A Red Hat OpenShift Data Foundation 4.13.0 security and bug fix update has been released for Red Hat Enterprise Linux 9.

[RHSA-2023:3742-01] Important: Red Hat OpenShift Data Foundation 4.13.0 security and bug fix update

=====================================================================
Red Hat Security Advisory

Synopsis: Important: Red Hat OpenShift Data Foundation 4.13.0 security and bug fix update
Advisory ID: RHSA-2023:3742-02
Product: Red Hat OpenShift Data Foundation
Advisory URL: https://access.redhat.com/errata/RHSA-2023:3742
Issue date: 2023-06-21
CVE Names: CVE-2015-20107 CVE-2018-25032 CVE-2020-10735
CVE-2020-16250 CVE-2020-16251 CVE-2020-17049
CVE-2021-3765 CVE-2021-3807 CVE-2021-4231
CVE-2021-4235 CVE-2021-4238 CVE-2021-28861
CVE-2021-43519 CVE-2021-43998 CVE-2021-44531
CVE-2021-44532 CVE-2021-44533 CVE-2021-44964
CVE-2021-46828 CVE-2021-46848 CVE-2022-0670
CVE-2022-1271 CVE-2022-1304 CVE-2022-1348
CVE-2022-1586 CVE-2022-1587 CVE-2022-2309
CVE-2022-2509 CVE-2022-2795 CVE-2022-2879
CVE-2022-2880 CVE-2022-3094 CVE-2022-3358
CVE-2022-3515 CVE-2022-3517 CVE-2022-3715
CVE-2022-3736 CVE-2022-3821 CVE-2022-3924
CVE-2022-4415 CVE-2022-21824 CVE-2022-23540
CVE-2022-23541 CVE-2022-24903 CVE-2022-26280
CVE-2022-27664 CVE-2022-28805 CVE-2022-29154
CVE-2022-30635 CVE-2022-31129 CVE-2022-32189
CVE-2022-32190 CVE-2022-33099 CVE-2022-34903
CVE-2022-35737 CVE-2022-36227 CVE-2022-37434
CVE-2022-38149 CVE-2022-38900 CVE-2022-40023
CVE-2022-40303 CVE-2022-40304 CVE-2022-40897
CVE-2022-41316 CVE-2022-41715 CVE-2022-41717
CVE-2022-41723 CVE-2022-41724 CVE-2022-41725
CVE-2022-42010 CVE-2022-42011 CVE-2022-42012
CVE-2022-42898 CVE-2022-42919 CVE-2022-43680
CVE-2022-45061 CVE-2022-45873 CVE-2022-46175
CVE-2022-47024 CVE-2022-47629 CVE-2022-48303
CVE-2022-48337 CVE-2022-48338 CVE-2022-48339
CVE-2023-0361 CVE-2023-0620 CVE-2023-0665
CVE-2023-2491 CVE-2023-22809 CVE-2023-24329
CVE-2023-24999 CVE-2023-25000 CVE-2023-25136
=====================================================================

1. Summary:

Updated images that include numerous enhancements, security, and bug fixes
are now available in Red Hat Container Registry for Red Hat OpenShift Data
Foundation 4.13.0 on Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Data Foundation is software-defined storage integrated
with and optimized for the Red Hat OpenShift Container Platform. Red Hat
OpenShift Data Foundation is a highly scalable, production-grade persistent
storage for stateful applications running in the Red Hat OpenShift
Container Platform. In addition to persistent storage, Red Hat OpenShift
Data Foundation provisions a multicloud data management service with an S3
compatible API.

Security Fix(es):

* goutils: RandomAlphaNumeric and CryptoRandomAlphaNumeric are not as
random as they should be (CVE-2021-4238)

* decode-uri-component: improper input validation resulting in DoS
(CVE-2022-38900)

* vault: Hashicorp Vault AWS IAM Integration Authentication Bypass
(CVE-2020-16250)

* vault: GCP Auth Method Allows Authentication Bypass (CVE-2020-16251)

* nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching
ANSI escape codes (CVE-2021-3807)

* go-yaml: Denial of Service in go-yaml (CVE-2021-4235)

* vault: incorrect policy enforcement (CVE-2021-43998)

* nodejs: Improper handling of URI Subject Alternative Names
(CVE-2021-44531)

* nodejs: Certificate Verification Bypass via String Injection
(CVE-2021-44532)

* nodejs: Incorrect handling of certificate subject and issuer fields
(CVE-2021-44533)

* golang: archive/tar: unbounded memory consumption when reading headers
(CVE-2022-2879)

* golang: net/http/httputil: ReverseProxy should not forward unparseable
query parameters (CVE-2022-2880)

* nodejs-minimatch: ReDoS via the braceExpand function (CVE-2022-3517)

* jsonwebtoken: Insecure default algorithm in jwt.verify() could lead to
signature validation bypass (CVE-2022-23540)

* jsonwebtoken: Insecure implementation of key retrieval function could
lead to Forgeable Public/Private Tokens from RSA to HMAC (CVE-2022-23541)

* golang: net/http: handle server errors after sending GOAWAY
(CVE-2022-27664)

* golang: encoding/gob: stack exhaustion in Decoder.Decode (CVE-2022-30635)

* golang: net/url: JoinPath does not strip relative path components in all
circumstances (CVE-2022-32190)

* consul: Consul Template May Expose Vault Secrets When Processing Invalid
Input (CVE-2022-38149)

* vault: insufficient certificate revocation list checking (CVE-2022-41316)

* golang: regexp/syntax: limit memory used by parsing regexps
(CVE-2022-41715)

* golang: net/http: excessive memory growth in a Go server accepting HTTP/2
requests (CVE-2022-41717)

* net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK
decoding (CVE-2022-41723)

* golang: crypto/tls: large handshake records may cause panics
(CVE-2022-41724)

* golang: net/http, mime/multipart: denial of service from excessive
resource consumption (CVE-2022-41725)

* json5: Prototype Pollution in JSON5 via Parse Method (CVE-2022-46175)

* vault: Vault’s Microsoft SQL Database Storage Backend Vulnerable to SQL
Injection Via Configuration File (CVE-2023-0620)

* hashicorp/vault: Vault’s PKI Issuer Endpoint Did Not Correctly Authorize
Access to Issuer Metadata (CVE-2023-0665)

* Hashicorp/vault: Vault Fails to Verify if Approle SecretID Belongs to
Role During a Destroy Operation (CVE-2023-24999)

* hashicorp/vault: Cache-Timing Attacks During Seal and Unseal Operations
(CVE-2023-25000)

* validator: Inefficient Regular Expression Complexity in Validator.js
(CVE-2021-3765)

* nodejs: Prototype pollution via console.table properties (CVE-2022-21824)

* golang: math/big: decoding big.Float and big.Rat types can panic if the
encoded message is too short, potentially allowing a denial of service
(CVE-2022-32189)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

These updated images include numerous enhancements and bug fixes. Space
precludes documenting all of these changes in this advisory. Users are
directed to the Red Hat OpenShift Data Foundation Release Notes for
information on the most significant of these changes:

https://access.redhat.com/documentation/en-us/red_hat_openshift_data_foundation/4.13/html/4.13_release_notes/index

All Red Hat OpenShift Data Foundation users are advised to upgrade to these
updated images that provide numerous bug fixes and enhancements.

