-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat OpenShift Data Foundation 4.11.7 Bug Fix and security update
Advisory ID:       RHSA-2023:2023-01
Product:           RHODF
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:2023
Issue date:        2023-04-26
CVE Names:         CVE-2020-10735 CVE-2021-28861 CVE-2022-4304 
                   CVE-2022-4415 CVE-2022-4450 CVE-2022-40186 
                   CVE-2022-40897 CVE-2022-45061 CVE-2022-48303 
                   CVE-2023-0215 CVE-2023-0286 CVE-2023-0361 
                   CVE-2023-23916 
=====================================================================

1. Summary:

Updated images that fix several bugs are now available for Red Hat
OpenShift Data Foundation 4.11.7 on Red Hat Enterprise Linux 8 from Red Hat
Container Registry.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Data Foundation is software-defined storage integrated
with and optimized for the Red Hat OpenShift Data Foundation. Red Hat
OpenShift Data Foundation is a highly scalable, production-grade persistent
storage for stateful applications running in the Red Hat OpenShift
Container Platform. In addition to persistent storage, Red Hat OpenShift
Data Foundation provisions a multicloud data management service with an S3
compatible API.

Security Fix(es):

* vault: Vault Entity Alias Metadata May Leak Between Aliases With The Same
Name Assigned To The Same Entity (CVE-2022-40186)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

All users of Red Hat OpenShift Data Foundation are advised to upgrade to
these updated images, which provide several bug fixes.

3. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2171965 - [4.11 clone] Secrets are used in env variables
2176012 - [ODF 4.11] Move the defaults for rookceph operator from configmap to csv
2181405 - CVE-2022-40186 vault: Vault Entity Alias Metadata May Leak Between Aliases With The Same Name Assigned To The Same Entity
2183683 - [ODF 4.11] Deployment of ODF 4.9 over external mode failing with: panic: assignment to entry in nil map in ocs-operator logs
2186456 - Include at ODF 4.11 container images the RHEL8 CVE fix on "openssl"

5. References:

https://access.redhat.com/security/cve/CVE-2020-10735
https://access.redhat.com/security/cve/CVE-2021-28861
https://access.redhat.com/security/cve/CVE-2022-4304
https://access.redhat.com/security/cve/CVE-2022-4415
https://access.redhat.com/security/cve/CVE-2022-4450
https://access.redhat.com/security/cve/CVE-2022-40186
https://access.redhat.com/security/cve/CVE-2022-40897
https://access.redhat.com/security/cve/CVE-2022-45061
https://access.redhat.com/security/cve/CVE-2022-48303
https://access.redhat.com/security/cve/CVE-2023-0215
https://access.redhat.com/security/cve/CVE-2023-0286
https://access.redhat.com/security/cve/CVE-2023-0361
https://access.redhat.com/security/cve/CVE-2023-23916
https://access.redhat.com/security/updates/classification/#important

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBZEkQztzjgjWX9erEAQgqiQ//QNYPbRoFnC155vDFDqfb/Xen4MISMAL3
0ttVhQtlpAFvDpawOGKSU6VpSg5RTdjMebmGdJ33CiP/BQTyU+jA0jwVFlo47mqi
gfMKWhyn36+Y/Jy/n3QAbM3AoZpojuqHHac+nu5PipUVo2qUe8CvqG/yqb/bx/0P
mAMpbC2CWead2YRsWRAyTtwODCp5LV12X9zKQN4lLd04KEsYHBxKM4FnMA/FuY25
j39k/hGLvH7bH45okcnE/36aiGtiwPMnpg8Vilt0kBCGlSZTnhbs1wrJ7rsdoECi
+g2jA62Rfnb4I8/u9L16RZeKagM76nNlkeCPvgW7SyXOcuHiE/uK3e6XkrqxT9I/
v1bjt7w3KVuJKIz48XOsIVnUZ6XpbMdHUQAmTjYOBR59Fpjh3eKlV294XY97FqSk
LWH9PC6A347xrwEPx8A0xtVAYH91Kxn2IL5qHB9NxQpUffZhBHj5er8gowIpGvUN
PyhjibxA38UFhNNVYvgDNFC547V56KlJGwczuTAMVdyVLCPId86Rvo3PqM1gv567
iS14t91UNPWhkPkfibQy+jnI2YJuIKjuDYEIBto3Ys4Zmf8ha2WKx8B+PN7KNe8R
0z6xsMUrj+CHbBkuq1rPE+CW0XbXqsb1vRP2H2ucTByStag163Ll833x//FvOE/l
SN9bgU5rjbk=
=T/2V
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce