A Windows Container Support for Red Hat OpenShift 5.0.0 security update has been released.
RHSA-2022:0577-01: Moderate: Windows Container Support for Red Hat OpenShift 5.0.0 security update:
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: Windows Container Support for Red Hat OpenShift 5.0.0 [security update]
Advisory ID: RHSA-2022:0577-01
Product: Red Hat OpenShift Enterprise
Advisory URL: https://access.redhat.com/errata/RHSA-2022:0577
Issue date: 2022-03-28
CVE Names: CVE-2020-28851 CVE-2020-28852 CVE-2021-3121
CVE-2021-3521 CVE-2021-3712 CVE-2021-29923
CVE-2021-31525 CVE-2021-33195 CVE-2021-33197
CVE-2021-33198 CVE-2021-34558 CVE-2021-36221
CVE-2021-42574 CVE-2022-24407
=====================================================================
1. Summary:
The components for Windows Container Support for Red Hat OpenShift 5.0.0
are now available. This product release includes bug fixes and a moderate
security update for the following packages: windows-machine-config-operator
and windows-machine-config-operator-bundle.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Description:
Windows Container Support for Red Hat OpenShift allows you to deploy
Windows container workloads running on Windows Server containers.
Security Fix(es):
* gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index
validation (CVE-2021-3121)
* golang.org/x/text: Panic in language.ParseAcceptLanguage while parsing
- -u- extension (CVE-2020-28851)
* golang.org/x/text: Panic in language.ParseAcceptLanguage while processing
bcp47 tag (CVE-2020-28852)
* golang: net: incorrect parsing of extraneous zero characters at the
beginning of an IP address octet (CVE-2021-29923)
* golang: net/http: panic in ReadRequest and ReadResponse when reading a
very large header (CVE-2021-31525)
* golang: net: lookup functions may return invalid host names
(CVE-2021-33195)
* golang: net/http/httputil: ReverseProxy forwards connection headers if
first one is empty (CVE-2021-33197)
* golang: math/big.Rat: may cause a panic or an unrecoverable fatal error
if passed inputs with very large exponents (CVE-2021-33198)
* golang: crypto/tls: certificate of wrong type is causing TLS client to
panic (CVE-2021-34558)
* golang: net/http/httputil: panic due to racy read of persistConn after
handler panic (CVE-2021-36221)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
3. Solution:
For Windows Machine Config Operator upgrades, see the following
documentation:
https://docs.openshift.com/container-platform/latest/windows_containers/windows-node-upgrades.html
4. Bugs fixed ( https://bugzilla.redhat.com/):
1913333 - CVE-2020-28851 golang.org/x/text: Panic in language.ParseAcceptLanguage while parsing -u- extension
1913338 - CVE-2020-28852 golang.org/x/text: Panic in language.ParseAcceptLanguage while processing bcp47 tag
1921650 - CVE-2021-3121 gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation
1958341 - CVE-2021-31525 golang: net/http: panic in ReadRequest and ReadResponse when reading a very large header
1983596 - CVE-2021-34558 golang: crypto/tls: certificate of wrong type is causing TLS client to panic
1989564 - CVE-2021-33195 golang: net: lookup functions may return invalid host names
1989570 - CVE-2021-33197 golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty
1989575 - CVE-2021-33198 golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents
1990573 - Username annotation error when byoh Windows have uppercase hostname
1992006 - CVE-2021-29923 golang: net: incorrect parsing of extraneous zero characters at the beginning of an IP address octet
1992841 - Deleting Machine Node object throws reconciliation error after WMCO restart
1994859 - Windows Containers on Windows Nodes get assigned the DNS Server IP “172.30.0.10”, which is wrong, if the default kubernetes subnet is not used
1995656 - CVE-2021-36221 golang: net/http/httputil: panic due to racy read of persistConn after handler panic
2000772 - WMCO fails to configure VMs with Powershell set as the default SSH shell
2001547 - BYOH Windows instance configured with DNS name got deconfigured immediately on UPI baremetal
2002961 - CSR reconciler report error constantly when BYOH CSR approved by other Approver
2005360 - BYOH Windows instance configured twice with DNS name
2008601 - WMCO ignores delete events for machines with invalid IP addresses
2015772 - Replacing private key reconcile 2 Windows nodes in parallel
2032048 - CSR approval failures caused by update conflicts
5. JIRA issues fixed ( https://issues.jboss.org/):
WINC-747 - Windows Container Support for Red Hat OpenShift 5.0.0 release
6. References:
https://access.redhat.com/security/cve/CVE-2020-28851
https://access.redhat.com/security/cve/CVE-2020-28852
https://access.redhat.com/security/cve/CVE-2021-3121
https://access.redhat.com/security/cve/CVE-2021-3521
https://access.redhat.com/security/cve/CVE-2021-3712
https://access.redhat.com/security/cve/CVE-2021-29923
https://access.redhat.com/security/cve/CVE-2021-31525
https://access.redhat.com/security/cve/CVE-2021-33195
https://access.redhat.com/security/cve/CVE-2021-33197
https://access.redhat.com/security/cve/CVE-2021-33198
https://access.redhat.com/security/cve/CVE-2021-34558
https://access.redhat.com/security/cve/CVE-2021-36221
https://access.redhat.com/security/cve/CVE-2021-42574
https://access.redhat.com/security/cve/CVE-2022-24407
https://access.redhat.com/security/updates/classification/#moderate
7. Contact:
The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2022 Red Hat, Inc.
