ID

VAR-202208-0404

CVE

CVE-2022-37434

TITLE

zlib  Out-of-bounds write vulnerability in

DESCRIPTION

zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference). zlib Exists in an out-of-bounds write vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. Security fixes: * CVE-2022-32149 golang: golang.org/x/text/language: ParseAcceptLanguage takes a long time to parse complex tags Bugs addressed: * Build Submariner 0.13.3 (ACM-2226) * Verify Submariner with OCP 4.12 (ACM-2435) * Submariner does not support cluster "kube-proxy ipvs mode" (ACM-2821) 3. JIRA issues fixed (https://issues.jboss.org/): ACM-2226 - [ACM 2.6.4] Build Submariner 0.13.3 ACM-2435 - [ACM 2.6.4] Verify Submariner with OCP 4.12 ACM-2821 - [Submariner] - 0.13.3 - Submariner does not support cluster "kube-proxy ipvs mode" 6. Description: Submariner enables direct networking between pods and services on different Kubernetes clusters that are either on-premises or in the cloud. For more information about Submariner, see the Submariner open source community website at: https://submariner.io/. Security fixes: * CVE-2022-27664 golang: net/http: handle server errors after sending GOAWAY * CVE-2022-2880 golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters * CVE-2022-41715 golang: regexp/syntax: limit memory used by parsing regexps * CVE-2022-41717 golang: net/http: An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests Bugs addressed: * subctl diagnose firewall metrics does not work on merged kubeconfig (BZ# 2013711) * [Submariner] - Fails to increase gateway amount after deployment (BZ# 2097381) * Submariner gateway node does not get deleted with subctl cloud cleanup command (BZ# 2108634) * submariner GW pods are unable to resolve the DNS of the Broker K8s API URL (BZ# 2119362) * Submariner gateway node does not get deployed after applying ManagedClusterAddOn on Openstack (BZ# 2124219) * unable to run subctl benchmark latency, pods fail with ImagePullBackOff (BZ# 2130326) * [IBM Z] - Submariner addon unistallation doesnt work from ACM console (BZ# 2136442) * Tags on AWS security group for gateway node break cloud-controller LoadBalancer (BZ# 2139477) * RHACM - Submariner: UI support for OpenStack #19297 (ACM-1242) * Submariner OVN support (ACM-1358) * Submariner Azure Console support (ACM-1388) * ManagedClusterSet consumers migrate to v1beta2 (ACM-1614) * Submariner on disconnected ACM #22000 (ACM-1678) * Submariner gateway: Error creating AWS security group if already exists (ACM-2055) * Submariner gateway security group in AWS not deleted when uninstalling submariner (ACM-2057) * The submariner-metrics-proxy pod pulls an image with wrong naming convention (ACM-2058) * The submariner-metrics-proxy pod is not part of the Agent readiness check (ACM-2067) * Subctl 0.14.0 prints version "vsubctl" (ACM-2132) * managedclusters "local-cluster" not found and missing Submariner Broker CRD (ACM-2145) * Add support of ARO to Submariner deployment (ACM-2150) * The e2e tests execution fails for "Basic TCP connectivity" tests (ACM-2204) * Gateway error shown "diagnose all" tests (ACM-2206) * Submariner does not support cluster "kube-proxy ipvs mode"(ACM-2211) * Vsphere cluster shows Pod Security admission controller warnings (ACM-2256) * Cannot use submariner with OSP and self signed certs (ACM-2274) * Subctl diagnose tests spawn nettest image with wrong tag nameing convention (ACM-2387) * Subctl 0.14.1 prints version "devel" (ACM-2482) 3. Bugs fixed (https://bugzilla.redhat.com/): 2013711 - subctl diagnose firewall metrics does not work on merged kubeconfig 2097381 - [Submariner] - Fails to increase gateway amount after deployment 2108634 - Submariner gateway node does not get deleted with subctl cloud cleanup command 2119362 - submariner GW pods are unable to resolve the DNS of the Broker K8s API URL 2124219 - Submariner gateway node does not get deployed after applying ManagedClusterAddOn on Openstack 2124669 - CVE-2022-27664 golang: net/http: handle server errors after sending GOAWAY 2130326 - unable to run subctl benchmark latency, pods fail with ImagePullBackOff 2132868 - CVE-2022-2880 golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters 2132872 - CVE-2022-41715 golang: regexp/syntax: limit memory used by parsing regexps 2136442 - [IBM Z] - Submariner addon unistallation doesnt work from ACM console 2139477 - Tags on AWS security group for gateway node break cloud-controller LoadBalancer 2161274 - CVE-2022-41717 golang: net/http: An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests 5. JIRA issues fixed (https://issues.jboss.org/): ACM-1614 - ManagedClusterSet consumers migrate to v1beta2 (Submariner) ACM-2055 - Submariner gateway: Error creating AWS security group if already exists ACM-2057 - [Submariner] - submariner gateway security group in aws not deleted when uninstalling submariner ACM-2058 - [Submariner] - The submariner-metrics-proxy pod pulls an image with wrong naming convention ACM-2067 - [Submariner] - The submariner-metrics-proxy pod is not part of the Agent readiness check ACM-2132 - Subctl 0.14.0 prints version "vsubctl" ACM-2145 - managedclusters "local-cluster" not found and missing Submariner Broker CRD ACM-2150 - Add support of ARO to Submariner deployment ACM-2204 - [Submariner] - e2e tests execution fails for "Basic TCP connectivity" tests ACM-2206 - [Submariner] - Gateway error shown "diagnose all" tests ACM-2211 - [Submariner] - Submariner does not support cluster "kube-proxy ipvs mode" ACM-2256 - [Submariner] - Vsphere cluster shows Pod Security admission controller warnings ACM-2274 - Cannot use submariner with OSP and self signed certs ACM-2387 - [Submariner] - subctl diagnose tests spawn nettest image with wrong tag nameing convention ACM-2482 - Subctl 0.14.1 prints version "devel" 6. Relevant releases/architectures: Red Hat CodeReady Linux Builder (v. 8) - aarch64, ppc64le, s390x, x86_64 3. Description: The zlib packages provide a general-purpose lossless data compression library that is used by many different programs. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. 8): Source: zlib-1.2.11-19.el8_6.src.rpm aarch64: zlib-1.2.11-19.el8_6.aarch64.rpm zlib-debuginfo-1.2.11-19.el8_6.aarch64.rpm zlib-debugsource-1.2.11-19.el8_6.aarch64.rpm zlib-devel-1.2.11-19.el8_6.aarch64.rpm ppc64le: zlib-1.2.11-19.el8_6.ppc64le.rpm zlib-debuginfo-1.2.11-19.el8_6.ppc64le.rpm zlib-debugsource-1.2.11-19.el8_6.ppc64le.rpm zlib-devel-1.2.11-19.el8_6.ppc64le.rpm s390x: zlib-1.2.11-19.el8_6.s390x.rpm zlib-debuginfo-1.2.11-19.el8_6.s390x.rpm zlib-debugsource-1.2.11-19.el8_6.s390x.rpm zlib-devel-1.2.11-19.el8_6.s390x.rpm x86_64: zlib-1.2.11-19.el8_6.i686.rpm zlib-1.2.11-19.el8_6.x86_64.rpm zlib-debuginfo-1.2.11-19.el8_6.i686.rpm zlib-debuginfo-1.2.11-19.el8_6.x86_64.rpm zlib-debugsource-1.2.11-19.el8_6.i686.rpm zlib-debugsource-1.2.11-19.el8_6.x86_64.rpm zlib-devel-1.2.11-19.el8_6.i686.rpm zlib-devel-1.2.11-19.el8_6.x86_64.rpm Red Hat CodeReady Linux Builder (v. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. Bugs fixed (https://bugzilla.redhat.com/): 2064698 - CVE-2020-36518 jackson-databind: denial of service via a large depth of nested objects 2134010 - CVE-2022-32149 golang: golang.org/x/text/language: ParseAcceptLanguage takes a long time to parse complex tags 2135244 - CVE-2022-42003 jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS 2135247 - CVE-2022-42004 jackson-databind: use of deeply nested arrays 5. JIRA issues fixed (https://issues.jboss.org/): LOG-3250 - [release-5.4] FluentdQueueLengthIncreasing rule failing to be evaluated. LOG-3252 - [release-5.4]Adding Valid Subscription Annotation 6. ========================================================================== Ubuntu Security Notice USN-6736-2 May 23, 2024 klibc vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 24.04 LTS Summary: Several security issues were fixed in klibc. Software Description: - klibc: small utilities built with klibc for early boot Details: USN-6736-1 fixed vulnerabilities in klibc. This update provides the corresponding updates for Ubuntu 24.04 LTS. Original advisory details: It was discovered that zlib, vendored in klibc, incorrectly handled pointer arithmetic. An attacker could use this issue to cause klibc to crash or to possibly execute arbitrary code. (CVE-2016-9840, CVE-2016-9841) Danilo Ramos discovered that zlib, vendored in klibc, incorrectly handled memory when performing certain deflating operations. An attacker could use this issue to cause klibc to crash or to possibly execute arbitrary code. (CVE-2018-25032) Evgeny Legerov discovered that zlib, vendored in klibc, incorrectly handled memory when performing certain inflate operations. An attacker could use this issue to cause klibc to crash or to possibly execute arbitrary code. (CVE-2022-37434) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 24.04 LTS klibc-utils 2.0.13-4ubuntu0.1 libklibc 2.0.13-4ubuntu0.1 In general, a standard system update will make all the necessary changes. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2022-10-27-1 iOS 15.7.1 and iPadOS 15.7.1 iOS 15.7.1 and iPadOS 15.7.1 addresses the following issues. Information about the security content is also available at https://support.apple.com/HT213490. Apple Neural Engine Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation) Impact: An app may be able to execute arbitrary code with kernel privileges Description: The issue was addressed with improved memory handling. CVE-2022-32932: Mohamed Ghannam (@_simo36) Audio Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation) Impact: Parsing a maliciously crafted audio file may lead to disclosure of user information Description: The issue was addressed with improved memory handling. CVE-2022-42798: Anonymous working with Trend Micro Zero Day Initiative Backup Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation) Impact: An app may be able to access iOS backups Description: A permissions issue was addressed with additional restrictions. CVE-2022-32929: Csaba Fitzl (@theevilbit) of Offensive Security FaceTime Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation) Impact: A user may be able to view restricted content from the lock screen Description: A lock screen issue was addressed with improved state management. CVE-2022-32935: Bistrit Dahal Graphics Driver Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation) Impact: An app may be able to execute arbitrary code with kernel privileges Description: The issue was addressed with improved bounds checks. CVE-2022-32939: Willy R. Vasquez of The University of Texas at Austin Image Processing Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation) Impact: An app may be able to execute arbitrary code with kernel privileges Description: This issue was addressed with improved checks. CVE-2022-32949: Tingting Yin of Tsinghua University Kernel Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation) Impact: An app may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue was addressed with improved state management. CVE-2022-32944: Tim Michaud (@TimGMichaud) of Moveworks.ai Kernel Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation) Impact: An app may be able to execute arbitrary code with kernel privileges Description: A race condition was addressed with improved locking. CVE-2022-42803: Xinru Chi of Pangu Lab, John Aakerblom (@jaakerblom) Kernel Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation) Impact: An app with root privileges may be able to execute arbitrary code with kernel privileges Description: The issue was addressed with improved bounds checks. CVE-2022-32926: Tim Michaud (@TimGMichaud) of Moveworks.ai Kernel Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation) Impact: An application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited. Description: An out-of-bounds write issue was addressed with improved bounds checking. CVE-2022-42827: an anonymous researcher Kernel Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation) Impact: An app may be able to execute arbitrary code with kernel privileges Description: A logic issue was addressed with improved checks. CVE-2022-42801: Ian Beer of Google Project Zero Model I/O Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation) Impact: Processing a maliciously crafted USD file may disclose memory contents Description: The issue was addressed with improved memory handling. CVE-2022-42810: Xingwei Lin (@xwlin_roy) and Yinyi Wu of Ant Security Light-Year Lab ppp Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation) Impact: A buffer overflow may result in arbitrary code execution Description: The issue was addressed with improved bounds checks. CVE-2022-32941: an anonymous researcher