Impact statement for the OCPBUGS-38794 series:

Which 4.y.z to 4.y'.z' updates increase vulnerability?

• Any upgrade of the Hosted Clusters from 4.15.22 or 4.16.3 to 4.15.23+ or 4.16.4+

Which types of clusters?

ROSA with hosted control planes clusters with:

• A Control Plane version 4.15.23 or later or 4.16.4 or later, and
• MachinePools with version 4.14.33 or earlier or 4.15.22 or earlier
  4.16.z MachinePools are not affected, regardless of Control Plane version

For OpenShift clusters with the Hypershift Operator

• A Hosted Cluster version 4.15.23 or later or 4.16.4 or later, and
• Node Pools with version 4.14.33 or earlier or 4.15.22 or earlier
  4.16.z NodePools are not affected, regardless of Hosted cluster version

The difference between the two is just wording based on the customer-facing resource name (ROSA vs Self-managed)

What is the impact? Is it serious enough to warrant removing update recommendations?

• If the Hosted Cluster is upgraded to version 4.15.23+ or 4.16.4+, NodePools in those clusters with version 4.14 (any) and 4.15.22 or less will not be able to create new nodes or update config on those nodes

How involved is remediation?

• Remediation is to upgrade the NodePool to 4.15.23+
• If NodePool upgrade is not possible due to workload constraints, the a new NodePool can be created at 4.15.23+ and workloads can be migrated manually and the old NodePool can be deleted.

Is this a regression?

• Yes. From 4.15.22 to 4.15.23 for the Hosted Cluster version.