Bug 1952333

Summary: openshift/kubernetes vulnerable to CVE-2021-3121
Product: OpenShift Container Platform Reporter: Joel Smith <joelsmith>
Component: kube-apiserverAssignee: Joel Smith <joelsmith>
Status: CLOSED ERRATA QA Contact: Ke Wang <kewang>
Severity: medium Docs Contact:
Priority: medium    
Version: 4.8CC: aos-bugs, mfojtik, xxia
Target Milestone: ---   
Target Release: 4.8.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-07-27 23:02:52 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Joel Smith 2021-04-22 04:59:43 UTC 
Description of problem:

In addition to the vulnerabilities created by the buggy protobuf compiler, there is another instance where a protobuf handler was copied from old generated code, then modified by hand.  That instance also needs to be updated to fix CVE-2021-3121.
Comment 2 Ke Wang 2021-04-27 05:54:29 UTC 
From PR https://github.com/openshift/kubernetes/pull/699, less thing QE can do, QE can mare sure if the PR is landed on the latest payload,

$ cd kubernetes/
$ git pull
$ oc login --token=<Tocken> --server=https://api.ci.l2s4.p1.openshiftapps.com:6443
$ docker login -u <github-id> -p $(oc whoami -t) registry.ci.openshift.org

$  oc adm release info --commits registry.ci.openshift.org/ocp/release:4.8.0-0.nightly-2021-04-26-151924 | grep hyper
  hyperkube                                      https://github.com/openshift/kubernetes                                     6143dea8e6a5046b467a67f7d1fda8e63833a2e7

$ git log --date=local --pretty="%h %an %cd - %s" 6143dea8 | grep ' #699 ' 
98e21e7baaa OpenShift Merge Robot Sun Apr 25 04:12:12 2021 - Merge pull request #699 from joelsmith/oomaster

The PR has been landed on the latest payload, so move the bug VERIFIED.
Comment 5 errata-xmlrpc 2021-07-27 23:02:52 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:2438