4. Bugs fixed ( https://bugzilla.redhat.com/):

1786696 - UI->Dashboards->Overview->Alerts shows MON components are at different versions, though they are NOT
1855339 - Wrong version of ocs-storagecluster
1943137 - [Tracker for BZ #1945618] rbd: Storage is not reclaimed after persistentvolumeclaim and job that utilized it are deleted
1944687 - [RFE] KMS server connection lost alert
1989088 - [4.8][Multus] UX experience issues and enhancements
2005040 - Uninstallation of ODF StorageSystem via OCP Console fails, gets stuck in Terminating state
2005830 - [DR] DRPolicy resource should not be editable after creation
2007557 - CVE-2021-3807 nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes
2028193 - CVE-2021-43998 vault: incorrect policy enforcement
2040839 - CVE-2021-44531 nodejs: Improper handling of URI Subject Alternative Names
2040846 - CVE-2021-44532 nodejs: Certificate Verification Bypass via String Injection
2040856 - CVE-2021-44533 nodejs: Incorrect handling of certificate subject and issuer fields
2040862 - CVE-2022-21824 nodejs: Prototype pollution via console.table properties
2042914 - [Tracker for BZ #2013109] [UI] Refreshing web console from the pop-up is taking to Install Operator page.
2052252 - CVE-2021-44531 CVE-2021-44532 CVE-2021-44533 CVE-2022-21824 [CVE] nodejs: various flaws [openshift-data-foundation-4]
2101497 - ceph_mon_metadata metrics are not collected properly
2101916 - must-gather is not collecting ceph logs or coredumps
2102304 - [GSS] Remove the entry of removed node from Storagecluster under Node Topology
2104148 - route ocs-storagecluster-cephobjectstore misconfigured to use http and https on same http route in haproxy.config
2107388 - CVE-2022-30635 golang: encoding/gob: stack exhaustion in Decoder.Decode
2113814 - CVE-2022-32189 golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service
2115020 - [RDR] Sync schedule is not removed from mirrorpeer yaml after DR Policy is deleted
2115616 - [GSS] failing to change ownership of the NFS based PVC for PostgreSQL pod by using kube_pv_chown utility
2119551 - CVE-2022-38149 consul: Consul Template May Expose Vault Secrets When Processing Invalid Input
2120098 - [RDR] Even before an action gets fully completed, PeerReady and Available are reported as True in the DRPC yaml
2120944 - Large Omap objects found in pool 'ocs-storagecluster-cephfilesystem-metadata'
2124668 - CVE-2022-32190 golang: net/url: JoinPath does not strip relative path components in all circumstances
2124669 - CVE-2022-27664 golang: net/http: handle server errors after sending GOAWAY
2126299 - CVE-2021-3765 validator: Inefficient Regular Expression Complexity in Validator.js
2132867 - CVE-2022-2879 golang: archive/tar: unbounded memory consumption when reading headers
2132868 - CVE-2022-2880 golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters
2132872 - CVE-2022-41715 golang: regexp/syntax: limit memory used by parsing regexps
2134609 - CVE-2022-3517 nodejs-minimatch: ReDoS via the braceExpand function
2135339 - CVE-2022-41316 vault: insufficient certificate revocation list checking
2139037 - [cee/sd]Unable to access s3 via RGW route ocs-storagecluster-cephobjectstore
2141095 - [RDR] Storage System page on ACM Hub is visible even when data observability is not enabled
2142651 - RFE: OSDs need ability to bind to a service IP instead of the pod IP to support RBD mirroring in OCP clusters
2142894 - Credentials are ignored when creating a Backing/Namespace store after prompted to enter a name for the resource
2142941 - RGW cloud Transition. HEAD/GET requests to MCG are failing with 403 error
