Impact statement for the OCPBUGS-37987 series:

Which 4.y.z to 4.y'.z' updates increase vulnerability?

• 4.15.(z<25) or 4.16.(z<7) into 4.16.(z>=7), until OCPBUGS-38089 brings a fix back to 4.16.z.
• 4.14.(z<34) or 4.15.(z<25) into 4.15.(z>=25), until OCPBUGS-38090 brings a fix back to 4.15.z.
• 4.13 or 4.14.(z<34) into 4.14.(z>=34), until OCPBUGS-38091 brings a fix back to 4.14.z.

Which types of clusters?

• Clusters which utilize SRIOV operator for VF functions

What is the impact? Is it serious enough to warrant removing update recommendations?

• SRIOV VF will not work properly, and pods with a secondary interface of SRI-OV VF will fail to create a pod sandbox and thus will not function.

How involved is remediation?

• The problem is introduced via a CVE fix in the kernel, you may roll back RHCOS to previous version or layer in a different kernel until a fix has been delivered. Or update to an OpenShift release with a patched kernel.

Is this a regression?

• Yes, introduced in 4.14.34 and 4.15.25