Red Hat 8833 Published by

A Red Hat OpenShift Data Foundation 4.12.2 Bug Fix and security update has been released.



RHSA-2023:1816-01: Moderate: Red Hat OpenShift Data Foundation 4.12.2 Bug Fix and security update



=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: Red Hat OpenShift Data Foundation 4.12.2 Bug Fix and security update
Advisory ID: RHSA-2023:1816-01
Product: RHODF
Advisory URL:   https://access.redhat.com/errata/RHSA-2023:1816
Issue date: 2023-04-17
CVE Names: CVE-2020-10735 CVE-2021-28861 CVE-2022-4304
CVE-2022-4415 CVE-2022-4450 CVE-2022-40897
CVE-2022-41717 CVE-2022-45061 CVE-2022-48303
CVE-2023-0215 CVE-2023-0286 CVE-2023-23916
=====================================================================

1. Summary:

Updated images that fix several bugs are now available for Red Hat
OpenShift Data Foundation 4.12.2 on Red Hat Enterprise Linux 8 from Red Hat
Container Registry.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Data Foundation is software-defined storage integrated
with and optimized for the Red Hat OpenShift Data Foundation. Red Hat
OpenShift Data Foundation is a highly scalable, production-grade persistent
storage for stateful applications running in the Red Hat OpenShift
Container Platform. In addition to persistent storage, Red Hat OpenShift
Data Foundation provisions a multicloud data management service with an S3
compatible API.

Security Fix(es):

* golang: net/http: An attacker can cause excessive memory growth in a Go
server accepting HTTP/2 requests (CVE-2022-41717)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Bug Fix(es):

* [backport 4.12] s3 sync directory to a bucket fails with Internal Error
in between the upload operation (BZ#2170416)

* [4.12 clone] [Noobaa] Secrets are used in env variables (BZ#2171968)

* [Backport to 4.12.z] Placeholder bug to backport the odf changes for
Managed services epic RHSTOR-2442 to 4.12.z (BZ#2174335)

* [ODF 4.12] Missing the status-reporter binary causing pods
"report-status-to-provider" remain in CreateContainerError on ODF to ODF
cluster on ROSA (BZ#2179978)

* [MDR] After upgrade(redhat-operators) on hub from 4.12.1 to 4.12.2
noticed 2 token-exchange-agent pods on managed clusters and one of them on
CBLO (BZ#2183198)

3. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

  https://access.redhat.com/articles/11258

4. Bugs fixed (  https://bugzilla.redhat.com/):

2161274 - CVE-2022-41717 golang: net/http: An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests
2171968 - [4.12 clone] [Noobaa] Secrets are used in env variables
2174335 - [Backport to 4.12.z] Placeholder bug to backport the odf changes for Managed services epic RHSTOR-2442 to 4.12.z
2175365 - [4.12.z] Upgrade from 4.12.0 to 4.12.1 doesn't work
2179978 - [ODF 4.12] Missing the status-reporter binary causing pods "report-status-to-provider" remain in CreateContainerError on ODF to ODF cluster on ROSA
2183198 - [MDR] After upgrade(redhat-operators) on hub from 4.12.1 to 4.12.2 noticed 2 token-exchange-agent pods on managed clusters and one of them on CBLO
2186455 - Include at ODF 4.12 container images the RHEL8 CVE fix on "openssl"

5. References:

  https://access.redhat.com/security/cve/CVE-2020-10735
  https://access.redhat.com/security/cve/CVE-2021-28861
  https://access.redhat.com/security/cve/CVE-2022-4304
  https://access.redhat.com/security/cve/CVE-2022-4415
  https://access.redhat.com/security/cve/CVE-2022-4450
  https://access.redhat.com/security/cve/CVE-2022-40897
  https://access.redhat.com/security/cve/CVE-2022-41717
  https://access.redhat.com/security/cve/CVE-2022-45061
  https://access.redhat.com/security/cve/CVE-2022-48303
  https://access.redhat.com/security/cve/CVE-2023-0215
  https://access.redhat.com/security/cve/CVE-2023-0286
  https://access.redhat.com/security/cve/CVE-2023-23916
  https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is . More contact
details at   https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.