2143944 - [GSS] unknown parameter name "FORCE_OSD_REMOVAL"
2144256 - [RDR] [UI] DR Application applied to a single DRPolicy starts showing connected to multiple policies due to console flickering
2151903 - [MCG] Azure bs/ns creation fails with target bucket does not exists
2152143 - [Noobaa Clone] Secrets are used in env variables
2154250 - NooBaa Bucket Quota alerts are not working
2155507 - RBD reclaimspace job fails when the PVC is not mounted
2155743 - ODF Dashboard fails to load
2156067 - [RDR] [UI] When Peer Ready isn't True, UI doesn't reset the error message even when no subscription group is selected
2156069 - [UI] Instances of OCS can be seen on BlockPool action modals
2156263 - CVE-2022-46175 json5: Prototype Pollution in JSON5 via Parse Method
2156519 - 4.13: odf-csi-addons-operator failed with OwnNamespace InstallModeType not supported
2156727 - CVE-2021-4235 go-yaml: Denial of Service in go-yaml
2156729 - CVE-2021-4238 goutils: RandomAlphaNumeric and CryptoRandomAlphaNumeric are not as random as they should be
2157876 - [OCP Tracker] [UI] When OCP and ODF are upgraded, refresh web console pop-up doesn't appear after ODF upgrade resulting in dashboard crash
2158922 - Namespace store fails to get created via the ODF UI
2159676 - rbd-mirror logs are rotated very frequently, increase the default maxlogsize for rbd-mirror
2161274 - CVE-2022-41717 golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests
2161879 - logging issue when deleting webhook resources
2161937 - collect kernel and journal logs from all worker nodes
2162257 - [RDR][CEPHFS] sync/replication is getting stopped for some pvc
2164617 - Unable to expand ocs-storagecluster-ceph-rbd PVCs provisioned in Filesystem mode
2165495 - Placement scheduler is using too much resources
2165504 - Sizer sharing link is broken
2165929 - [RFE] ODF bluewash introduction in 4.12.x
2165938 - ocs-operator CSV is missing disconnected env annotation.
2165984 - [RDR] Replication stopped for images is represented with incorrect color
2166222 - CSV is missing disconnected env annotation and relatedImages spec
2166234 - Application user unable to invoke Failover and Relocate actions
2166869 - Match the version of consoleplugin to odf operator
2167299 - [RFE] ODF bluewash introduction in 4.12.x
2167308 - [mcg-clone] Security and VA issues with ODF operator
2167337 - CVE-2020-16250 vault: Hashicorp Vault AWS IAM Integration Authentication Bypass
2167340 - CVE-2020-16251 vault: GCP Auth Method Allows Authentication Bypass
2167946 - CSV is missing disconnected env annotation and relatedImages spec
2168113 - [Ceph Tracker BZ #2141110] [cee/sd][Bluestore] Newly deployed bluestore OSD's showing high fragmentation score
2168635 - fix redirect link to operator details page (OCS dashboard)
2168840 - [Fusion-aaS][ODF 4.13]Within 'prometheus-ceph-rules' the namespace for 'rook-ceph-mgr' jobs should be configurable.
2168849 - Must-gather doesn't collect coredump logs crucial for OSD crash events
2169375 - CVE-2022-23541 jsonwebtoken: Insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC
2169378 - CVE-2022-23540 jsonwebtoken: Insecure default algorithm in jwt.verify() could lead to signature validation bypass
2169779 - [vSphere]: rook-ceph-mon-* pvc are in pending state
2170644 - CVE-2022-38900 decode-uri-component: improper input validation resulting in DoS
2170673 - [RDR] Different replication states of PVC images aren't correctly distinguished and representated on UI
2172089 - [Tracker for Ceph BZ 2174461] rook-ceph-nfs pod is stuck at status 'CreateContainerError' after enabling NFS in ODF 4.13