Safari Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation) Impact: Visiting a maliciously crafted website may leak sensitive data Description: A logic issue was addressed with improved state management. CVE-2022-42817: Mir Masood Ali, PhD student, University of Illinois at Chicago; Binoy Chitale, MS student, Stony Brook University; Mohammad Ghasemisharif, PhD Candidate, University of Illinois at Chicago; Chris Kanich, Associate Professor, University of Illinois at Chicago WebKit Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation) Impact: Processing maliciously crafted web content may disclose internal states of the app Description: A correctness issue in the JIT was addressed with improved checks. WebKit Bugzilla: 242964 CVE-2022-32923: Wonyoung Jung (@nonetype_pwn) of KAIST Hacking Lab Wi-Fi Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation) Impact: Joining a malicious Wi-Fi network may result in a denial-of- service of the Settings app Description: The issue was addressed with improved memory handling. CVE-2022-32927: Dr Hideaki Goto of Tohoku University, Japan zlib Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation) Impact: A user may be able to cause unexpected app termination or arbitrary code execution Description: This issue was addressed with improved checks. CVE-2022-37434: Evgeny Legerov CVE-2022-42800: Evgeny Legerov This update is available through iTunes and Software Update on your iOS device, and will not appear in your computer's Software Update application, or in the Apple Downloads site. Make sure you have an Internet connection and have installed the latest version of iTunes from https://www.apple.com/itunes/ iTunes and Software Update on the device will automatically check Apple's update server on its weekly schedule. When an update is detected, it is downloaded and the option to be installed is presented to the user when the iOS device is docked. We recommend applying the update immediately if possible. Selecting Don't Install will present the option the next time you connect your iOS device. The automatic update process may take up to a week depending on the day that iTunes or the device checks for updates. You may manually obtain the update via the Check for Updates button within iTunes, or the Software Update on your device. To check that the iPhone, iPod touch, or iPad has been updated: * Navigate to Settings * Select General * Select About. The version after applying this update will be "iOS 15.7.1 and iPadOS 15.7.1". All information is also posted on the Apple Security Updates web site: https://support.apple.com/en-us/HT201222. This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ All information is also posted on the Apple Security Updates web site: https://support.apple.com/en-us/HT201222. This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmNbJvAACgkQ4RjMIDke Nxmw3Q/+MtMTloTngI/i4DiNLW/HFq92T6kxTZ8i6MUm+RJfEvhaI2zTLCchnhiR thpoVqcA76i+eLsVGenk37S6daFhszAj1596tOv50KbTZYwBLJKM+TI2YQxH4vLq pODEyxL6gTp9tyJR+DK6u3iXHhbDPYlTXYKGqlZ79gaF8JcYwiS/4pn2+3P+wwEN kLMcAoLXPGzptHgZUcuRtLYH0Go0WCLIFHYh7a9gYK34f8VwgOdJCl9NJkuSPIB2 wsiqkUXUkfIZhnVthuYAt43SNZf0uadUjw6Bg8PUBydqL/5/OkuDcQGxKFQRJqEA Yo1rJvqOuaTz2gcfquLdE1zg5OwUjKHAeMTzUwVUHMoxUIWfuMTBb+K7rxX0i/9X FHm3f1N66GMYZPeTmFH44eUmWA5YZaccBCX5+/eluOt/y6/mVvsn+UTWa4vqI3Sa xzWYOU8xsAMfJuWdp0m1CBGDFxOmhS4PsMctRh0ToVlV0KJLoW7ZOB4wUVf3ZtNC mQ67XRAuvxDa83weRpmgSk5Vs3WrqAUEA0sO+SMiNGuLdlk9bj7TSjmThwMFuQ/3 L0JsYgJIIWEtQ+hFSY6o7Iqd2j1KMtSwk4BALohdhpl51f5MhKpeW6TWrXIoLt0E cDStPsnFSyyzJyamnM53MOEuwetfBu6b09Fbb27te6fsRFcb1fM= =kyGi -----END PGP SIGNATURE----- . Description: Red Hat Advanced Cluster Management for Kubernetes 2.6.2 images Red Hat Advanced Cluster Management for Kubernetes provides the capabilities to address common challenges that administrators and site reliability engineers face as they work across a range of public and private cloud environments. Clusters and applications are all visible and managed from a single console—with security policy built in. See the following Release Notes documentation, which will be updated shortly for this release, for additional details about this release: https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.6/html/release_notes/ Security fixes: * moment: inefficient parsing algorithm resulting in DoS (CVE-2022-31129) * passport: incorrect session regeneration (CVE-2022-25896) * sanitize-html: insecure global regular expression replacement logic may lead to ReDoS (CVE-2022-25887) * terser: insecure use of regular expressions leads to ReDoS (CVE-2022-25858) * search-api: SQL injection leads to remote denial of service (CVE-2022-2238) Bug fixes: * ACM 2.6.2 images (BZ# 2126195) * Infra MachineSet Replicate Taint (BZ# 2116528) * Work agent panic when apply the manifestwork (BZ# 2120920) * unexpected difference of behavior in inform policies with lists of apiGroups for ClusterRole resources (BZ# 2130985) 3. Solution: For Red Hat Advanced Cluster Management for Kubernetes, see the following documentation, which will be updated shortly for this release, for important instructions on installing this release: https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.6/html-single/install/index#installing 4. Bugs fixed (https://bugzilla.redhat.com/): 2101669 - CVE-2022-2238 search-api: SQL injection leads to remote denial of service 2105075 - CVE-2022-31129 moment: inefficient parsing algorithm resulting in DoS 2111862 - CVE-2022-25896 passport: incorrect session regeneration 2116528 - Infra MachineSet Replicate Taint 2120920 - work agent panic when apply the manifestwork 2123376 - CVE-2022-25887 sanitize-html: insecure global regular expression replacement logic may lead to ReDoS 2126277 - CVE-2022-25858 terser: insecure use of regular expressions leads to ReDoS 2130985 - unexpected difference of behaviour in inform policies with lists of apiGroups for ClusterRole ressources 5. This software, such as Apache HTTP Server, is common to multiple JBoss middleware products, and is packaged under Red Hat JBoss Core Services to allow for faster distribution of updates, and for a more consistent update experience. Bugs fixed (https://bugzilla.redhat.com/): 2064319 - CVE-2022-23943 httpd: mod_sed: Read/write beyond bounds 2064320 - CVE-2022-22721 httpd: core: Possible buffer overflow with very large or unlimited LimitXMLRequestBody 