Описание
ELSA-2022-10034: kubernetes security update (IMPORTANT)
kubernetes [1.21.14-3]
- Addresses CVE-2022-3294 & CVE-2022-3162
[1.21.14-2]
- Fixed kubernetes-cni version.
[1.21.14-1]
- Addresses CVE-2022-3172
olcne [1.4.9-2]
- Fix 1.21 kubernetes version to align with last upstream release
[1.4.9-1]
- Resolve kubernetes CVE-2022-3294 & CVE-2022-3162 for version 1.21
[1.4.8-3]
- Unpinned podman for OL7
[1.4.8-2]
- Updated Kubernetes package release version to 1.21.6-2
[1.4.8-1]
- Upgraded kubernetes-1.21.6 to 1.21.14
- Resolve Kubernetes CVE-2022-3172 for version 1.21
[1.4.7-1]
- Upgrade Istio from 1.13.5 to 1.13.7 to resolve the CVE-2022-31045
[1.4.6-2]
- Fix bug in gen-certs-helper script to change permission of node.key to allow opc user to copy over
- Update gen-certs-helper script to skip printing olcne_transfer_script execution
- Cleanup grpc connection when node not found and use substr method in case fqdn used for hostname
[1.4.6-1]
- Adress Istio CVE-2022-31045, CVE-2022-29225, CVE-2022-29224,CVE-2022-29226,CVE-2022-29228,CVE-2022-29227
[1.4.5-1]
- Address qemu CVE-2022-26353, CVE-2021-3748
[1.4.4-1]
- Excluded unnecessary directories from k8s backup files
[1.4.3-1]
- Update Istio to 1.13.2
[1.4.2-1]
- Added 1.4 extra images to registry-image-helper.sh script
[1.4.1-4]
- Ensure that the order of items in an upgraded config file is stable with respect to the original file
- Ensure that old olcnectl config files are upgraded
[1.4.1-3]
- Fixed a bug where specifying a port in the container-registry argument to the Kubernetes module would result in pods not being able to start.
[1.4.1-2]
- Allow loadbalancer to be configured regardless of security list mode
[1.4.1-1]
- Fix bug in initialising certs manager when environment name not mentioned
[1.4.0-3]
- Fix bug in fetching report for multi-environment
[1.4.0-2]
- Pause image is 3.4.1
[1.4.0-1]
- CSI plugin
- Reports feature
- Kubernetes-1.20.6 to Kubernetes-1.21.6 upgrade
- Istio-1.9.4 to Istio-1.11.4 upgrade
- Component upgrades
- Config file feature
[1.3.0-13]
- Fix iptables issue when running on OL7 host using OL8 image
[1.3.0-12]
- Address CVE's ISTIO-SECURITY-2021-003, ISTIO-SECURITY-2021-005, ISTIO-SECURITY-2021-006, ISTIO-SECURITY-2021-007
[1.3.0-11]
- Fixed yaml file to stop olcne-nginx and keepalived services at uninstall [Orabug: 32296282]
[1.3.0-10]
- Fixed missing double semicolon in registry image helper
[1.3.0-9]
Обновленные пакеты
Oracle Linux 8
Oracle Linux x86_64
kubeadm
1.21.14-3.el8
kubectl
1.21.14-3.el8
kubelet
1.21.14-3.el8
olcne-agent
1.4.9-2.el8
olcne-api-server
1.4.9-2.el8
olcne-gluster-chart
1.4.9-2.el8
olcne-grafana-chart
1.4.9-2.el8
olcne-istio-chart
1.4.9-2.el8
olcne-nginx
1.4.9-2.el8
olcne-oci-csi-chart
1.4.9-2.el8
olcne-olm-chart
1.4.9-2.el8
olcne-prometheus-chart
1.4.9-2.el8
olcne-utils
1.4.9-2.el8
olcnectl
1.4.9-2.el8
Связанные CVE
Связанные уязвимости
Users may have access to secure endpoints in the control plane network. Kubernetes clusters are only affected if an untrusted user can modify Node objects and send proxy requests to them. Kubernetes supports node proxying, which allows clients of kube-apiserver to access endpoints of a Kubelet to establish connections to Pods, retrieve container logs, and more. While Kubernetes already validates the proxying address for Nodes, a bug in kube-apiserver made it possible to bypass this validation. Bypassing this validation could allow authenticated requests destined for Nodes to to the API server's private network.