rhea-2021_3941
Vulnerability from csaf_redhat
Published
2021-10-20 09:58
Modified
2024-09-18 04:08
Summary
Red Hat Enhancement Advisory: OpenShift Sandboxed Containers 1.1.0 update

Notes

Topic
An update to OpenShift sandboxed containers 1.1.0 is now available.
Details
OpenShift sandboxed containers support for OpenShift Container Platform provides users with built-in support for running Kata containers as an additional optional runtime. This advisory contains an update for OpenShift sandboxed containers with bug fixes. Space precludes documenting all of the updates to OpenShift sandboxed containers in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes: https://docs.openshift.com/container-platform/4.9/sandboxed_containers/sandboxed-containers-4.9-release-notes.html
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.


To clipboard 

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Moderate"
    },
    "category": "csaf_vex",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update to OpenShift sandboxed containers 1.1.0 is now available.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "OpenShift sandboxed containers support for OpenShift Container Platform\nprovides users with built-in support for running Kata containers as an\nadditional optional runtime.\n\nThis advisory contains an update for OpenShift sandboxed containers with\nbug fixes.\n\nSpace precludes documenting all of the updates to OpenShift sandboxed\ncontainers in this advisory. See the following Release Notes documentation,\nwhich will be updated shortly for this release, for details about these\nchanges:\n\nhttps://docs.openshift.com/container-platform/4.9/sandboxed_containers/sandboxed-containers-4.9-release-notes.html",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat offerings.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHEA-2021:3941",
        "url": "https://access.redhat.com/errata/RHEA-2021:3941"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://access.redhat.com/security/data/csaf/v2/advisories/2021/rhea-2021_3941.json"
      }
    ],
    "title": "Red Hat Enhancement Advisory: OpenShift Sandboxed Containers 1.1.0 update",
    "tracking": {
      "current_release_date": "2024-09-18T04:08:34+00:00",
      "generator": {
        "date": "2024-09-18T04:08:34+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "3.33.3"
        }
      },
      "id": "RHEA-2021:3941",
      "initial_release_date": "2021-10-20T09:58:26+00:00",
      "revision_history": [
        {
          "date": "2021-10-20T09:58:26+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2021-10-20T09:58:26+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-09-18T04:08:34+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "OpenShift Sandboxed Containers 1.1.0",
                "product": {
                  "name": "OpenShift Sandboxed Containers 1.1.0",
                  "product_id": "8Base-OSE-OSC-1.1.0",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:openshift_sandboxed_containers:1.1.0::el8"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat OpenShift Enterprise"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "openshift-sandboxed-containers-tech-preview/osc-must-gather-rhel8@sha256:379aa6f59d25af015dba6a450851e7efb5b6ec6ac03e07f6325a00ab4cc43e3d_amd64",
                "product": {
                  "name": "openshift-sandboxed-containers-tech-preview/osc-must-gather-rhel8@sha256:379aa6f59d25af015dba6a450851e7efb5b6ec6ac03e07f6325a00ab4cc43e3d_amd64",
                  "product_id": "openshift-sandboxed-containers-tech-preview/osc-must-gather-rhel8@sha256:379aa6f59d25af015dba6a450851e7efb5b6ec6ac03e07f6325a00ab4cc43e3d_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/osc-must-gather-rhel8@sha256:379aa6f59d25af015dba6a450851e7efb5b6ec6ac03e07f6325a00ab4cc43e3d?arch=amd64\u0026repository_url=registry.redhat.io/openshift-sandboxed-containers-tech-preview/osc-must-gather-rhel8\u0026tag=1.1.0-2"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openshift-sandboxed-containers-tech-preview/osc-operator-bundle@sha256:a91cee14f47824ce49759628d06bf4e48276e67dae00b50123d3233d78531720_amd64",
                "product": {
                  "name": "openshift-sandboxed-containers-tech-preview/osc-operator-bundle@sha256:a91cee14f47824ce49759628d06bf4e48276e67dae00b50123d3233d78531720_amd64",