2172365 - [csi-addons] odf-csi-addons-operator oomkilled with fresh installation 4.12
2172521 - No OSD pods are created for 4.13 LSO deployment
2173161 - ODF-console can not start when you disable IPv6 on Node with kernel parameter.
2173528 - Creation of OCS operator tag automatically for verified commits
2173534 - When on StorageSystem details click on History back btn it shows blank body
2173926 - [RFE] Include changes in MCG for new Ceph RGW transition headers
2175612 - noobaa-core-0 crashing and storagecluster not getting to ready state during ODF deployment with FIPS enabled in 4.13cluster
2175685 - RGW OBC creation via the UI is blocked by "Address form errors to proceed" error
2175714 - UI fix- capitalization
2175867 - Rook sets cephfs kernel mount options even when mon is using v1 port
2176080 - odf must-gather should collect output of oc get hpa -n openshift-storage
2176456 - [RDR] ramen-hub-operator and ramen-dr-cluster-operator is going into CLBO post deployment
2176739 - [UI] CSI Addons operator icon is broken
2176776 - Enable save options only when the protected apps has labels for manage DRPolicy
2176798 - [IBM Z ] Multi Cluster Orchestrator operator is not available in the Operator Hub
2176809 - [IBM Z ] DR operator is not available in the Operator Hub
2177134 - Next button if disabled for storage system deployment flow for IBM Ceph Storage security and network step when there is no OCS installed already
2177221 - Enable DR dashboard only when ACM observability is enabled
2177325 - Noobaa-db pod is taking longer time to start up in ODF 4.13
2177695 - DR dashbaord showing incorrect RPO data
2177844 - CVE-2023-24999 Hashicorp/vault: Vault Fails to Verify if Approle SecretID Belongs to Role During a Destroy Operation
2178033 - node topology warnings tab doesn't show pod warnings
2178358 - CVE-2022-41723 net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding
2178488 - CVE-2022-41725 golang: net/http, mime/multipart: denial of service from excessive resource consumption
2178492 - CVE-2022-41724 golang: crypto/tls: large handshake records may cause panics
2178588 - No rack names on ODF Topology
2178619 - odf-operator failing to resolve its sub-dependencies leaving the ocs-consumer/provider addon in a failed and halted state
2178682 - [GSS] Add the valid AWS GovCloud regions in OCS UI.
2179133 - [UI] A blank page appears while selecting Storage Pool for creating Encrypted Storage Class
2179337 - Invalid storage system href link on the ODF multicluster dashboard
2179403 - (4.13) Mons are failing to start when msgr2 is required with RHCS 6.1
2179846 - [IBM Z] In RHCS external mode Cephobjectstore creation fails as it reports that the "object store name cannot be longer than 38 characters"
2179860 - [MCG] Bucket replication with deletion sync isn't complete
2179976 - [ODF 4.13] Missing the status-reporter binary causing pods "report-status-to-provider" remain in CreateContainerError on ODF to ODF cluster on ROSA
2179981 - ODF Topology search bar mistakes to find searched node/pod
2179997 - Topology. Exit full screen does not appear in Full screen mode
2180211 - StorageCluster stuck in progressing state for Thales KMS deployment
2180397 - Last sync time is missing on application set's disaster recovery status popover
2180440 - odf-monitoring-tool. YAML file misjudged as corrupted
2180921 - Deployment with external cluster in ODF 4.13 with unable to use cephfs as backing store for image_registry
2181112 - [RDR] [UI] Hide disable DR functionality as it would be un-tested in 4.13
2181133 - CI: backport E2E job improvements
