A Red Hat OpenShift Data Foundation 4.12.3 Security and Bug fix update has been released for Red Hat Enterprise Linux 8.

RHSA-2023:3265-01: Moderate: Red Hat OpenShift Data Foundation 4.12.3 Security and Bug fix update

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: Red Hat OpenShift Data Foundation 4.12.3 Security and Bug fix update
Advisory ID: RHSA-2023:3265-01
Product: RHODF
Advisory URL:   https://access.redhat.com/errata/RHSA-2023:3265
Issue date: 2023-05-23
CVE Names: CVE-2022-23539 CVE-2022-24999 CVE-2022-36227
CVE-2022-40023 CVE-2023-0361 CVE-2023-27535
CVE-2023-28617
=====================================================================

1. Summary:

Updated images that fix several bugs are now available for Red Hat
OpenShift Data Foundation 4.12.3 on Red Hat Enterprise Linux 8 from Red Hat
Container Registry.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Data Foundation is software-defined storage integrated
with and optimized for the Red Hat OpenShift Data Foundation. Red Hat
OpenShift Data Foundation is a highly scalable, production-grade persistent
storage for stateful applications running in the Red Hat OpenShift
Container Platform. In addition to persistent storage, Red Hat OpenShift
Data Foundation provisions a multi-cloud data management service with an
S3-compatible API.

Security Fix(es):

* jsonwebtoken: Unrestricted key type could lead to legacy keys usagen
(CVE-2022-23539)

* express: "qs" prototype poisoning causes the hang of the node process
(CVE-2022-24999)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Bug Fix(es):

* Previously, odf-csi-addons-operator had low memory resource limit and as
a result the odf-csi-addons-operator pod was OOMKilled (out of memory).
With this fix, the default memory and the CPU resource limit has been
increased and odf-csi-addons-operator OOMKills are not observed.
(BZ#2177184)

* Previously, non optimized database related flows on deletions caused
Multicloud Object Gateway to spike in CPU usage and perform slowly on mass
delete scenarios. For example, reclaiming a deleted object bucket claim
(OBC). With this fix, indexes for the bucket reclaimer process are
optimized, a new index is added to the database to speed up the database
cleaner flows, and bucket reclaimer changes are introduced to work on
batches of objects. (BZ#2186482)

* Previously, the list of regions for creating the default Multicloud
Object Gateway backing store on AWS did not have the new regions that were
added recently to AWS. With this fix, the new regions are included to the
list of regions and it is possible to deploy default backing store on the
new regions. (BZ#2187637)

* Previously, creating a storage system in OpenShift Data Foundation using
an external Ceph cluster would fail if the RADOS block device (RBD) pool
name contained an underscore (_) or a period(.). With this fix, the Python
script (`ceph-external-cluster-details-exporter.py`) is enhanced to contain
underscore (_) and period (.) so that an alias for the RBD pool names can
be passed in. This alias allows the OpenShift Data Foundation to adopt an
external Ceph cluster with RBD pool names containing an underscore(_) or a
period(.). (BZ#2188379)

All users of Red Hat OpenShift Data Foundation are advised to upgrade to
these updated images, which provide these bug fixes.

3. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

  https://access.redhat.com/articles/11258

4. Bugs fixed (  https://bugzilla.redhat.com/):

2150323 - CVE-2022-24999 express: "qs" prototype poisoning causes the hang of the node process
2155978 - CVE-2022-23539 jsonwebtoken: Unrestricted key type could lead to legacy keys usagen
2167304 - [4.12 clone] [rook clone] Security and VA issues with ODF operator
2174336 - [Backport to 4.12.z] Placeholder bug to backport the odf changes of Managed services epic RHSTOR-3194 to 4.12.z
2177184 - [csi-addons] odf-csi-addons-operator oomkilled with fresh installation 4.12
2179235 - [Fusion-aaS][4.12.z clone] Within 'prometheus-ceph-rules' the namespace for 'rook-ceph-mgr' jobs should be configurable.
2180685 - [4.12 clone] Security and VA issues with ODF operator
2180724 - [4.12 clone] [mcg-clone] Security and VA issues with ODF operator
2183687 - [Fusion-aaS][Backport to 4.12.3]failed to mount the the cephfs subvolume as subvolumegroup name is not sent in the GetStorageConfig RPC call
2185190 - [4.12.z]Fix storagecluster watch request for OCSInitialization
2185725 - [Fusion-aaS][Backport to 4.12.3]OCS-Operator expects NooBaa CRDs to be present on the cluster when installed directly without ODF Operator
2186443 - [Backport bug for 4.12.3][Fusion-aaS]Remove storageclassclaim cr and create new cr storageclass request cr
2186482 - [GSS] [4.12 backport] Object storage in degraded state
2187765 - [Fusion aaS Rook][backport bug for 4.12.3] Rook-ceph-operator pod should allow OBC CRDs to be optional instead of causing a crash when not present
2187796 - [Fusion-aaS] [Backport for 4.12.3] Collect Must-gather logs from the managed-fusion agent namesapce
2187799 - [Fusion-aaS][backport to 4.12.3]must-gather does not collect relevant logs when storage cluster is not in openshift-storage namespace
2188228 - [Fusion-aaS][Backport to 4.12.z] ocs-metrics-exporter cannot list/watch StorageCluster, StorageClass, CephBlockPool and other resources
2188327 - [IBM Z ] Multi Cluster Orchestrator operator is not available in the Operator Hub
2188667 - [Backport to 4.12.3][Fusion-aaS]wrong label in new storageclassrequest cr
2190005 - Update to RHCS 5.3z2 Ceph container image at ODF-4.12.3
2190140 - Include at ODF 4.12 ?Multi-Cloud Object Gateway Core? container image the RHEL8 CVE fix on "nodejs:14"
2190393 - Include at ODF 4.12 Container images (2) the RHEL8 CVE fix on "emacs/emacs-filesystem"
2192821 - Fix Multisite in external cluster

5. References:

  https://access.redhat.com/security/cve/CVE-2022-23539
  https://access.redhat.com/security/cve/CVE-2022-24999
  https://access.redhat.com/security/cve/CVE-2022-36227
  https://access.redhat.com/security/cve/CVE-2022-40023
  https://access.redhat.com/security/cve/CVE-2023-0361
  https://access.redhat.com/security/cve/CVE-2023-27535
  https://access.redhat.com/security/cve/CVE-2023-28617
  https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is . More contact
details at   https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.