2081494 - CVE-2022-1292 openssl: c_rehash script allows command injection 2094997 - CVE-2022-26377 httpd: mod_proxy_ajp: Possible request smuggling 2095000 - CVE-2022-28330 httpd: mod_isapi: out-of-bounds read 2095002 - CVE-2022-28614 httpd: Out-of-bounds read via ap_rwrite() 2095006 - CVE-2022-28615 httpd: Out-of-bounds read in ap_strcmp_match() 2095015 - CVE-2022-30522 httpd: mod_sed: DoS vulnerability 2095020 - CVE-2022-31813 httpd: mod_proxy: X-Forwarded-For dropped by hop-by-hop mechanism 2097310 - CVE-2022-2068 openssl: the c_rehash script allows command injection 2099300 - CVE-2022-32206 curl: HTTP compression denial of service 2099305 - CVE-2022-32207 curl: Unpreserved file permissions 2099306 - CVE-2022-32208 curl: FTP-KRB bad message verification 2116639 - CVE-2022-37434 zlib: heap-based buffer over-read and overflow in inflate() in inflate.c via a large gzip header extra field 2120718 - CVE-2022-35252 curl: control code in cookie denial of service 2130769 - CVE-2022-40674 expat: a use-after-free in the doContent function in xmlparse.c 2135411 - CVE-2022-32221 curl: POST following PUT confusion 2135413 - CVE-2022-42915 curl: HTTP proxy double-free 2135416 - CVE-2022-42916 curl: HSTS bypass via IDN 2136266 - CVE-2022-40303 libxml2: integer overflows with XML_PARSE_HUGE 2136288 - CVE-2022-40304 libxml2: dict corruption caused by entity reference cycles 5. JIRA issues fixed (https://issues.jboss.org/): LOG-2860 - Error on LokiStack Components when forwarding logs to Loki on proxy cluster LOG-3131 - vector: kube API server certificate validation failure due to hostname mismatch LOG-3222 - [release-5.5] fluentd plugin for kafka ca-bundle secret doesn't support multiple CAs LOG-3226 - FluentdQueueLengthIncreasing rule failing to be evaluated. LOG-3284 - [release-5.5][Vector] logs parsed into structured when json is set without structured types. LOG-3287 - [release-5.5] Increase value of cluster-logging PriorityClass to move closer to system-cluster-critical value LOG-3301 - [release-5.5][ClusterLogging] elasticsearchStatus in ClusterLogging instance CR is not updated when Elasticsearch status is changed LOG-3305 - [release-5.5] Kibana Authentication Exception cookie issue LOG-3310 - [release-5.5] Can't choose correct CA ConfigMap Key when creating lokistack in Console LOG-3332 - [release-5.5] Reconcile error on controller when creating LokiStack with tls config 6. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Important: Red Hat OpenShift Data Foundation 4.13.0 security and bug fix update Advisory ID: RHSA-2023:3742-02 Product: Red Hat OpenShift Data Foundation Advisory URL: https://access.redhat.com/errata/RHSA-2023:3742 Issue date: 2023-06-21 CVE Names: CVE-2015-20107 CVE-2018-25032 CVE-2020-10735 CVE-2020-16250 CVE-2020-16251 CVE-2020-17049 CVE-2021-3765 CVE-2021-3807 CVE-2021-4231 CVE-2021-4235 CVE-2021-4238 CVE-2021-28861 CVE-2021-43519 CVE-2021-43998 CVE-2021-44531 CVE-2021-44532 CVE-2021-44533 CVE-2021-44964 CVE-2021-46828 CVE-2021-46848 CVE-2022-0670 CVE-2022-1271 CVE-2022-1304 CVE-2022-1348 CVE-2022-1586 CVE-2022-1587 CVE-2022-2309 CVE-2022-2509 CVE-2022-2795 CVE-2022-2879 CVE-2022-2880 CVE-2022-3094 CVE-2022-3358 CVE-2022-3515 CVE-2022-3517 CVE-2022-3715 CVE-2022-3736 CVE-2022-3821 CVE-2022-3924 CVE-2022-4415 CVE-2022-21824 CVE-2022-23540 CVE-2022-23541 CVE-2022-24903 CVE-2022-26280 CVE-2022-27664 CVE-2022-28805 CVE-2022-29154 CVE-2022-30635 CVE-2022-31129 CVE-2022-32189 CVE-2022-32190 CVE-2022-33099 CVE-2022-34903 CVE-2022-35737 CVE-2022-36227 CVE-2022-37434 CVE-2022-38149 CVE-2022-38900 CVE-2022-40023 CVE-2022-40303 CVE-2022-40304 CVE-2022-40897 CVE-2022-41316 CVE-2022-41715 CVE-2022-41717 CVE-2022-41723 CVE-2022-41724 CVE-2022-41725 CVE-2022-42010 CVE-2022-42011 CVE-2022-42012 CVE-2022-42898 CVE-2022-42919 CVE-2022-43680 CVE-2022-45061 CVE-2022-45873 CVE-2022-46175 CVE-2022-47024 CVE-2022-47629 CVE-2022-48303 CVE-2022-48337 CVE-2022-48338 CVE-2022-48339 CVE-2023-0361 CVE-2023-0620 CVE-2023-0665 CVE-2023-2491 CVE-2023-22809 CVE-2023-24329 CVE-2023-24999 CVE-2023-25000 CVE-2023-25136 ===================================================================== 1. Summary: Updated images that include numerous enhancements, security, and bug fixes are now available in Red Hat Container Registry for Red Hat OpenShift Data Foundation 4.13.0 on Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: Red Hat OpenShift Data Foundation is software-defined storage integrated with and optimized for the Red Hat OpenShift Container Platform. Red Hat OpenShift Data Foundation is a highly scalable, production-grade persistent storage for stateful applications running in the Red Hat OpenShift Container Platform. In addition to persistent storage, Red Hat OpenShift Data Foundation provisions a multicloud data management service with an S3 compatible API. Security Fix(es): * goutils: RandomAlphaNumeric and CryptoRandomAlphaNumeric are not as random as they should be (CVE-2021-4238) * decode-uri-component: improper input validation resulting in DoS (CVE-2022-38900) * vault: Hashicorp Vault AWS IAM Integration Authentication Bypass (CVE-2020-16250) * vault: GCP Auth Method Allows Authentication Bypass (CVE-2020-16251) * nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes (CVE-2021-3807) * go-yaml: Denial of Service in go-yaml (CVE-2021-4235) * vault: incorrect policy enforcement (CVE-2021-43998) * nodejs: Improper handling of URI Subject Alternative Names (CVE-2021-44531) * nodejs: Certificate Verification Bypass via String Injection (CVE-2021-44532) * nodejs: Incorrect handling of certificate subject and issuer fields (CVE-2021-44533) * golang: archive/tar: unbounded memory consumption when reading headers (CVE-2022-2879) * golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters (CVE-2022-2880) * nodejs-minimatch: ReDoS via the braceExpand function (CVE-2022-3517) * jsonwebtoken: Insecure default algorithm in jwt.verify() could lead to signature validation bypass (CVE-2022-23540) * jsonwebtoken: Insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC (CVE-2022-23541) * golang: net/http: handle server errors after sending GOAWAY (CVE-2022-27664) * golang: encoding/gob: stack exhaustion in Decoder.Decode (CVE-2022-30635) * golang: net/url: JoinPath does not strip relative path components in all circumstances (CVE-2022-32190) * consul: Consul Template May