2181446 - [KMS][UI] PVC provisioning failed in case of vault kubernetes authentication is configured.
2181535 - [GSS] Object storage in degraded state
2181551 - Build: move to 'dependencies' the ones required for running a build
2181832 - Create OBC via UI, placeholder on StorageClass dropped
2181949 - [ODF Tracker] [RFE] Catch MDS damage to the dentry's first snapid
2182041 - OCS-Operator expects NooBaa CRDs to be present on the cluster when installed directly without ODF Operator
2182296 - [Fusion-aaS][ODF 4.13]must-gather does not collect relevant logs when storage cluster is not in openshift-storage namespace
2182375 - [MDR] Not able to fence DR clusters
2182644 - [IBM Z] MDR policy creation fails unless the ocs-operator pod is restarted on the managed clusters
2182664 - Topology view should hide the sidebar when changing levels
2182703 - [RDR] After upgrading from 4.12.2 to 4.13.0 version.odf.openshift.io cr is not getting updated with latest ODF version
2182972 - CVE-2023-25000 hashicorp/vault: Cache-Timing Attacks During Seal and Unseal Operations
2182981 - CVE-2023-0665 hashicorp/vault: Vault?s PKI Issuer Endpoint Did Not Correctly Authorize Access to Issuer Metadata
2183155 - failed to mount the the cephfs subvolume as subvolumegroup name is not sent in the GetStorageConfig RPC call
2183196 - [Fusion-aaS] Collect Must-gather logs from the managed-fusion agent namesapce
2183266 - [Fusion aaS Rook ODF 4.13]] Rook-ceph-operator pod should allow OBC CRDs to be optional instead of causing a crash when not present
2183457 - [RDR] when running any ceph cmd we see error 2023-03-31T08:25:31.844+0000 7f8deaffd640 -1 monclient(hunting): handle_auth_bad_method server allowed_methods [2] but i only support [2,1]
2183478 - [MDR][UI] Cannot relocate subscription based apps, Appset based apps are possible to relocate
2183520 - [Fusion-aaS] csi-cephfs-plugin pods are not created after installing ocs-client-operator
2184068 - [Fusion-aaS] Failed to mount CephFS volumes while creating pods
2184605 - [ODF 4.13][Fusion-aaS] OpenShift Data Foundation Client operator is listed in OperatorHub and installable from UI
2184663 - CVE-2023-0620 vault: Vault?s Microsoft SQL Database Storage Backend Vulnerable to SQL Injection Via Configuration File
2184769 - {Fusion-aaS][ODF 4.13]Remove storageclassclaim cr and create new cr storageclass request cr
2184773 - multicluster-orchestrator should not reset spec.network.multiClusterService.Enabled field added by user
2184892 - Don't pass encryption options to ceph cluster in odf external mode to provider/consumer cluster
2184984 - Topology Sidebar alerts panel: alerts accordion does not toggle when clicking on alert severity text
2185164 - [KMS][VAULT] PVC provisioning is failing when the Vault (HCP) Kubernetes authentication is set.
2185188 - Fix storagecluster watch request for OCSInitialization
2185757 - add NFS dashboard
2185871 - [MDR][ACM-Tracker] Deleting an Appset based application does not delete its placement
2186171 - [GSS] "disableLoadBalancerService: true" config is reconciled after modifying the number of NooBaa endpoints
2186225 - [RDR] when running any ceph cmd we see error 2023-03-31T08:25:31.844+0000 7f8deaffd640 -1 monclient(hunting): handle_auth_bad_method server allowed_methods [2] but i only support [2,1]
2186475 - handle different network connection spec & Pass appropriate options for all the cases of Network Spec
2186752 - [translations] add translations for 4.13
2187251 - sync ocs and odf with the latest rook
2187296 - [MCG] Can't opt out of deletions sync once log-based replication with deletions sync is set