                  "product_id": "openshift-sandboxed-containers-tech-preview/osc-operator-bundle@sha256:a91cee14f47824ce49759628d06bf4e48276e67dae00b50123d3233d78531720_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/osc-operator-bundle@sha256:a91cee14f47824ce49759628d06bf4e48276e67dae00b50123d3233d78531720?arch=amd64\u0026repository_url=registry.redhat.io/openshift-sandboxed-containers-tech-preview/osc-operator-bundle\u0026tag=1.1.0-11"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "openshift-sandboxed-containers-tech-preview/osc-rhel8-operator@sha256:743499367a4891d0f6d4aae9bb1b370893c3b2ea492c59464192da305145f1b7_amd64",
                "product": {
                  "name": "openshift-sandboxed-containers-tech-preview/osc-rhel8-operator@sha256:743499367a4891d0f6d4aae9bb1b370893c3b2ea492c59464192da305145f1b7_amd64",
                  "product_id": "openshift-sandboxed-containers-tech-preview/osc-rhel8-operator@sha256:743499367a4891d0f6d4aae9bb1b370893c3b2ea492c59464192da305145f1b7_amd64",
                  "product_identification_helper": {
                    "purl": "pkg:oci/osc-rhel8-operator@sha256:743499367a4891d0f6d4aae9bb1b370893c3b2ea492c59464192da305145f1b7?arch=amd64\u0026repository_url=registry.redhat.io/openshift-sandboxed-containers-tech-preview/osc-rhel8-operator\u0026tag=1.1.0-3"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "amd64"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-sandboxed-containers-tech-preview/osc-must-gather-rhel8@sha256:379aa6f59d25af015dba6a450851e7efb5b6ec6ac03e07f6325a00ab4cc43e3d_amd64 as a component of OpenShift Sandboxed Containers 1.1.0",
          "product_id": "8Base-OSE-OSC-1.1.0:openshift-sandboxed-containers-tech-preview/osc-must-gather-rhel8@sha256:379aa6f59d25af015dba6a450851e7efb5b6ec6ac03e07f6325a00ab4cc43e3d_amd64"
        },
        "product_reference": "openshift-sandboxed-containers-tech-preview/osc-must-gather-rhel8@sha256:379aa6f59d25af015dba6a450851e7efb5b6ec6ac03e07f6325a00ab4cc43e3d_amd64",
        "relates_to_product_reference": "8Base-OSE-OSC-1.1.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-sandboxed-containers-tech-preview/osc-operator-bundle@sha256:a91cee14f47824ce49759628d06bf4e48276e67dae00b50123d3233d78531720_amd64 as a component of OpenShift Sandboxed Containers 1.1.0",
          "product_id": "8Base-OSE-OSC-1.1.0:openshift-sandboxed-containers-tech-preview/osc-operator-bundle@sha256:a91cee14f47824ce49759628d06bf4e48276e67dae00b50123d3233d78531720_amd64"
        },
        "product_reference": "openshift-sandboxed-containers-tech-preview/osc-operator-bundle@sha256:a91cee14f47824ce49759628d06bf4e48276e67dae00b50123d3233d78531720_amd64",
        "relates_to_product_reference": "8Base-OSE-OSC-1.1.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openshift-sandboxed-containers-tech-preview/osc-rhel8-operator@sha256:743499367a4891d0f6d4aae9bb1b370893c3b2ea492c59464192da305145f1b7_amd64 as a component of OpenShift Sandboxed Containers 1.1.0",
          "product_id": "8Base-OSE-OSC-1.1.0:openshift-sandboxed-containers-tech-preview/osc-rhel8-operator@sha256:743499367a4891d0f6d4aae9bb1b370893c3b2ea492c59464192da305145f1b7_amd64"
        },
        "product_reference": "openshift-sandboxed-containers-tech-preview/osc-rhel8-operator@sha256:743499367a4891d0f6d4aae9bb1b370893c3b2ea492c59464192da305145f1b7_amd64",
        "relates_to_product_reference": "8Base-OSE-OSC-1.1.0"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2021-34558",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "discovery_date": "2021-07-14T00:00:00+00:00",
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "8Base-OSE-OSC-1.1.0:openshift-sandboxed-containers-tech-preview/osc-must-gather-rhel8@sha256:379aa6f59d25af015dba6a450851e7efb5b6ec6ac03e07f6325a00ab4cc43e3d_amd64",
            "8Base-OSE-OSC-1.1.0:openshift-sandboxed-containers-tech-preview/osc-operator-bundle@sha256:a91cee14f47824ce49759628d06bf4e48276e67dae00b50123d3233d78531720_amd64"
          ]
        }
      ],
