RHSA-2022:0855: Red Hat Security Advisory: OpenShift sandboxed containers 1.2.0 security update

Skip to navigation Skip to main content

Utilities

• Subscriptions
• Downloads
• Containers
• Support Cases

Infrastructure and Management

• Red Hat Enterprise Linux
• Red Hat Virtualization
• Red Hat Identity Management
• Red Hat Directory Server
• Red Hat Certificate System
• Red Hat Satellite
• Red Hat Subscription Management
• Red Hat Update Infrastructure
• Red Hat Insights
• Red Hat Ansible Automation Platform

Cloud Computing

• Red Hat OpenShift
• Red Hat CloudForms
• Red Hat OpenStack Platform
• Red Hat OpenShift Container Platform
• Red Hat OpenShift Data Science
• Red Hat OpenShift Online
• Red Hat OpenShift Dedicated
• Red Hat Advanced Cluster Security for Kubernetes
• Red Hat Advanced Cluster Management for Kubernetes
• Red Hat Quay
• Red Hat CodeReady Workspaces
• Red Hat OpenShift Service on AWS

Storage

• Red Hat Gluster Storage
• Red Hat Hyperconverged Infrastructure
• Red Hat Ceph Storage
• Red Hat OpenShift Data Foundation

Runtimes

• Red Hat Runtimes
• Red Hat JBoss Enterprise Application Platform
• Red Hat Data Grid
• Red Hat JBoss Web Server
• Red Hat Single Sign On
• Red Hat support for Spring Boot
• Red Hat build of Node.js
• Red Hat build of Thorntail
• Red Hat build of Eclipse Vert.x
• Red Hat build of OpenJDK
• Red Hat build of Quarkus
• Red Hat CodeReady Studio

Integration and Automation

• Red Hat Process Automation
• Red Hat Process Automation Manager
• Red Hat Decision Manager

All Products

Issued:

2022-03-14

Updated:

2022-03-14

RHSA-2022:0855 - Security Advisory

• Overview
• Updated Packages

Synopsis

Moderate: OpenShift sandboxed containers 1.2.0 security update

Type/Severity

Security Advisory: Moderate

Topic

OpenShift sandboxed containers 1.2.0 is now available.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE links in the References section.

Description

OpenShift sandboxed containers support for OpenShift Container Platform
provides users with built-in support for running Kata containers as an
additional, optional runtime.

This advisory contains an update for OpenShift sandboxed containers with enhancements, security updates, and bug fixes.

Space precludes documenting all of the updates to OpenShift sandboxed
containers in this advisory. See the following Release Notes documentation,
which will be updated shortly for this release, for details about these
changes:

https://docs.openshift.com/container-platform/4.10/sandboxed_containers/sandboxed-containers-release-notes.html

Security Fixes:

• net/http: limit growth of header canonicalization cache (CVE-2021-44716)
• net/http/httputil: panic due to racy read of persistConn after handler panic (CVE-2021-36221)

For more details about the security issues, including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
pages listed in the References section.

Affected Products

• Red Hat OpenShift Container Platform 4.10 for RHEL 8 x86_64

Fixes

• BZ - 1995656 - CVE-2021-36221 golang: net/http/httputil: panic due to racy read of persistConn after handler panic
• BZ - 2030801 - CVE-2021-44716 golang: net/http: limit growth of header canonicalization cache
• KATA-1015 - 1.2: unused sourceImage field in KataConfig is confusing
• KATA-1019 - 1.2: annotations state Operator is only supported on OCP 4.8
• KATA-1027 - Newer kata-containers shimv2 (from kata-2.2.0 onwards) doesn’t work with OCP.
• KATA-1118 - Attempt to uninstall while installation is in progress blocks
• KATA-1134 - Metrics doesn’t work with the latest runtime cgroups improvements and simplifications
• KATA-1183 - security warning when creating daemonset for kata-monitor
• KATA-1184 - MachineConfigPool kata-oc is not removed with KataConfig CRD is deleted
• KATA-1189 - pods for kata-monitor daemonset don’t start: SCC issues
• KATA-1190 - Operator not reconciling when node labels are changed
• KATA-1195 - Error: CreateContainer failed: Permission denied (os error 13): unknown
• KATA-1205 - openshift-sandboxed-containers-operator namespace not labelled for kata metrics
• KATA-1219 - kata-monitor will forget about a kata pod if an error happens while retrieving the metrics
• KATA-1222 - daemonset creation fails with reconciler error
• KATA-1224 - wrong channels and default version in internal build
• KATA-1225 - upgrade from 1.1.0 to 1.2.0 failed
• KATA-1247 - kataconfig can’t be applied due to syntax error
• KATA-1288 - changes to spec.kataMonitorImage are not reconciled
• KATA-1334 - Unable to loop mount file based image inside Kata container
• KATA-1340 - runtime installation shows no progress after creating kataconfig
• KATA-553 - Worker node is not being created when scaling up a cluster with the Kata operator installed
• KATA-588 - kata 2.0: stop a container spam crio logs continously
• KATA-817 - There are no logs coming from kata-containers agent
• KATA-1249 - use official pullspec for metrics daemonset as default in kataconfig CRD
• KATA-1383 - fix RHSA-2022:0658 (cyrus-sasl)

Red Hat OpenShift Container Platform 4.10 for RHEL 8

SRPM

x86_64

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.