2187736 - [RDR] Replication history graph is showing incorrect value
2187952 - When cluster controller is cancelled frequently, multiple simultaneous controllers cause issues since need to wait for shutdown before continuing new controller
2187969 - [ODFMS-Migration ] [OCS Client Operator] csi-rbdplugin stuck in ImagePullBackOff on consumer clusters after Migration
2187986 - [MDR] ramen-dr-cluster-operator pod is in CLBO after assigning dr policy to an appset based app
2188053 - ocs-metrics-exporter cannot list/watch StorageCluster, StorageClass, CephBlockPool and other resources
2188238 - [RDR] Avoid using the terminologies "SLA" in DR dashbaord
2188303 - [RDR] Maintenance mode is not enabled after initiating failover action
2188427 - [External mode upgrade]: Upgrade from 4.12 -> 4.13 external mode is failing because rook-ceph-operator is not reaching clean state
2188666 - wrong label in new storageclassrequest cr
2189483 - After upgrade noobaa-db-pg-0 pod using old image in one of container
2189929 - [RDR/MDR] [UI] Dashboard fon size are very uneven
2189982 - [RDR] ocs_rbd_client_blocklisted datapoints and the corresponding alert is not getting generated
2189984 - [KMS][VAULT] Storage cluster remains in 'Progressing' state during deployment with storage class encryption, despite all pods being up and running.
2190129 - OCS Provider Server logs are incorrect
2190241 - nfs metric details are unavailable and server health is displaying as "Degraded" under Network file system tab in UI
2192088 - [IBM P] rbd_default_map_options value not set to ms_mode=secure in in-transit encryption enabled ODF cluster
2192670 - Details tab for nodes inside Topology throws "Something went wrong" on IBM Power platform
2192824 - [4.13] Fix Multisite in external cluster
2192875 - Enable ceph-exporter in rook
2193114 - MCG replication is failing due to OC binary incompatible on Power platform
2193220 - [Stretch cluster] CephCluster is updated frequently due to changing ordering of zones
2196176 - MULTUS UI, There is no option to change the multus configuration after we configure the params
2196236 - [RDR] With ACM 2.8 User is not able to apply Drpolicy to subscription workload
2196298 - [RDR] DRPolicy doesn't show connected application when subscription based workloads are deployed via CLI
2203795 - ODF Monitoring is missing some of the ceph_* metric values
2208029 - nfs server health is always displaying as "Degraded" under Network file system tab in UI.
2208079 - rbd mirror daemon is commonly not upgraded
2208269 - [RHCS Tracker] After add capacity the rebalance does not complete, and we see 2 PGs in active+clean+scrubbing and 1 active+clean+scrubbing+deep
2208558 - [MDR] ramen-dr-cluster-operator pod crashes during failover
2208962 - [UI] ODF Topology. Degraded cluster don't show red canvas on cluster level
2209364 - ODF dashboard crashes when OCP and ODF are upgraded
2209643 - Multus, Cephobjectstore stuck on Progressing state because " failed to create or retrieve rgw admin ops user"
2209695 - When collecting Must-gather logs shows /usr/bin/gather_ceph_resources: line 341: jq: command not found
2210964 - [UI][MDR] After hub recovery in overview tab of data policies Application set apps count is not showing
2211334 - The replication history graph is very unclear
2211343 - [MCG-Only]: upgrade failed from 4.12 to 4.13 due to missing CSI_ENABLE_READ_AFFINITY in ConfigMap openshift-storage/ocs-operator-config
2211704 - Multipart uploads fail to a Azure namespace bucket when user MD is sent as part of the upload

