Impact statement for the OCPBUGS-28974 series:

Which 4.y.z to 4.y'.z' updates increase vulnerability?

Clusters updating from 4.15 to 4.16.(z<3). 4.16.3 addresses the issue via OCPBUGS-36330.

Which types of clusters?

Any OCP 4.1 and 4.2 based cluster that would want to scale-up new node having bootimage older that v4.3 using machine-api

What is the impact? Is it serious enough to warrant removing update recommendations?

Machine boot images from 4.1 and 4.2 are not compatible with some 4.16 OpenShift releases, and machines created with them will fail to become nodes. This risk does not apply if a cluster was installed as version 4.3 or later, or otherwise uses 4.3 or later boot images.

How involved is remediation?

OCP cluster installed originally with 4.1 or 4.2 will need to manually update their bootimage in their machineset before doing node scale-up, which completely mitigates the exposure.

Is this a regression

Yes, this is a regression. We'd thought the regression was introduced with:

• We confirmed the behavior happens on 4.16 likely via a regression in mco#4241