A Red Hat OpenShift Container Storage 4.7.0 security, bug fix, and enhancement update has been released for Red Hat Enterprise Linux 8.

RHSA-2021:2041-01: Moderate: Red Hat OpenShift Container Storage 4.7.0 security, bug fix, and enhancement update

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: Red Hat OpenShift Container Storage 4.7.0 security, bug fix, and enhancement update
Advisory ID: RHSA-2021:2041-01
Product: Red Hat OpenShift Container Storage
Advisory URL:   https://access.redhat.com/errata/RHSA-2021:2041
Issue date: 2021-05-19
CVE Names: CVE-2020-7608 CVE-2020-7774 CVE-2020-8565
CVE-2020-25678 CVE-2020-26160 CVE-2020-26289
CVE-2020-28362 CVE-2021-3114 CVE-2021-3139
CVE-2021-3449 CVE-2021-3450 CVE-2021-3528
CVE-2021-20305
=====================================================================

1. Summary:

Updated images which include numerous security fixes, bug fixes, and
enhancements are now available for Red Hat OpenShift Container Storage
4.7.0 on Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Container Storage is software-defined storage integrated
with and optimized for the Red Hat OpenShift Container Platform. Red Hat
OpenShift Container Storage is a highly scalable, production-grade
persistent storage for stateful applications running in the Red Hat
OpenShift Container Platform. In addition to persistent storage, Red Hat
OpenShift Container Storage provisions a multicloud data management service
with an S3 compatible API.

Security Fix(es):

* nodejs-y18n: prototype pollution vulnerability (CVE-2020-7774)

* kubernetes: Incomplete fix for CVE-2019-11250 allows for token leak in
logs when logLevel >= 9 (CVE-2020-8565)

* jwt-go: access restriction bypass vulnerability (CVE-2020-26160)

* nodejs-date-and-time: ReDoS in parsing via date.compile (CVE-2020-26289)

* golang: math/big: panic during recursive division of very large numbers
(CVE-2020-28362)

* golang: crypto/elliptic: incorrect operations on the P-224 curve
(CVE-2021-3114)

* NooBaa: noobaa-operator leaking RPC AuthToken into log files
(CVE-2021-3528)

* nodejs-yargs-parser: prototype pollution vulnerability (CVE-2020-7608)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Bug Fix(es):

This update includes various bug fixes and enhancements. Space precludes
documenting all of these changes in this advisory. Users are directed to
the Red Hat OpenShift Container Storage Release Notes for information on
the most significant of these changes:

  https://access.redhat.com/documentation/en-us/red_hat_openshift_container_s
torage/4.7/html-single/4.7_release_notes/index

All Red Hat OpenShift Container Storage users are advised to upgrade to
these updated images.

3. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

  https://access.redhat.com/articles/11258

4. Bugs fixed (  https://bugzilla.redhat.com/):

1803849 - [RFE] Include per volume encryption with Vault integration in RHCS 4.1
1814681 - [RFE] use topologySpreadConstraints to evenly spread OSDs across hosts
1840004 - CVE-2020-7608 nodejs-yargs-parser: prototype pollution vulnerability
1850089 - OBC CRD is outdated and leads to missing columns in get queries
1860594 - Toolbox pod should have toleration for OCS tainted nodes
1861104 - OCS podDisruptionBudget prevents successful OCP upgrades
1861878 - [RFE] use appropriate PDB values for OSD
1866301 - [RHOCS Usability Study][Installation] “Create storage cluster” should be a part of the installation flow or need to be emphasized as a crucial step.
1869406 - must-gather should include historical pod logs
1872730 - [RFE][External mode] Re-configure noobaa to use the updated RGW endpoint from the RHCS cluster
1874367 - "Create Backing Store" page doesn't allow to select already defined k8s secret as target bucket credentials when Google Cloud Storage is selected as a provider
1883371 - CVE-2020-26160 jwt-go: access restriction bypass vulnerability
1886112 - log message flood with Reconciling StorageCluster","Request.Namespace":"openshift-storage","Request.Name":"ocs-storagecluster"
1886416 - Uninstall 4.6: ocs-operator logging regarding noobaa-core PVC needs change
1886638 - CVE-2020-8565 kubernetes: Incomplete fix for CVE-2019-11250 allows for token leak in logs when logLevel >= 9
1888839 - Create public route for ceph-rgw service
1892622 - [GSS] Noobaa management dashboard reporting High number of issues when the cluster is in healthy state
1893611 - Skip ceph commands collection attempt if must-gather helper pod is not created
1893613 - must-gather tries to collect ceph commands in external mode when storagecluster already deleted
1893619 - OCS must-gather: Inspect errors for cephobjectoreUser and few ceph commandd when storage cluster does not exist
1894412 - [RFE][External] RGW metrics should be made available even if anything else except 9283 is provided as the monitoring-endpoint-port
1896338 - OCS upgrade from 4.6 to 4.7 build failed
1897246 - OCS - ceph historical logs collection
1897635 - CVE-2020-28362 golang: math/big: panic during recursive division of very large numbers
1898509 - [Tracker][RHV #1899565] Deployment on RHV/oVirt storage class ovirt-csi-sc failing
1898680 - CVE-2020-7774 nodejs-y18n: prototype pollution vulnerability
1898808 - Rook-Ceph crash collector pod should not run on non-ocs node
1900711 - [RFE] Alerting for Namespace buckets and resources
1900722 - Failed to init upgrade process on noobaa-core-0
1900749 - Namespace Resource reported as Healthy when target bucket deleted
1900760 - RPC call for Namespace resource creation allows invalid target bucket names
1901134 - OCS - ceph historical logs collection
1902192 - [RFE][External] RGW metrics should be made available even if anything else except 9283 is provided as the monitoring-endpoint-port
1902685 - Too strict Content-Length header check refuses valid upload requests
1902711 - Tracker for Bug #1903078 Deleting VolumeSnapshotClass makes VolumeSnapshot not Ready
1903973 - [Azure][ROKS] Set SSD tuning (tuneFastDeviceClass) as default for OSD devices in Azure/ROKS platform
1903975 - Add "ceph df detail" for ocs must-gather to enable support to debug compression
1904302 - [GSS] ceph_daemon label includes references to a replaced OSD that cause a prometheus ruleset to fail
1904929 - [GSS][RFE]Reduce debug level for logs of Nooba Endpoint pod
1907318 - Unable to deploy & upgrade to ocs 4.7 - missing postgres image reference
1908414 - [GSS][VMWare][ROKS] rgw pods are not showing up in OCS 4.5 - due to pg_limit issue
1908678 - ocs-osd-removal job failed with "Invalid value" error when using multiple ids
1909268 - OCS 4.7 UI install -All OCS operator pods respin after storagecluster creation
1909488 - [NooBaa CLI] CLI status command looks for wrong DB PV name
1909745 - pv-pool backing store name restriction should be at 43 characters
1910705 - OBCs are stuck in a Pending state
1911131 - Bucket stats in the NB dashboard are incorrect
1911266 - Backingstore phase is ready, modecode is INITIALIZING
1911627 - CVE-2020-26289 nodejs-date-and-time: ReDoS in parsing via date.compile
1911789 - Data deduplication does not work properly
1912421 - [RFE] noobaa cli allow the creation of BackingStores with already existing secrets
1912894 - OCS storagecluster is Progressing state and some noobaa pods missing with latest 4.7 build -4.7.0-223.ci and storagecluster reflected as 4.8.0 instead of 4.7.0
1913149 - make must-gather backward compatibility for version = 3 zones
1939617 - [Arbiter] Mons cannot be failed over in stretch mode
1940440 - noobaa migration pod is deleted on failure and logs are not available for inspection
1940476 - Backingstore deletion hangs
1940957 - Deletion of Rejected NamespaceStore is stuck even when target bucket and bucketclass are deleted
1941647 - OCS deployment fails when no backend path is specified for cluster wide encryption using KMS
1941977 - rook-ceph-osd-X gets stuck in initcontainer expand-encrypted-bluefs
1942344 - No permissions in /etc/passwd leads to fail noobaa-operaor
1942350 - No permissions in /etc/passwd leads to fail noobaa-operaor
1942519 - MCG should not use KMS to store encryption keys if cluster wide encryption is not enabled using KMS
1943275 - OSD pods re-spun after "add capacity" on cluster with KMS
1943596 - [Tracker for BZ #1944611][Arbiter] When Performed zone(zone=a) Power off and Power On, 3 mon pod(zone=b,c) goes in CLBO after node Power off and 2 Osd(zone=a) goes in CLBO after node Power on
1944980 - Noobaa deployment fails when no KMS backend path is provided during storagecluster creation
1946592 - [Arbiter] When both the rgw pod hosting nodes are down, the rgw service is unavailable
1946837 - OCS 4.7 Arbiter Mode Cluster becomes stuck when entire zone is shutdown
1955328 - Upgrade of noobaa DB failed when upgrading OCS 4.6 to 4.7
1955601 - CVE-2021-3528 NooBaa: noobaa-operator leaking RPC AuthToken into log files
1957187 - Update to RHCS 4.2z1 Ceph container image at OCS 4.7.0
1957639 - Noobaa migrate job is failing when upgrading OCS 4.6.4 to 4.7 on FIPS environment

5. References:

  https://access.redhat.com/security/cve/CVE-2020-7608
  https://access.redhat.com/security/cve/CVE-2020-7774
  https://access.redhat.com/security/cve/CVE-2020-8565
  https://access.redhat.com/security/cve/CVE-2020-25678
  https://access.redhat.com/security/cve/CVE-2020-26160
  https://access.redhat.com/security/cve/CVE-2020-26289
  https://access.redhat.com/security/cve/CVE-2020-28362
  https://access.redhat.com/security/cve/CVE-2021-3114
  https://access.redhat.com/security/cve/CVE-2021-3139
  https://access.redhat.com/security/cve/CVE-2021-3449
  https://access.redhat.com/security/cve/CVE-2021-3450
  https://access.redhat.com/security/cve/CVE-2021-3528
  https://access.redhat.com/security/cve/CVE-2021-20305
  https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is . More contact
details at   https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.