Red Hat 8833 Published by

An OpenShift Container Platform 4.7.13 bug fix and security update has been released.

RHSA-2021:2121-01: Moderate: OpenShift Container Platform 4.7.13 bug fix and security update

Red Hat Security Advisory

Synopsis: Moderate: OpenShift Container Platform 4.7.13 bug fix and security update
Advisory ID: RHSA-2021:2121-01
Product: Red Hat OpenShift Enterprise
Advisory URL:
Issue date: 2021-06-01
CVE Names: CVE-2016-10228 CVE-2019-2708 CVE-2019-3842
CVE-2019-9169 CVE-2019-13012 CVE-2019-14866
CVE-2019-18811 CVE-2019-19523 CVE-2019-19528
CVE-2019-25013 CVE-2019-25032 CVE-2019-25034
CVE-2019-25035 CVE-2019-25036 CVE-2019-25037
CVE-2019-25038 CVE-2019-25039 CVE-2019-25040
CVE-2019-25041 CVE-2019-25042 CVE-2020-0431
CVE-2020-8231 CVE-2020-8284 CVE-2020-8285
CVE-2020-8286 CVE-2020-8927 CVE-2020-9948
CVE-2020-9951 CVE-2020-9983 CVE-2020-10543
CVE-2020-10878 CVE-2020-11608 CVE-2020-12114
CVE-2020-12362 CVE-2020-12464 CVE-2020-13434
CVE-2020-13543 CVE-2020-13584 CVE-2020-13776
CVE-2020-14314 CVE-2020-14344 CVE-2020-14345
CVE-2020-14346 CVE-2020-14347 CVE-2020-14356
CVE-2020-14360 CVE-2020-14361 CVE-2020-14362
CVE-2020-14363 CVE-2020-15358 CVE-2020-15437
CVE-2020-15586 CVE-2020-16845 CVE-2020-24330
CVE-2020-24331 CVE-2020-24332 CVE-2020-24394
CVE-2020-24977 CVE-2020-25212 CVE-2020-25284
CVE-2020-25285 CVE-2020-25643 CVE-2020-25659
CVE-2020-25704 CVE-2020-25712 CVE-2020-26116
CVE-2020-26137 CVE-2020-27618 CVE-2020-27619
CVE-2020-27783 CVE-2020-27786 CVE-2020-27835
CVE-2020-28196 CVE-2020-28935 CVE-2020-28974
CVE-2020-29361 CVE-2020-29362 CVE-2020-29363
CVE-2020-35508 CVE-2020-36242 CVE-2020-36322
CVE-2021-0342 CVE-2021-3121 CVE-2021-3177
CVE-2021-3326 CVE-2021-21642 CVE-2021-21643
CVE-2021-21644 CVE-2021-21645 CVE-2021-23336
CVE-2021-25215 CVE-2021-30465

1. Summary:

Red Hat OpenShift Container Platform release 4.7.13 is now available with
updates to packages and images that fix several bugs.

This release includes a security update for Red Hat OpenShift Container
Platform 4.7.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

This advisory contains the container images for Red Hat OpenShift Container
Platform 4.7.13. See the following advisory for the RPM packages for this

Space precludes documenting all of the container images in this advisory.
See the following Release Notes documentation, which will be updated
shortly for this release, for details about these changes:

This update fixes the following bug among others:

* Previously, resources for the ClusterOperator were being created early in
the update process, which led to update failures when the ClusterOperator
had no status condition while Operators were updating. This bug fix changes
the timing of when these resources are created. As a result, updates can
take place without errors. (BZ#1959238)

Security Fix(es):

* gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index
validation (CVE-2021-3121)

You may download the oc tool and use it to inspect release image metadata
as follows:

(For x86_64 architecture)

$ oc adm release info

The image digest is

(For s390x architecture)

$ oc adm release info

The image digest is

(For ppc64le architecture)

$ oc adm release info

The image digest is

All OpenShift Container Platform 4.7 users are advised to upgrade to these
updated packages and images when they are available in the appropriate
release channel. To check for available updates, use the OpenShift Console
or the CLI oc command. Instructions for upgrading a cluster are available
- -between-minor.html#understanding-upgrade-channels_updating-cluster-between
- -minor

3. Solution:

For OpenShift Container Platform 4.7 see the following documentation, which
will be updated shortly for this release, for important instructions on how
to upgrade your cluster and fully apply this asynchronous errata update:

Details on how to access this content are available at
- -cli.html

4. Bugs fixed (

1921650 - CVE-2021-3121 gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation
1923268 - [Assisted-4.7] [Staging] Using two both spelling "canceled" "cancelled"
1947216 - [AWS] Missing iam:ListAttachedRolePolicies permission in permissions.go
1953963 - Enable/Disable host operations returns cluster resource with incomplete hosts list
1957749 - ovn-kubernetes pod should have CPU and memory requests set but not limits
1959238 - CVO creating cloud-controller-manager too early causing upgrade failures
1960103 - SR-IOV obliviously reboot the node
1961941 - Local Storage Operator using LocalVolume CR fails to create PV's when backend storage failure is simulated
1962302 - packageserver clusteroperator does not set reason or message for Available condition
1962312 - Deployment considered unhealthy despite being available and at latest generation
1962435 - Public DNS records were not deleted when destroying a cluster which is using byo private hosted zone
1963115 - Test verify /run filesystem contents failing

5. References:

6. Contact:

The Red Hat security contact is . More contact
details at

Copyright 2021 Red Hat, Inc.