1986794 - [Tracker for Ceph BZ #2000434] [RBD][Thick] PVC is not
reaching Bound state
1987806 - [External] External Cluster resources are not updated
even after updating the JSON input secret
1988518 - ocs-metrics-exporter runAsNonRoot error
1989482 - odf-operator.v4.9.0-43.ci fails to install
1989564 - CVE-2021-33195 golang: net: lookup functions may return
invalid host names
1989570 - CVE-2021-33197 golang: net/http/httputil: ReverseProxy
forwards connection headers if first one is empty
1989575 - CVE-2021-33198 golang: math/big.Rat: may cause a panic or
an unrecoverable fatal error if passed inputs with very large
exponents
1990230 - ocs-operator.v4.9.0-50.ci csv not found
1990409 - CVE-2021-32804 nodejs-tar: Insufficient absolute path
sanitization allowing arbitrary file creation and overwrite
1990415 - CVE-2021-32803 nodejs-tar: Insufficient symlink
protection allowing arbitrary file creation and overwrite
1991822 - ocs-operator.v4.9.0-53.ci: install strategy failed with
"noobaa-operator" is invalid
1992472 - How to add toleration to OCS pods for any non OCS
taints?
1994261 - odf-operator.v4.9.0-91.ci fails to install with
odf-console
1994577 - openshift-storage namespace is not created automatically
when installing odf-operator
1994584 - ocs-operator is not hidden when installed as a dependency
of odf-operator 4.9
1994602 - Icon for odf-operator is missing during and post
installation
1994606 - Details missing on the card while installing ODF Operator
via UI
1994687 - [vSphere]: csv ocs-registry:4.9.0-91.ci is in Installing
phase
1995009 - Warning to create storage system is missing in odf
operator Details page
1995056 - OCS_CSV_NAME is not correct in
odf-operator-manager-config configmap
1995271 - [GSS] noobaa-db-pg-0 Pod get in stuck CrashLoopBackOff
state when enabling hugepages
1995718 - [External Mode] Script
"ceph-external-cluster-details-exporter.py" incompatible with
python 2.x
1997237 - [UI] 404: Page Not Found error when creating storage
system
1997624 - [KMS] PV encryption fails when using vault namespace
functionality in ODF 4.9
1997738 - RBD pvc creation fails on VMware
1997922 - ODF-Operator installed failed because odf-console pod is
in ImagePullBackOff
1998851 - Disabling Ceph File System also disable Ceph RBD
VolumeSnapshotStorageClass
1999050 - [UI] Storage system link on OpenShift Data Foundation
Page is not redirecting to the details page of the particular
storage system
1999731 - CVE-2021-37701 nodejs-tar: Insufficient symlink
protection due to directory cache poisoning using symbolic links
allowing arbitrary file creation and overwrite
1999739 - CVE-2021-37712 nodejs-tar: Insufficient symlink
protection due to directory cache poisoning using symbolic links
allowing arbitrary file creation and overwrite
1999748 - Update OCP CSI sidecar to 4.9
1999763 - odf-operator.v4.9.0-119.ci failed with version in range:
4.9.0-119.ci for noobaa-operator
1999767 - [Tracker for Ceph BZ #2002557] Raw capacity is not shown
in block pool page
2000082 - 2 of the odf quick starts guides 'getting started' and
'configuration & management' doesn't disappear from UI on
odf-operator uninstallation
2000098 - ODF operator 4.9.0-120.ci fails to install on s390x due
to incompatible ibm-storage-odf-plugin Docker image
2000143 - OCS 4.8 to ODF 4.9 upgrade failed on OCP 4.9 AWS
cluster
2000190 - Current must-gather doesn't collect some of the
odf-operator and storagesystem related logs for odf 4.9
2000579 - [UI] ODF tab under Storage found missing and appears and
then disappears again with 404: Page not found error message on URL
reload
2000588 - Bucket creation is failing from nooba management
console
2000860 - Hide thick provisioning from the UI
2000865 - Revert the creation of thick provisioned storage class in
4.9
2001482 - StorageCluster stuck in Progressing state for MCG only
deployment
2001539 - [UI] ODF Overview showing two different status for the
same storage system
2001580 - [UI] Title "OpenShift Data Foundation" should be used
instead of "OpenShift Data Foundation Overview"
2001970 - Openshift Data Foundation navitem missing under "Storage"
navsection.
