This advisory covers security fixes in Red Hat OpenShift Container Platform 4.20.10, addressing five CVEs: CVE-2025-8677 (bind resource exhaustion via malformed DNSKEY handling), CVE-2025-40778 (bind cache poisoning via unsolicited resource records), CVE-2025-40780 (bind cache poisoning due to weak PRNG), CVE-2025-59375 (libexpat large dynamic memory allocations triggered by small XML documents), and CVE-2025-9230 (OpenSSL out-of-bounds read and write in RFC 3211 KEK unwrap). These vulnerabilities affect core components used in the platform and could impact stability and security. Red Hat provides updated container images and RPM packages to remediate these issues. The advisory includes instructions for upgrading clusters using OpenShift CLI or web console.

The vulnerabilities fixed in this update could allow attackers to cause resource exhaustion, perform cache poisoning attacks, trigger excessive memory allocations, or exploit out-of-bounds memory access in critical components of the OpenShift Container Platform. These issues may lead to denial of service or compromise of data integrity within the platform. Red Hat rates the overall security impact of this update as Important (high severity). There are no known exploits in the wild at the time of this advisory.

Red Hat has released updated container images and RPM packages for OpenShift Container Platform 4.20.10 that address these vulnerabilities. Users should upgrade to these updated packages and images as soon as they are available in their release channels. Upgrades can be performed using the OpenShift CLI (oc) or the web console. Detailed upgrade instructions are available in the official Red Hat documentation. No additional mitigations are specified beyond applying the official update.