5. References:

https://access.redhat.com/security/cve/CVE-2015-20107
https://access.redhat.com/security/cve/CVE-2018-25032
https://access.redhat.com/security/cve/CVE-2020-10735
https://access.redhat.com/security/cve/CVE-2020-16250
https://access.redhat.com/security/cve/CVE-2020-16251
https://access.redhat.com/security/cve/CVE-2020-17049
https://access.redhat.com/security/cve/CVE-2021-3765
https://access.redhat.com/security/cve/CVE-2021-3807
https://access.redhat.com/security/cve/CVE-2021-4231
https://access.redhat.com/security/cve/CVE-2021-4235
https://access.redhat.com/security/cve/CVE-2021-4238
https://access.redhat.com/security/cve/CVE-2021-28861
https://access.redhat.com/security/cve/CVE-2021-43519
https://access.redhat.com/security/cve/CVE-2021-43998
https://access.redhat.com/security/cve/CVE-2021-44531
https://access.redhat.com/security/cve/CVE-2021-44532
https://access.redhat.com/security/cve/CVE-2021-44533
https://access.redhat.com/security/cve/CVE-2021-44964
https://access.redhat.com/security/cve/CVE-2021-46828
https://access.redhat.com/security/cve/CVE-2021-46848
https://access.redhat.com/security/cve/CVE-2022-0670
https://access.redhat.com/security/cve/CVE-2022-1271
https://access.redhat.com/security/cve/CVE-2022-1304
https://access.redhat.com/security/cve/CVE-2022-1348
https://access.redhat.com/security/cve/CVE-2022-1586
https://access.redhat.com/security/cve/CVE-2022-1587
https://access.redhat.com/security/cve/CVE-2022-2309
https://access.redhat.com/security/cve/CVE-2022-2509
https://access.redhat.com/security/cve/CVE-2022-2795
https://access.redhat.com/security/cve/CVE-2022-2879
https://access.redhat.com/security/cve/CVE-2022-2880
https://access.redhat.com/security/cve/CVE-2022-3094
https://access.redhat.com/security/cve/CVE-2022-3358
https://access.redhat.com/security/cve/CVE-2022-3515
https://access.redhat.com/security/cve/CVE-2022-3517
https://access.redhat.com/security/cve/CVE-2022-3715
https://access.redhat.com/security/cve/CVE-2022-3736
https://access.redhat.com/security/cve/CVE-2022-3821
https://access.redhat.com/security/cve/CVE-2022-3924
https://access.redhat.com/security/cve/CVE-2022-4415
https://access.redhat.com/security/cve/CVE-2022-21824
https://access.redhat.com/security/cve/CVE-2022-23540
https://access.redhat.com/security/cve/CVE-2022-23541
https://access.redhat.com/security/cve/CVE-2022-24903
https://access.redhat.com/security/cve/CVE-2022-26280
https://access.redhat.com/security/cve/CVE-2022-27664
https://access.redhat.com/security/cve/CVE-2022-28805
https://access.redhat.com/security/cve/CVE-2022-29154
https://access.redhat.com/security/cve/CVE-2022-30635
https://access.redhat.com/security/cve/CVE-2022-31129
https://access.redhat.com/security/cve/CVE-2022-32189
https://access.redhat.com/security/cve/CVE-2022-32190
https://access.redhat.com/security/cve/CVE-2022-33099
https://access.redhat.com/security/cve/CVE-2022-34903
https://access.redhat.com/security/cve/CVE-2022-35737
https://access.redhat.com/security/cve/CVE-2022-36227
https://access.redhat.com/security/cve/CVE-2022-37434
https://access.redhat.com/security/cve/CVE-2022-38149
https://access.redhat.com/security/cve/CVE-2022-38900
https://access.redhat.com/security/cve/CVE-2022-40023
https://access.redhat.com/security/cve/CVE-2022-40303
https://access.redhat.com/security/cve/CVE-2022-40304
https://access.redhat.com/security/cve/CVE-2022-40897
https://access.redhat.com/security/cve/CVE-2022-41316
https://access.redhat.com/security/cve/CVE-2022-41715
https://access.redhat.com/security/cve/CVE-2022-41717
https://access.redhat.com/security/cve/CVE-2022-41723
https://access.redhat.com/security/cve/CVE-2022-41724
https://access.redhat.com/security/cve/CVE-2022-41725
https://access.redhat.com/security/cve/CVE-2022-42010
https://access.redhat.com/security/cve/CVE-2022-42011
https://access.redhat.com/security/cve/CVE-2022-42012
https://access.redhat.com/security/cve/CVE-2022-42898
https://access.redhat.com/security/cve/CVE-2022-42919
https://access.redhat.com/security/cve/CVE-2022-43680
https://access.redhat.com/security/cve/CVE-2022-45061
https://access.redhat.com/security/cve/CVE-2022-45873
https://access.redhat.com/security/cve/CVE-2022-46175
https://access.redhat.com/security/cve/CVE-2022-47024
https://access.redhat.com/security/cve/CVE-2022-47629
https://access.redhat.com/security/cve/CVE-2022-48303
https://access.redhat.com/security/cve/CVE-2022-48337
https://access.redhat.com/security/cve/CVE-2022-48338
https://access.redhat.com/security/cve/CVE-2022-48339
https://access.redhat.com/security/cve/CVE-2023-0361
https://access.redhat.com/security/cve/CVE-2023-0620
https://access.redhat.com/security/cve/CVE-2023-0665
https://access.redhat.com/security/cve/CVE-2023-2491
https://access.redhat.com/security/cve/CVE-2023-22809
https://access.redhat.com/security/cve/CVE-2023-24329
https://access.redhat.com/security/cve/CVE-2023-24999
https://access.redhat.com/security/cve/CVE-2023-25000
https://access.redhat.com/security/cve/CVE-2023-25136
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/documentation/en-us/red_hat_openshift_data_foundation/4.13/html/4.13_release_notes/index

6. Contact:

The Red Hat security contact is [secalert@redhat.com]. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.

--