2002225 - [Tracker for Ceph BZ #2002398] [4.9.0-129.ci]: ceph
health in WARN state due to mon.a crashed
2003444 - [IBM] odf metrics data is not shown in odf-console
2003904 - odf-operator.v4.9.0-136.ci fails to install with
odf-console in ImagePullBackOff
2004003 - [External Mode] rook TLS certificate was not created
2004013 - [DR] After performing failover mirroringStatus reports
image_health: ERROR
2004030 - Storagecluster should have a reference under
storageSystem
2004824 - remove ibm-console from the odf-operator
2005103 - Bucket replication does not work (objects are not
replicated)
2005290 - namespace: openshift-storage label missing for few OCS
alerts
2005812 - [Recovery DOC Tracker 1978769] recover documents when
ceph cluster filled up because of CephFS snapshots and clones
2005838 - [Tracker for Ceph BZ #1981186] [DR] Rbdmirror pod keeps
showing unable to find a keyring
2005843 - [DR] odfmo-controller-manager pod label should be set
based on Deployment name
2005937 - Not able to add toleration for MDS pods via
StorageCluster yaml
2006176 - [DR] token-exchange-agent pod logs flooded with failed to
sync and Failed to watch messages
2006865 - Ceph alerts that are auto-resolved should not be
fired
2007130 - [External Mode] Exporter script fails if multiple
monitoring endpoints are provided
2007202 - VolumeReplication condition "Degraded" never moves to
"False" when recovering from a split brain
2007212 - VolumeReplication condition "Degraded" never moves to
"False" when recovering from a split brain
2007377 - CephObjectStore does not update the RGW configuration
period if 'period --commit' fails in the first reconcile
2007717 - ODF 4.9 is failing to deploy
2010041 - Backport to 4.9: Inject default label to
noobaa_system_reconciler
2010185 - MirrorPeer status always in ExchangedSecret Phase
2010188 - [DR] odfmo-controller-manager pod label should be set
based on Deployment name
2010194 - [DR] token-exchange-agent pod logs flooded with failed to
sync and Failed to watch messages
2010202 - Backport to 4.9: Adding the ability to change/add labels
in service monitor
2011225 - NooBaa Operator repo generates invalid CSV
5. References:
https://access.redhat.com/security/cve/CVE-2020-8565
https://access.redhat.com/security/cve/CVE-2021-32803
https://access.redhat.com/security/cve/CVE-2021-32804
https://access.redhat.com/security/cve/CVE-2021-33195
https://access.redhat.com/security/cve/CVE-2021-33197
https://access.redhat.com/security/cve/CVE-2021-33198
https://access.redhat.com/security/cve/CVE-2021-34558
https://access.redhat.com/security/cve/CVE-2021-37701
https://access.redhat.com/security/cve/CVE-2021-37712
https://access.redhat.com/security/updates/classification/#moderate
6. Contact:
The Red Hat security contact is <
details at https://access.redhat.com/security/team/contact/
Copyright 2021 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBYbei+dzjgjWX9erEAQj9ow//QhaukAiKpIm579W/smWGhYvMRojDp0gq
vx74LCpSz03rPPyZxeoaDxGNDJohtpKaqGXvBn+2yyrul/F6zrsN4YIuaILre4EI
Hk8BKm+0LsG6INfLvTGNIhjW36fXb+vgR+Iv7tDQ85swAoC6e9JWFingqeSZTi6h
jE6HlcVDox57X0cntB3o6D1nqJlASTMwi09tg6R0yknRunuXpUwVHdQBqx4xDpr7
74OyifVqJKpJ46xVg01LZPBuUdKhFIzU6q60JNFMOTN6m9oaDfVg35eaRti3QomV
0BJkosldZkl3DdNy1FlPDj3xETn23DGEd4O00uvtW4Wh0Nr0z1Xi28h8Rz4TrtEG
r+90LQG36HmJd/13eEIJh3Q5YYLOivr+y/HwZ0lzx8jYHGMjx8gEkb/TxSOMEqs0
rRnLB+o4qogObIyog+TntW3A6HqYQ2KPqLIOoyc/ybEqaPazSlyV9hlSBZYMGOKh
AL7dF+siGIAUjlFBwmFGBquJYkKHncMkrE7R71Nj5qQtFoIKUUO9RQwHUHgrSRRg
anFkMTnu3Y7SxdzuHPxxG8kear2T9u5zk0nTQvL5mKDCbGCsukJgx0+t0WSWCkZz
BjRx0Ey2Uvsul9HYcYABz9w2pWip4SXOws3k/eF23Tg2GAHALIm5GcFuL6ByvUHx
+7kNvf3sAbA=
=CApk
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
https://listman.redhat.com/mailman/listinfo/rhsa-announce
Read more https://packetstormsecurity.com/files/165275/RHSA-2021-5086-06.txt
