Impact statement for the OCPBUGS-44379 series:

Which 4.y.z to 4.y'.z' updates increase vulnerability?

• Customers upgrading from any 4.13 or 4.14.z to 4.14.40 with IPSec enabled
• A fresh installation of 4.14 with IPsec configured (spec.defaultNetwork.ovnKubernetesConfig.ipsecConfig: {})

Which types of clusters?

• IPSec OCP enabled clusters

What is the impact? Is it serious enough to warrant removing update recommendations?

• customers upgrading to 4.14.40 will be exposed with the following vulnerabilities exist for packages in ovnk container:
  • Important CVE-2023-2295 RHSA-2023:3148 
  • Important CVE-2023-30570 RHSA-2023:2120 
  • Moderate CVE-2023-23009 RHSA-2023:2633 
  • Moderate CVE-2024-2357 RHSA-2024:2085 
  • Moderate CVE-2024-3652 RHSA-2024:4431 

How involved is remediation?

• Disable IPSec: https://docs.openshift.com/container-platform/4.14/networking/ovn_kubernetes_network_provider/configuring-ipsec-ovn.html#nw-ovn-ipsec-disable_configuring-ipsec-ovn

Is this a regression?

• Yes, this regression was introduced by pinning the libreswan package in ovnk container on 4.14.40