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1983596"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in golang. A panic can be triggered by an attacker in a privileged network position without access to the server certificate\u0027s private key, as long as a trusted ECDSA or Ed25519 certificate for the server exists (or can be issued), or the client is configured with Config.InsecureSkipVerify. Clients that disable all TLS_RSA cipher suites (that is, TLS 1.0\u20131.2 cipher suites without ECDHE), as well as TLS 1.3-only clients, are unaffected.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "golang: crypto/tls: certificate of wrong type is causing TLS client to panic",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "* This vulnerability potentially affects any component written in Go that uses crypto/tls from the standard library. It is possible for components that make client connections to malicious servers to be exploited, however the maximum impact is a crash. This vulnerability is rated Low for the following components: \n    - OpenShift Container Platform\n    - OpenShift distributed tracing (formerly OpenShift Jaeger)\n    - OpenShift Migration Toolkit for Containers\n    - Red Hat Advanced Cluster Management for Kubernetes\n    - Red Hat OpenShift on AWS\n    - Red Hat OpenShift Virtualization\n\n* Because OpenShift Container Platform 3.11 is in Maintenance Phase of the support, only Important and Critical severity vulnerabilities will be addressed at this time.\n\n* Because Service Telemetry Framework1.2 will be retiring soon and the flaw\u0027s impact is lower, no update will be provided at this time for STF1.2\u0027s containers.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "8Base-OSE-OSC-1.1.0:openshift-sandboxed-containers-tech-preview/osc-rhel8-operator@sha256:743499367a4891d0f6d4aae9bb1b370893c3b2ea492c59464192da305145f1b7_amd64"
        ],
        "known_not_affected": [
          "8Base-OSE-OSC-1.1.0:openshift-sandboxed-containers-tech-preview/osc-must-gather-rhel8@sha256:379aa6f59d25af015dba6a450851e7efb5b6ec6ac03e07f6325a00ab4cc43e3d_amd64",
          "8Base-OSE-OSC-1.1.0:openshift-sandboxed-containers-tech-preview/osc-operator-bundle@sha256:a91cee14f47824ce49759628d06bf4e48276e67dae00b50123d3233d78531720_amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2021-34558"
        },
        {
          "category": "external",
          "summary": "RHBZ#1983596",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1983596"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2021-34558",
          "url": "https://www.cve.org/CVERecord?id=CVE-2021-34558"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-34558",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-34558"
        },
        {
          "category": "external",
          "summary": "https://golang.org/doc/devel/release#go1.15.minor",
          "url": "https://golang.org/doc/devel/release#go1.15.minor"
        },
        {
          "category": "external",
          "summary": "https://golang.org/doc/devel/release#go1.16.minor",
          "url": "https://golang.org/doc/devel/release#go1.16.minor"
        }
      ],
      "release_date": "2021-07-13T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "8Base-OSE-OSC-1.1.0:openshift-sandboxed-containers-tech-preview/osc-rhel8-operator@sha256:743499367a4891d0f6d4aae9bb1b370893c3b2ea492c59464192da305145f1b7_amd64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHEA-2021:3941"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "8Base-OSE-OSC-1.1.0:openshift-sandboxed-containers-tech-preview/osc-must-gather-rhel8@sha256:379aa6f59d25af015dba6a450851e7efb5b6ec6ac03e07f6325a00ab4cc43e3d_amd64",
            "8Base-OSE-OSC-1.1.0:openshift-sandboxed-containers-tech-preview/osc-operator-bundle@sha256:a91cee14f47824ce49759628d06bf4e48276e67dae00b50123d3233d78531720_amd64",
            "8Base-OSE-OSC-1.1.0:openshift-sandboxed-containers-tech-preview/osc-rhel8-operator@sha256:743499367a4891d0f6d4aae9bb1b370893c3b2ea492c59464192da305145f1b7_amd64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "8Base-OSE-OSC-1.1.0:openshift-sandboxed-containers-tech-preview/osc-rhel8-operator@sha256:743499367a4891d0f6d4aae9bb1b370893c3b2ea492c59464192da305145f1b7_amd64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "golang: crypto/tls: certificate of wrong type is causing TLS client to panic"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.