A security issue was discovered in kube-apiserver that could allow node updates to bypass a Validating Admission Webhook. You are only affected by this vulnerability if you run a Validating Admission Webhook for Nodes that denies admission based at least partially on the old state of the Node object.

Note: This only impacts validating admission plugins that rely on old values in certain fields, and does not impact calls from kubelets that go through the built-in NodeRestriction admission plugin.

Upstream placeholder issue: https://github.com/kubernetes/kubernetes/issues/100096
Upstream PR: https://github.com/kubernetes/kubernetes/pull/99946

Acknowledgments:
Name: the Kubernetes Product Security Committee
Upstream: Rogerio Bastos (Red Hat), Ari Lima (Red Hat)
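The affected configuration described above is a validating webhook that receives Node UPDATE requests. The following triage script, an added example that is not part of this bug report or of the Kubernetes or OpenShift projects, lists the webhooks in a set of ValidatingWebhookConfiguration objects whose rules intercept Node updates, applying the same wildcard, core-group, subresource and scope semantics that kube-apiserver uses when matching admission rules. The two configurations it runs on are constructed sample data; in practice you would feed it the `items` of `kubectl get validatingwebhookconfigurations -o json`.

```python
import json

# Constructed sample ValidatingWebhookConfiguration objects, not from any real cluster
# (same shape as the "items" of `kubectl get validatingwebhookconfigurations -o json`).
SAMPLE_CONFIGS = json.loads("""[
 {"metadata": {"name": "node-policy"}, "webhooks": [
   {"name": "nodes.example.invalid", "rules": [{"apiGroups": [""], "apiVersions": ["v1"],
      "resources": ["nodes"], "operations": ["UPDATE"]}]},
   {"name": "status-only.example.invalid", "rules": [{"apiGroups": [""], "apiVersions": ["v1"],
      "resources": ["nodes/status"], "operations": ["UPDATE"]}]}]},
 {"metadata": {"name": "catch-all"}, "webhooks": [
   {"name": "everything.example.invalid", "rules": [{"apiGroups": ["*"], "apiVersions": ["*"],
      "resources": ["*/*"], "operations": ["*"], "scope": "*"}]},
   {"name": "namespaced-only.example.invalid", "rules": [{"apiGroups": ["*"], "apiVersions": ["*"],
      "resources": ["*"], "operations": ["*"], "scope": "Namespaced"}]}]}
]""")


def _split_resource(entry):
    # "nodes" -> ("nodes", ""), "nodes/status" -> ("nodes", "status"), "*/*" -> ("*", "*")
    res, _, sub = entry.partition("/")
    return res, sub


def rule_matches_node_update(rule):
    # Mirrors kube-apiserver's rule matching: "*" is a wildcard in every list,
    # the core API group is "", a bare "nodes" matches only the main resource
    # while "nodes/*" and "*/*" also cover subresources. Node is cluster-scoped,
    # so a rule with scope "Namespaced" never sees it (the default scope is "*").
    groups_ok = any(g in ("*", "") for g in rule.get("apiGroups", []))
    versions_ok = any(v in ("*", "v1") for v in rule.get("apiVersions", []))
    ops_ok = any(op in ("*", "UPDATE") for op in rule.get("operations", []))
    scope_ok = rule.get("scope", "*") in ("*", "Cluster")
    res_ok = any(res in ("*", "nodes") and sub in ("", "*")
                 for res, sub in map(_split_resource, rule.get("resources", [])))
    return groups_ok and versions_ok and ops_ok and scope_ok and res_ok


def webhooks_seeing_node_updates(configs):
    """Return (configuration name, webhook name) pairs whose rules intercept Node UPDATEs."""
    hits = []
    for cfg in configs:
        for hook in cfg.get("webhooks", []):
            if any(rule_matches_node_update(r) for r in hook.get("rules", [])):
                hits.append((cfg["metadata"]["name"], hook["name"]))
    return hits


if __name__ == "__main__":
    for cfg_name, hook_name in webhooks_seeing_node_updates(SAMPLE_CONFIGS):
        print(f"{cfg_name}/{hook_name} intercepts Node UPDATE requests: review its use of oldObject")
```

The listing only tells you which webhooks receive Node updates; whether a listed webhook actually bases its deny decision on the old Node state has to be confirmed in that webhook's own code.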
Created origin tracking bugs for this issue: Affects: fedora-all [bug 1949608]
External References: https://groups.google.com/g/kubernetes-security-announce/c/FKAGqT4jx9Y
This issue has been addressed in the following products:

Red Hat OpenShift Container Platform 4.8
Via RHSA-2021:2437 https://access.redhat.com/errata/RHSA-2021:2437
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-25735
https://access.redhat.com/security/cve/CVE-2021-25735 only references OpenShift version 4.8 as being fixed. There are no details on earlier OpenShift version 4.x releases. Are these releases not impacted, still vulnerable or fixed?
(In reply to Richard Theis from comment #15)
> https://access.redhat.com/security/cve/CVE-2021-25735 only references
> OpenShift version 4.8 as being fixed. There are no details on earlier
> OpenShift version 4.x releases. Are these releases not impacted, still
> vulnerable or fixed?

OpenShift 4.8.2 is the first released version of OpenShift 4 that has been fixed. Earlier released versions of OpenShift 4 are affected.
Can anyone tell me whether CVE-2021-25735 has been fixed for OpenShift 4.7 and 4.6, and if so which security errata it's documented in? I can't see any updated details on https://access.redhat.com/security/cve/CVE-2021-25735, only that OpenShift v4 is still affected. Or is this a similar case to https://bugzilla.redhat.com/show_bug.cgi?id=1963232#c26 (CVE-2021-33194) where this vulnerability won't be addressed in OpenShift (OCP) 4.7 and 4.6 as both these releases are already in the maintenance support phase?
In reply to comment #17:
> Can anyone tell me whether CVE-2021-25735 has been fixed for OpenShift
> 4.7 and 4.6, and if so which security errata it's documented in? I can't see
> any updated details on
> https://access.redhat.com/security/cve/CVE-2021-25735, only that OpenShift
> v4 is still affected.

OpenShift 4.8.2 is the first released version of OpenShift 4 that has been fixed. Earlier released versions of OpenShift 4 are affected.

> Or is this a similar case to
> https://bugzilla.redhat.com/show_bug.cgi?id=1963232#c26 (CVE-2021-33194)
> where this vulnerability won't be addressed in OpenShift (OCP) 4.7 and 4.6
> as both these releases are already in the maintenance support phase?

Even in Full Support phase, only Important and Critical rated vulnerabilities are covered under our support policy: https://access.redhat.com/support/policy/updates/openshift

That said, Low and Moderate rated CVEs do sometimes get fixed, but this is dependent on many factors. If you would like to request a fix for this CVE in earlier versions of OpenShift, please raise a support ticket.
Thank you. Is a support ticket separate from a bugzilla? If so, should we open both a support ticket and an associated bugzilla?
(In reply to Richard Theis from comment #19)
> Thank you. Is a support ticket separate from a bugzilla? If so, should we
> open both a support ticket and an associated bugzilla?

A support ticket is separate from bugzilla. On this page, please use the "Open a Support Case" link: https://access.redhat.com/
Done. Thank you.