Issued:: 2021-09-16
Updated:: 2021-09-16

RHSA-2021:3556 - Moderate: Release of OpenShift Serverless 1.17.0

Synopsis

Moderate: Release of OpenShift Serverless 1.17.0

Type/Severity

Security Advisory Moderate

Topic

Release of OpenShift Serverless 1.17.0

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat OpenShift Serverless 1.17.0 release of the OpenShift Serverless Operator. This version of the OpenShift Serverless Operator is supported on Red Hat OpenShift Container Platform versions 4.6, 4.7 and 4.8, and includes security and bug fixes and enhancements. For more information, see the documentation listed in the References section.

Security Fix(es):

golang: crypto/tls: certificate of wrong type is causing TLS client to panic (CVE-2021-34558)
golang: net: lookup functions may return invalid host names (CVE-2021-33195)
golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty (CVE-2021-33197)
golang: match/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents (CVE-2021-33198)
golang: encoding/xml: infinite loop when using xml.NewTokenDecoder with a custom TokenReader (CVE-2021-27918)
golang: net/http: panic in ReadRequest and ReadResponse when reading a very large header (CVE-2021-31525)
golang: archive/zip: malformed archive may cause panic or memory exhaustion (CVE-2021-33196)

It was found that the CVE-2021-27918, CVE-2021-31525 and CVE-2021-33196 have been incorrectly mentioned as fixed in RHSA for Serverless client kn 1.16.0. This has been fixed (CVE-2021-3703).

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

See the Red Hat OpenShift Container Platform 4.6 documentation at: https://access.redhat.com/documentation/en-us/openshift_container_platform/4.6/html/serverless/index See the Red Hat OpenShift Container Platform 4.7 documentation at: https://access.redhat.com/documentation/en-us/openshift_container_platform/4.7/html/serverless/index See the Red Hat OpenShift Container Platform 4.8 documentation at: https://access.redhat.com/documentation/en-us/openshift_container_platform/4.8/html/serverless/index

Affected Products

Product	Version	Arch
Red Hat Openshift Serverless	1	x86_64

Fixes

CVEs

CVE-2016-10228
CVE-2017-14502
CVE-2019-2708
CVE-2019-9169
CVE-2019-25013
CVE-2020-8231
CVE-2020-8284
CVE-2020-8285
CVE-2020-8286
CVE-2020-8927
CVE-2020-13434
CVE-2020-15358
CVE-2020-27618
CVE-2020-28196
CVE-2020-29361
CVE-2020-29362
CVE-2020-29363
CVE-2021-3326
CVE-2021-3421
CVE-2021-3449
CVE-2021-3450
CVE-2021-3516
CVE-2021-3517
CVE-2021-3518
CVE-2021-3520
CVE-2021-3537
CVE-2021-3541
CVE-2021-3703
CVE-2021-20271
CVE-2021-20305
CVE-2021-27218
CVE-2021-27918
CVE-2021-31525
CVE-2021-33195
CVE-2021-33196
CVE-2021-33197
CVE-2021-33198
CVE-2021-34558

References

Additional information

The Red Hat security contact is This content is not included.secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
Offline Security Data data is available for integration with other systems. See Offline Security Data API to get started.