Expose Vault Secrets When Processing Invalid Input (CVE-2022-38149) * vault: insufficient certificate revocation list checking (CVE-2022-41316) * golang: regexp/syntax: limit memory used by parsing regexps (CVE-2022-41715) * golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests (CVE-2022-41717) * net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding (CVE-2022-41723) * golang: crypto/tls: large handshake records may cause panics (CVE-2022-41724) * golang: net/http, mime/multipart: denial of service from excessive resource consumption (CVE-2022-41725) * json5: Prototype Pollution in JSON5 via Parse Method (CVE-2022-46175) * vault: Vault’s Microsoft SQL Database Storage Backend Vulnerable to SQL Injection Via Configuration File (CVE-2023-0620) * hashicorp/vault: Vault’s PKI Issuer Endpoint Did Not Correctly Authorize Access to Issuer Metadata (CVE-2023-0665) * Hashicorp/vault: Vault Fails to Verify if Approle SecretID Belongs to Role During a Destroy Operation (CVE-2023-24999) * hashicorp/vault: Cache-Timing Attacks During Seal and Unseal Operations (CVE-2023-25000) * validator: Inefficient Regular Expression Complexity in Validator.js (CVE-2021-3765) * nodejs: Prototype pollution via console.table properties (CVE-2022-21824) * golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service (CVE-2022-32189) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 3. Solution: These updated images include numerous enhancements and bug fixes. Space precludes documenting all of these changes in this advisory. Users are directed to the Red Hat OpenShift Data Foundation Release Notes for information on the most significant of these changes: https://access.redhat.com/documentation/en-us/red_hat_openshift_data_foundation/4.13/html/4.13_release_notes/index All Red Hat OpenShift Data Foundation users are advised to upgrade to these updated images that provide numerous bug fixes and enhancements. 4. Bugs fixed (https://bugzilla.redhat.com/): 1786696 - UI->Dashboards->Overview->Alerts shows MON components are at different versions, though they are NOT 1855339 - Wrong version of ocs-storagecluster 1943137 - [Tracker for BZ #1945618] rbd: Storage is not reclaimed after persistentvolumeclaim and job that utilized it are deleted 1944687 - [RFE] KMS server connection lost alert 1989088 - [4.8][Multus] UX experience issues and enhancements 2005040 - Uninstallation of ODF StorageSystem via OCP Console fails, gets stuck in Terminating state 2005830 - [DR] DRPolicy resource should not be editable after creation 2007557 - CVE-2021-3807 nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes 2028193 - CVE-2021-43998 vault: incorrect policy enforcement 2040839 - CVE-2021-44531 nodejs: Improper handling of URI Subject Alternative Names 2040846 - CVE-2021-44532 nodejs: Certificate Verification Bypass via String Injection 2040856 - CVE-2021-44533 nodejs: Incorrect handling of certificate subject and issuer fields 2040862 - CVE-2022-21824 nodejs: Prototype pollution via console.table properties 2042914 - [Tracker for BZ #2013109] [UI] Refreshing web console from the pop-up is taking to Install Operator page. 2052252 - CVE-2021-44531 CVE-2021-44532 CVE-2021-44533 CVE-2022-21824 [CVE] nodejs: various flaws [openshift-data-foundation-4] 2101497 - ceph_mon_metadata metrics are not collected properly 2101916 - must-gather is not collecting ceph logs or coredumps 2102304 - [GSS] Remove the entry of removed node from Storagecluster under Node Topology 2104148 - route ocs-storagecluster-cephobjectstore misconfigured to use http and https on same http route in haproxy.config 2107388 - CVE-2022-30635 golang: encoding/gob: stack exhaustion in Decoder.Decode 2113814 - CVE-2022-32189 golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short, potentially allowing a denial of service 2115020 - [RDR] Sync schedule is not removed from mirrorpeer yaml after DR Policy is deleted 2115616 - [GSS] failing to change ownership of the NFS based PVC for PostgreSQL pod by using kube_pv_chown utility 2119551 - CVE-2022-38149 consul: Consul Template May Expose Vault Secrets When Processing Invalid Input 2120098 - [RDR] Even before an action gets fully completed, PeerReady and Available are reported as True in the DRPC yaml 2120944 - Large Omap objects found in pool 'ocs-storagecluster-cephfilesystem-metadata' 2124668 - CVE-2022-32190 golang: net/url: JoinPath does not strip relative path components in all circumstances 2124669 - CVE-2022-27664 golang: net/http: handle server errors after sending GOAWAY 2126299 - CVE-2021-3765 validator: Inefficient Regular Expression Complexity in Validator.js 2132867 - CVE-2022-2879 golang: archive/tar: unbounded memory consumption when reading headers 2132868 - CVE-2022-2880 golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters 2132872 - CVE-2022-41715 golang: regexp/syntax: limit memory used by parsing regexps 2134609 - CVE-2022-3517 nodejs-minimatch: ReDoS via the braceExpand function 2135339 - CVE-2022-41316 vault: insufficient certificate revocation list checking 2139037 - [cee/sd]Unable to access s3 via RGW route ocs-storagecluster-cephobjectstore 2141095 - [RDR] Storage System page on ACM Hub is visible even when data observability is not enabled 2142651 - RFE: OSDs need ability to bind to a service IP instead of the pod IP to support RBD mirroring in OCP clusters 2142894 - Credentials are ignored when creating a Backing/Namespace store after prompted to enter a name for the resource 2142941 - RGW cloud Transition. HEAD/GET requests to MCG are failing with 403 error 2143944 - [GSS] unknown parameter name "FORCE_OSD_REMOVAL" 2144256 - [RDR] [UI] DR Application applied to a single DRPolicy starts showing connected to multiple policies due to console flickering 2151903 - [MCG] Azure bs/ns creation fails with target bucket does not exists 2152143 - [Noobaa Clone] Secrets are used in env variables 2154250 - NooBaa Bucket Quota alerts are not working 2155507 - RBD reclaimspace job fails when the PVC is not mounted 2155743 - ODF Dashboard fails to load 2156067 - [RDR] [UI] When Peer Ready isn't True, UI doesn't reset the error message even when no subscription group is selected 2156069 - [UI] Instances of OCS can be seen on BlockPool action modals 2156263 - CVE-2022-46175 json5: Prototype Pollution in JSON5 via Parse Method 2156519 - 4.13: odf-csi-addons-operator