Impact statement for the OCPBUGS-55978 series:

Which 4.y.z to 4.y'.z' updates increase vulnerability?

All 4.18 to 4.19

Which types of clusters?

Clusters running on the vSphere platform with the vSphere CSI driver mounting VSAN Files volumes whenever VSAN is not fully patched and up to date, our experience is that VMWare services are rarely completely up to date.

What is the impact? Is it serious enough to warrant removing update recommendations?

Customers typically use vSAN file storage for image registries. Any customer who will upgrade to OCP 4.19 without fixed version of vSAN (or RHEL kernel), will not be able to use underlying volumes at all. Customers image registries will go offline.

How involved is remediation?

The remediation is pretty complicated, which requires upgrades to vCenter, ESXi hosts and vSAN service. The full process is documented by Broadcom.

The remediation process requires downtime of customer's workload.

Is this a regression?

Yes this a regression. Mounting of same volume works fine with OCP 4.18. Updating to 4.19 on unpatched vSAN versions will definitely increase the risk of exposure the bug.