A Red Hat OpenShift Container Storage 4.8.5 Security and Bug Fix Update has been released for Red Hat Enterprise Linux 8.

RHSA-2021:4845-05: Moderate: Red Hat OpenShift Container Storage 4.8.5 Security and Bug Fix Update

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: Red Hat OpenShift Container Storage 4.8.5 Security and Bug Fix Update
Advisory ID: RHSA-2021:4845-01
Product: Red Hat OpenShift Container Storage
Advisory URL:   https://access.redhat.com/errata/RHSA-2021:4845
Issue date: 2021-11-29
CVE Names: CVE-2019-5827 CVE-2019-13750 CVE-2019-13751
CVE-2019-17594 CVE-2019-17595 CVE-2019-18218
CVE-2019-19603 CVE-2019-20838 CVE-2020-8037
CVE-2020-12762 CVE-2020-13435 CVE-2020-14155
CVE-2020-16135 CVE-2020-24370 CVE-2020-26301
CVE-2020-28493 CVE-2021-3200 CVE-2021-3426
CVE-2021-3445 CVE-2021-3572 CVE-2021-3580
CVE-2021-3778 CVE-2021-3796 CVE-2021-3800
CVE-2021-20095 CVE-2021-20231 CVE-2021-20232
CVE-2021-20266 CVE-2021-22876 CVE-2021-22898
CVE-2021-22925 CVE-2021-23840 CVE-2021-23841
CVE-2021-27645 CVE-2021-28153 CVE-2021-28957
CVE-2021-33560 CVE-2021-33574 CVE-2021-35942
CVE-2021-36084 CVE-2021-36085 CVE-2021-36086
CVE-2021-36087 CVE-2021-42574 CVE-2021-42771
=====================================================================

1. Summary:

An update is now available for Red Hat OpenShift Container Storage 4.8.5 on
Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Container Storage is software-defined storage integrated
with and optimized for the Red Hat OpenShift Container Platform.
Red Hat OpenShift Container Storage is highly scalable, production-grade
persistent storage for stateful applications running in the Red Hat
OpenShift Container Platform. In addition to persistent storage, Red Hat
OpenShift Container Storage provides a multicloud data management service
with an S3 compatible API.

Security Fix(es):

* nodejs-ssh2: Command injection by calling vulnerable method with
untrusted input (CVE-2020-26301)

For more details about the security issue(s), including the impact, a
CVSS score, acknowledgments, and other related information, refer to
the CVE page(s) listed in the References section.

Bug Fix(es):

* Previously, when the namespace store target was deleted, no alert was
sent to the namespace bucket because of an issue in calculating the
namespace bucket health. With this update, the issue in calculating the
namespace bucket health is fixed and alerts are triggered as expected.
(BZ#1993873)

* Previously, the Multicloud Object Gateway (MCG) components performed
slowly and there was a lot of pressure on the MCG components due to
non-optimized database queries. With this update the non-optimized
database queries are fixed which reduces the compute resources and time
taken for queries. (BZ#2015939)

Red Hat recommends that all users of OpenShift Container Storage apply this
update to fix these issues.

3. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

  https://access.redhat.com/articles/11258

4. Bugs fixed (  https://bugzilla.redhat.com/):

1993873 - [4.8.z clone] Alert NooBaaNamespaceBucketErrorState is not triggered when namespacestore's target bucket is deleted
2006958 - CVE-2020-26301 nodejs-ssh2: Command injection by calling vulnerable method with untrusted input

5. References:

  https://access.redhat.com/security/cve/CVE-2019-5827
  https://access.redhat.com/security/cve/CVE-2019-13750
  https://access.redhat.com/security/cve/CVE-2019-13751
  https://access.redhat.com/security/cve/CVE-2019-17594
  https://access.redhat.com/security/cve/CVE-2019-17595
  https://access.redhat.com/security/cve/CVE-2019-18218
  https://access.redhat.com/security/cve/CVE-2019-19603
  https://access.redhat.com/security/cve/CVE-2019-20838
  https://access.redhat.com/security/cve/CVE-2020-8037
  https://access.redhat.com/security/cve/CVE-2020-12762
  https://access.redhat.com/security/cve/CVE-2020-13435
  https://access.redhat.com/security/cve/CVE-2020-14155
  https://access.redhat.com/security/cve/CVE-2020-16135
  https://access.redhat.com/security/cve/CVE-2020-24370
  https://access.redhat.com/security/cve/CVE-2020-26301
  https://access.redhat.com/security/cve/CVE-2020-28493
  https://access.redhat.com/security/cve/CVE-2021-3200
  https://access.redhat.com/security/cve/CVE-2021-3426
  https://access.redhat.com/security/cve/CVE-2021-3445
  https://access.redhat.com/security/cve/CVE-2021-3572
  https://access.redhat.com/security/cve/CVE-2021-3580
  https://access.redhat.com/security/cve/CVE-2021-3778
  https://access.redhat.com/security/cve/CVE-2021-3796
  https://access.redhat.com/security/cve/CVE-2021-3800
  https://access.redhat.com/security/cve/CVE-2021-20095
  https://access.redhat.com/security/cve/CVE-2021-20231
  https://access.redhat.com/security/cve/CVE-2021-20232
  https://access.redhat.com/security/cve/CVE-2021-20266
  https://access.redhat.com/security/cve/CVE-2021-22876
  https://access.redhat.com/security/cve/CVE-2021-22898
  https://access.redhat.com/security/cve/CVE-2021-22925
  https://access.redhat.com/security/cve/CVE-2021-23840
  https://access.redhat.com/security/cve/CVE-2021-23841
  https://access.redhat.com/security/cve/CVE-2021-27645
  https://access.redhat.com/security/cve/CVE-2021-28153
  https://access.redhat.com/security/cve/CVE-2021-28957
  https://access.redhat.com/security/cve/CVE-2021-33560
  https://access.redhat.com/security/cve/CVE-2021-33574
  https://access.redhat.com/security/cve/CVE-2021-35942
  https://access.redhat.com/security/cve/CVE-2021-36084
  https://access.redhat.com/security/cve/CVE-2021-36085
  https://access.redhat.com/security/cve/CVE-2021-36086
  https://access.redhat.com/security/cve/CVE-2021-36087
  https://access.redhat.com/security/cve/CVE-2021-42574
  https://access.redhat.com/security/cve/CVE-2021-42771
  https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is . More contact
details at   https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.