failed with OwnNamespace InstallModeType not supported 2156727 - CVE-2021-4235 go-yaml: Denial of Service in go-yaml 2156729 - CVE-2021-4238 goutils: RandomAlphaNumeric and CryptoRandomAlphaNumeric are not as random as they should be 2157876 - [OCP Tracker] [UI] When OCP and ODF are upgraded, refresh web console pop-up doesn't appear after ODF upgrade resulting in dashboard crash 2158922 - Namespace store fails to get created via the ODF UI 2159676 - rbd-mirror logs are rotated very frequently, increase the default maxlogsize for rbd-mirror 2161274 - CVE-2022-41717 golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests 2161879 - logging issue when deleting webhook resources 2161937 - collect kernel and journal logs from all worker nodes 2162257 - [RDR][CEPHFS] sync/replication is getting stopped for some pvc 2164617 - Unable to expand ocs-storagecluster-ceph-rbd PVCs provisioned in Filesystem mode 2165495 - Placement scheduler is using too much resources 2165504 - Sizer sharing link is broken 2165929 - [RFE] ODF bluewash introduction in 4.12.x 2165938 - ocs-operator CSV is missing disconnected env annotation. 2165984 - [RDR] Replication stopped for images is represented with incorrect color 2166222 - CSV is missing disconnected env annotation and relatedImages spec 2166234 - Application user unable to invoke Failover and Relocate actions 2166869 - Match the version of consoleplugin to odf operator 2167299 - [RFE] ODF bluewash introduction in 4.12.x 2167308 - [mcg-clone] Security and VA issues with ODF operator 2167337 - CVE-2020-16250 vault: Hashicorp Vault AWS IAM Integration Authentication Bypass 2167340 - CVE-2020-16251 vault: GCP Auth Method Allows Authentication Bypass 2167946 - CSV is missing disconnected env annotation and relatedImages spec 2168113 - [Ceph Tracker BZ #2141110] [cee/sd][Bluestore] Newly deployed bluestore OSD's showing high fragmentation score 2168635 - fix redirect link to operator details page (OCS dashboard) 2168840 - [Fusion-aaS][ODF 4.13]Within 'prometheus-ceph-rules' the namespace for 'rook-ceph-mgr' jobs should be configurable. 2168849 - Must-gather doesn't collect coredump logs crucial for OSD crash events 2169375 - CVE-2022-23541 jsonwebtoken: Insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC 2169378 - CVE-2022-23540 jsonwebtoken: Insecure default algorithm in jwt.verify() could lead to signature validation bypass 2169779 - [vSphere]: rook-ceph-mon-* pvc are in pending state 2170644 - CVE-2022-38900 decode-uri-component: improper input validation resulting in DoS 2170673 - [RDR] Different replication states of PVC images aren't correctly distinguished and representated on UI 2172089 - [Tracker for Ceph BZ 2174461] rook-ceph-nfs pod is stuck at status 'CreateContainerError' after enabling NFS in ODF 4.13 2172365 - [csi-addons] odf-csi-addons-operator oomkilled with fresh installation 4.12 2172521 - No OSD pods are created for 4.13 LSO deployment 2173161 - ODF-console can not start when you disable IPv6 on Node with kernel parameter. 2173528 - Creation of OCS operator tag automatically for verified commits 2173534 - When on StorageSystem details click on History back btn it shows blank body 2173926 - [RFE] Include changes in MCG for new Ceph RGW transition headers 2175612 - noobaa-core-0 crashing and storagecluster not getting to ready state during ODF deployment with FIPS enabled in 4.13cluster 2175685 - RGW OBC creation via the UI is blocked by "Address form errors to proceed" error 2175714 - UI fix- capitalization 2175867 - Rook sets cephfs kernel mount options even when mon is using v1 port 2176080 - odf must-gather should collect output of oc get hpa -n openshift-storage 2176456 - [RDR] ramen-hub-operator and ramen-dr-cluster-operator is going into CLBO post deployment 2176739 - [UI] CSI Addons operator icon is broken 2176776 - Enable save options only when the protected apps has labels for manage DRPolicy 2176798 - [IBM Z ] Multi Cluster Orchestrator operator is not available in the Operator Hub 2176809 - [IBM Z ] DR operator is not available in the Operator Hub 2177134 - Next button if disabled for storage system deployment flow for IBM Ceph Storage security and network step when there is no OCS installed already 2177221 - Enable DR dashboard only when ACM observability is enabled 2177325 - Noobaa-db pod is taking longer time to start up in ODF 4.13 2177695 - DR dashbaord showing incorrect RPO data 2177844 - CVE-2023-24999 Hashicorp/vault: Vault Fails to Verify if Approle SecretID Belongs to Role During a Destroy Operation 2178033 - node topology warnings tab doesn't show pod warnings 2178358 - CVE-2022-41723 net/http, golang.org/x/net/http2: avoid quadratic complexity in HPACK decoding 2178488 - CVE-2022-41725 golang: net/http, mime/multipart: denial of service from excessive resource consumption 2178492 - CVE-2022-41724 golang: crypto/tls: large handshake records may cause panics 2178588 - No rack names on ODF Topology 2178619 - odf-operator failing to resolve its sub-dependencies leaving the ocs-consumer/provider addon in a failed and halted state 2178682 - [GSS] Add the valid AWS GovCloud regions in OCS UI. 2179133 - [UI] A blank page appears while selecting Storage Pool for creating Encrypted Storage Class 2179337 - Invalid storage system href link on the ODF multicluster dashboard 2179403 - (4.13) Mons are failing to start when msgr2 is required with RHCS 6.1 2179846 - [IBM Z] In RHCS external mode Cephobjectstore creation fails as it reports that the "object store name cannot be longer than 38 characters" 2179860 - [MCG] Bucket replication with deletion sync isn't complete 2179976 - [ODF 4.13] Missing the status-reporter binary causing pods "report-status-to-provider" remain in CreateContainerError on ODF to ODF cluster on ROSA 2179981 - ODF Topology search bar mistakes to find searched node/pod 2179997 - Topology. Exit full screen does not appear in Full screen mode 2180211 - StorageCluster stuck in progressing state for Thales KMS deployment 2180397 - Last sync time is missing on application set's disaster recovery status popover 2180440 - odf-monitoring-tool. YAML file misjudged as corrupted 2180921 - Deployment with external cluster in ODF 4.13 with unable to use cephfs as backing store for image_registry 2181112 - [RDR] [UI] Hide disable DR functionality as it would be un-tested in 4.13 2181133 - CI: backport E2E job improvements 2181446 - [KMS][UI] PVC provisioning failed in case of vault kubernetes authentication is configured. 