First published: Wed Sep 01 2021
Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container Platform 4.7.28. See the following advisory for the RPM packages for this release:

https://access.redhat.com/errata/RHBA-2021:3263

Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation for details about these changes:

https://docs.openshift.com/container-platform/4.7/release_notes/ocp-4-7-release-notes.html

Security Fix(es):

* gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation (CVE-2021-3121)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

* Machine Config Operator degrades during cluster update with failed to convert Ignition config spec v2 to v3 (BZ#1956462)
* OCP IPI Publish Internal - GCP: Load Balancer service with External Traffic Policy as Local is not working (BZ#1971669)
* [4.7] Unable to attach Vsphere volume shows the error "failed to get canonical path" (BZ#1973766)
* oc logs doesn't work with pipeline builds (BZ#1974264)
* "provisioned registration errors" cannot be reported (BZ#1976924)
* AWS Elastic IP permissions are incorrectly required (BZ#1981553)
* Memory consumption (container_memory_rss) steadily growing for /system.slice/kubelet.service when FIPS enabled [ocp 4.7] (BZ#1981580)
* Problematic Deployment creates infinite number Replicasets causing etcd to reach quota limit (BZ#1981775)
* Size of the hostname was preventing proper DNS resolution of the worker node names (BZ#1983695)
* (release-4.7) Insights status card shows nothing when 0 issues found (BZ#1986724)
* drop-icmp pod blocks direct SSH access to cluster nodes (BZ#1988426)
* Editing a Deployment drops annotations (BZ#1989642)
* [Kuryr][4.7] Duplicated egress rule for service network in knp object (BZ#1990175)
* Update failed - ovn-nbctl: duplicate nexthop for the same ECMP route (BZ#1991445)
* Unable to install a zVM hosted OCP 4.7.24 on Z Cluster based on new RHCOS 47 RHEL 8.4 based build (BZ#1992240)
* alerts: SystemMemoryExceedsReservation triggers too quickly (BZ#1992687)
* failed to start cri-o service due to /usr/libexec/crio/conmon is missing (BZ#1993386)
* Thanos build failure: vendor/ ignored (BZ#1994123)
* Ipv6 IP addresses are not accepted for whitelisting (BZ#1994645)
* upgrade from 4.6 to 4.7 to 4.8 with mcp worker "paused=true", crio report "panic: close of closed channel" which lead to a master Node go into Restart loop (BZ#1994729)
* linuxptp-daemon crash on 4.8 (BZ#1995579)
* long living clusters may fail to upgrade because of an invalid conmon path (BZ#1995810)

For more details about the security issue(s), refer to the CVE page(s) listed in the References section.

You may download the oc tool and use it to inspect release image metadata as follows:

(For x86_64 architecture)

    $ oc adm release info quay.io/openshift-release-dev/ocp-release:4.7.28-x86_64

The image digest is sha256:b3f38d58057a12b0477bf28971390db3e3391ce1af8ac06e35d0aa9e8d8e5966

(For s390x architecture)

    $ oc adm release info quay.io/openshift-release-dev/ocp-release:4.7.28-s390x

The image digest is sha256:30c2011f6d84b16960b981a07558f96a55e59a281449d25c5ccc778aaeb2f970

(For ppc64le architecture)

    $ oc adm release info quay.io/openshift-release-dev/ocp-release:4.7.28-ppc64le

The image digest is sha256:52ebf0db5a36434357c24a64863025730d2159a94997333f15fbe1444fa88f4f

Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.7/updating/updating-cluster-between-minor.html#understanding-upgrade-channels_updating-cluster-between-minor

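
An added example, not part of the advisory or of Red Hat's tooling: a shell check that the digest reported by `oc adm release info` equals the digest this advisory publishes for the architecture, plus a pull spec pinned to that digest. The function names and the sample output are constructed, and the `Digest:` line layout of the command's text output is an assumption.

```shell
#!/usr/bin/env bash
# Digests as published in the advisory for 4.7.28, keyed by architecture.
expected_digest() {
  case "$1" in
    x86_64)  echo "sha256:b3f38d58057a12b0477bf28971390db3e3391ce1af8ac06e35d0aa9e8d8e5966" ;;
    s390x)   echo "sha256:30c2011f6d84b16960b981a07558f96a55e59a281449d25c5ccc778aaeb2f970" ;;
    ppc64le) echo "sha256:52ebf0db5a36434357c24a64863025730d2159a94997333f15fbe1444fa88f4f" ;;
    *)       return 1 ;;
  esac
}

# Read "oc adm release info" text output on stdin and print its digest.
# Assumption: the output has a line of the form "Digest: sha256:<64 hex chars>".
reported_digest() {
  awk '$1 == "Digest:" && $2 ~ /^sha256:[0-9a-f]+$/ && length($2) == 71 {
         print $2; found = 1; exit }
       END { if (!found) exit 1 }'
}

# Returns 0 on match, 1 on mismatch, 2 if the arch or the digest line is unknown.
verify_release() {
  local arch="$1" want got
  want="$(expected_digest "$arch")" || { echo "unknown arch: $arch" >&2; return 2; }
  got="$(reported_digest)" || { echo "no digest line in input" >&2; return 2; }
  if [ "$got" = "$want" ]; then
    echo "OK $arch $got"
  else
    echo "MISMATCH $arch: advisory=$want reported=$got" >&2
    return 1
  fi
}

# Pull spec pinned by digest, so a re-pointed tag cannot change what is pulled.
pinned_pullspec() {
  local d
  d="$(expected_digest "$1")" || return 2
  echo "quay.io/openshift-release-dev/ocp-release@$d"
}

# Constructed sample of the command's output (not captured from a real cluster).
sample_output() {
  cat <<'EOF'
Name:      4.7.28
Digest:    sha256:b3f38d58057a12b0477bf28971390db3e3391ce1af8ac06e35d0aa9e8d8e5966
EOF
}

# Live use: oc adm release info <pullspec> | verify_release x86_64
sample_output | verify_release x86_64
```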
Affected Software | Affected Version | How to fix |
---|---|---|
Red Hat OpenShift Container Platform for IBM LinuxONE |
The severity of RHSA-2021:3262 is considered important.
To resolve RHSA-2021:3262, apply the latest container images for Red Hat OpenShift Container Platform 4.7.28.
RHSA-2021:3262 affects Red Hat OpenShift Container Platform 4.7.28.
The main purpose of RHSA-2021:3262 is to address vulnerabilities in Red Hat OpenShift Container Platform container images.
RHSA-2021:3262 was released in November 2021.