2181535 - [GSS] Object storage in degraded state 2181551 - Build: move to 'dependencies' the ones required for running a build 2181832 - Create OBC via UI, placeholder on StorageClass dropped 2181949 - [ODF Tracker] [RFE] Catch MDS damage to the dentry's first snapid 2182041 - OCS-Operator expects NooBaa CRDs to be present on the cluster when installed directly without ODF Operator 2182296 - [Fusion-aaS][ODF 4.13]must-gather does not collect relevant logs when storage cluster is not in openshift-storage namespace 2182375 - [MDR] Not able to fence DR clusters 2182644 - [IBM Z] MDR policy creation fails unless the ocs-operator pod is restarted on the managed clusters 2182664 - Topology view should hide the sidebar when changing levels 2182703 - [RDR] After upgrading from 4.12.2 to 4.13.0 version.odf.openshift.io cr is not getting updated with latest ODF version 2182972 - CVE-2023-25000 hashicorp/vault: Cache-Timing Attacks During Seal and Unseal Operations 2182981 - CVE-2023-0665 hashicorp/vault: Vault?s PKI Issuer Endpoint Did Not Correctly Authorize Access to Issuer Metadata 2183155 - failed to mount the the cephfs subvolume as subvolumegroup name is not sent in the GetStorageConfig RPC call 2183196 - [Fusion-aaS] Collect Must-gather logs from the managed-fusion agent namesapce 2183266 - [Fusion aaS Rook ODF 4.13]] Rook-ceph-operator pod should allow OBC CRDs to be optional instead of causing a crash when not present 2183457 - [RDR] when running any ceph cmd we see error 2023-03-31T08:25:31.844+0000 7f8deaffd640 -1 monclient(hunting): handle_auth_bad_method server allowed_methods [2] but i only support [2,1] 2183478 - [MDR][UI] Cannot relocate subscription based apps, Appset based apps are possible to relocate 2183520 - [Fusion-aaS] csi-cephfs-plugin pods are not created after installing ocs-client-operator 2184068 - [Fusion-aaS] Failed to mount CephFS volumes while creating pods 2184605 - [ODF 4.13][Fusion-aaS] OpenShift Data Foundation Client operator is listed in OperatorHub and installable from UI 2184663 - CVE-2023-0620 vault: Vault?s Microsoft SQL Database Storage Backend Vulnerable to SQL Injection Via Configuration File 2184769 - {Fusion-aaS][ODF 4.13]Remove storageclassclaim cr and create new cr storageclass request cr 2184773 - multicluster-orchestrator should not reset spec.network.multiClusterService.Enabled field added by user 2184892 - Don't pass encryption options to ceph cluster in odf external mode to provider/consumer cluster 2184984 - Topology Sidebar alerts panel: alerts accordion does not toggle when clicking on alert severity text 2185164 - [KMS][VAULT] PVC provisioning is failing when the Vault (HCP) Kubernetes authentication is set. 2185188 - Fix storagecluster watch request for OCSInitialization 2185757 - add NFS dashboard 2185871 - [MDR][ACM-Tracker] Deleting an Appset based application does not delete its placement 2186171 - [GSS] "disableLoadBalancerService: true" config is reconciled after modifying the number of NooBaa endpoints 2186225 - [RDR] when running any ceph cmd we see error 2023-03-31T08:25:31.844+0000 7f8deaffd640 -1 monclient(hunting): handle_auth_bad_method server allowed_methods [2] but i only support [2,1] 2186475 - handle different network connection spec & Pass appropriate options for all the cases of Network Spec 2186752 - [translations] add translations for 4.13 2187251 - sync ocs and odf with the latest rook 2187296 - [MCG] Can't opt out of deletions sync once log-based replication with deletions sync is set 2187736 - [RDR] Replication history graph is showing incorrect value 2187952 - When cluster controller is cancelled frequently, multiple simultaneous controllers cause issues since need to wait for shutdown before continuing new controller 2187969 - [ODFMS-Migration ] [OCS Client Operator] csi-rbdplugin stuck in ImagePullBackOff on consumer clusters after Migration 2187986 - [MDR] ramen-dr-cluster-operator pod is in CLBO after assigning dr policy to an appset based app 2188053 - ocs-metrics-exporter cannot list/watch StorageCluster, StorageClass, CephBlockPool and other resources 2188238 - [RDR] Avoid using the terminologies "SLA" in DR dashbaord 2188303 - [RDR] Maintenance mode is not enabled after initiating failover action 2188427 - [External mode upgrade]: Upgrade from 4.12 -> 4.13 external mode is failing because rook-ceph-operator is not reaching clean state 2188666 - wrong label in new storageclassrequest cr 2189483 - After upgrade noobaa-db-pg-0 pod using old image in one of container 2189929 - [RDR/MDR] [UI] Dashboard fon size are very uneven 2189982 - [RDR] ocs_rbd_client_blocklisted datapoints and the corresponding alert is not getting generated 2189984 - [KMS][VAULT] Storage cluster remains in 'Progressing' state during deployment with storage class encryption, despite all pods being up and running. 2190129 - OCS Provider Server logs are incorrect 2190241 - nfs metric details are unavailable and server health is displaying as "Degraded" under Network file system tab in UI 2192088 - [IBM P] rbd_default_map_options value not set to ms_mode=secure in in-transit encryption enabled ODF cluster 2192670 - Details tab for nodes inside Topology throws "Something went wrong" on IBM Power platform 2192824 - [4.13] Fix Multisite in external cluster 2192875 - Enable ceph-exporter in rook 2193114 - MCG replication is failing due to OC binary incompatible on Power platform 2193220 - [Stretch cluster] CephCluster is updated frequently due to changing ordering of zones 2196176 - MULTUS UI, There is no option to change the multus configuration after we configure the params 2196236 - [RDR] With ACM 2.8 User is not able to apply Drpolicy to subscription workload 2196298 - [RDR] DRPolicy doesn't show connected application when subscription based workloads are deployed via CLI 2203795 - ODF Monitoring is missing some of the ceph_* metric values 2208029 - nfs server health is always displaying as "Degraded" under Network file system tab in UI. 2208079 - rbd mirror daemon is commonly not upgraded 2208269 - [RHCS Tracker] After add capacity the rebalance does not complete, and we see 2 PGs in active+clean+scrubbing and 1 active+clean+scrubbing+deep 2208558 - [MDR] ramen-dr-cluster-operator pod crashes during failover 2208962 - [UI] ODF Topology. Degraded cluster don't show red canvas on cluster level 2209364 - ODF dashboard crashes when OCP and ODF are upgraded 2209643 - Multus, Cephobjectstore stuck on Progressing state because " failed to create or retrieve rgw admin ops user" 2209695 - When collecting Must-gather logs shows /usr/bin/gather_ceph_resources: line 341: jq: command not found 2210964 - [UI][MDR] After hub recovery in overview tab of data policies Application set apps count is not showing 2211334 - The replication history graph is very unclear 2211343 - [MCG-Only]: upgrade failed from 4.12 to 4.13 due to missing CSI_ENABLE_READ_AFFINITY in ConfigMap openshift-storage/ocs-operator-config 2211704 - Multipart uploads fail to a Azure namespace bucket when user MD is sent as part of the upload 5. References: https://access.redhat.com/security/cve/CVE-2015-20107 https://access.redhat.com/security/cve/CVE-2018-25032 https://access.redhat.com/security/cve/CVE-2020-10735 https://access.redhat.com/security/cve/CVE-2020-16250 https://access.redhat.com/security/cve/CVE-2020-16251 https://access.redhat.com/security/cve/CVE-2020-17049 https://access.redhat.com/security/cve/CVE-2021-3765 https://access.redhat.com/security/cve/CVE-2021-3807 https://access.redhat.com/security/cve/CVE-2021-4231 https://access.redhat.com/security/cve/CVE-2021-4235 https://access.redhat.com/security/cve/CVE-2021-4238 https://access.redhat.com/security/cve/CVE-2021-28861 https://access.redhat.com/security/cve/CVE-2021-43519 https://access.redhat.com/security/cve/CVE-2021-43998 https://access.redhat.com/security/cve/CVE-2021-44531 https://access.redhat.com/security/cve/CVE-2021-44532 https://access.redhat.com/security/cve/CVE-2021-44533 https://access.redhat.com/security/cve/CVE-2021-44964 https://access.redhat.com/security/cve/CVE-2021-46828 https://access.redhat.com/security/cve/CVE-2021-46848 https://access.redhat.com/security/cve/CVE-2022-0670 https://access.redhat.com/security/cve/CVE-2022-1271 https://access.redhat.com/security/cve/CVE-2022-1304 https://access.redhat.com/security/cve/CVE-2022-1348 https://access.redhat.com/security/cve/CVE-2022-1586 https://access.redhat.com/security/cve/CVE-2022-1587 https://access.redhat.com/security/cve/CVE-2022-2309 https://access.redhat.com/security/cve/CVE-2022-2509 https://access.redhat.com/security/cve/CVE-2022-2795 https://access.redhat.com/security/cve/CVE-2022-2879 https://access.redhat.com/security/cve/CVE-2022-2880 https://access.redhat.com/security/cve/CVE-2022-3094 https://access.redhat.com/security/cve/CVE-2022-3358 https://access.redhat.com/security/cve/CVE-2022-3515 https://access.redhat.com/security/cve/CVE-2022-3517 https://access.redhat.com/security/cve/CVE-2022-3715 https://access.redhat.com/security/cve/CVE-2022-3736 https://access.redhat.com/security/cve/CVE-2022-3821 https://access.redhat.com/security/cve/CVE-2022-3924 https://access.redhat.com/security/cve/CVE-2022-4415 https://access.redhat.com/security/cve/CVE-2022-21824 https://access.redhat.com/security/cve/CVE-2022-23540 https://access.redhat.com/security/cve/CVE-2022-23541 https://access.redhat.com/security/cve/CVE-2022-24903 https://access.redhat.com/security/cve/CVE-2022-26280 https://access.redhat.com/security/cve/CVE-2022-27664 https://access.redhat.com/security/cve/CVE-2022-28805 https://access.redhat.com/security/cve/CVE-2022-29154 https://access.redhat.com/security/cve/CVE-2022-30635 https://access.redhat.com/security/cve/CVE-2022-31129 https://access.redhat.com/security/cve/CVE-2022-32189 https://access.redhat.com/security/cve/CVE-2022-32190 https://access.redhat.com/security/cve/CVE-2022-33099 https://access.redhat.com/security/cve/CVE-2022-34903 https://access.redhat.com/security/cve/CVE-2022-35737 https://access.redhat.com/security/cve/CVE-2022-36227 https://access.redhat.com/security/cve/CVE-2022-37434 https://access.redhat.com/security/cve/CVE-2022-38149 https://access.redhat.com/security/cve/CVE-2022-38900 https://access.redhat.com/security/cve/CVE-2022-40023 https://access.redhat.com/security/cve/CVE-2022-40303 https://access.redhat.com/security/cve/CVE-2022-40304 https://access.redhat.com/security/cve/CVE-2022-40897 https://access.redhat.com/security/cve/CVE-2022-41316 https://access.redhat.com/security/cve/CVE-2022-41715 https://access.redhat.com/security/cve/CVE-2022-41717 https://access.redhat.com/security/cve/CVE-2022-41723 https://access.redhat.com/security/cve/CVE-2022-41724 https://access.redhat.com/security/cve/CVE-2022-41725 https://access.redhat.com/security/cve/CVE-2022-42010 https://access.redhat.com/security/cve/CVE-2022-42011 https://access.redhat.com/security/cve/CVE-2022-42012 https://access.redhat.com/security/cve/CVE-2022-42898 https://access.redhat.com/security/cve/CVE-2022-42919 https://access.redhat.com/security/cve/CVE-2022-43680 https://access.redhat.com/security/cve/CVE-2022-45061 https://access.redhat.com/security/cve/CVE-2022-45873 https://access.redhat.com/security/cve/CVE-2022-46175 https://access.redhat.com/security/cve/CVE-2022-47024 https://access.redhat.com/security/cve/CVE-2022-47629 https://access.redhat.com/security/cve/CVE-2022-48303 https://access.redhat.com/security/cve/CVE-2022-48337 https://access.redhat.com/security/cve/CVE-2022-48338 https://access.redhat.com/security/cve/CVE-2022-48339 https://access.redhat.com/security/cve/CVE-2023-0361 https://access.redhat.com/security/cve/CVE-2023-0620 https://access.redhat.com/security/cve/CVE-2023-0665 https://access.redhat.com/security/cve/CVE-2023-2491 https://access.redhat.com/security/cve/CVE-2023-22809 https://access.redhat.com/security/cve/CVE-2023-24329 https://access.redhat.com/security/cve/CVE-2023-24999 https://access.redhat.com/security/cve/CVE-2023-25000 https://access.redhat.com/security/cve/CVE-2023-25136 https://access.redhat.com/security/updates/classification/#important https://access.redhat.com/documentation/en-us/red_hat_openshift_data_foundation/4.13/html/4.13_release_notes/index 6. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2023 Red Hat, Inc

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

remote

TYPE

overflow, code execution

EXPLOIT AVAILABILITY

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

Red Hat

SOURCES

LAST UPDATE DATE

2025-09-26T22:36:38.226000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE