Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2016.1277
Important: Red Hat OpenShift Enterprise 3.2 security update and Moderate:
Red Hat OpenShift Enterprise 3.1 security update
20 May 2016
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Red Hat OpenShift Enterprise 3.2
Red Hat OpenShift Enterprise 3.1
Publisher: Red Hat
Operating System: Red Hat
Virtualisation
Impact/Access: Access Privileged Data -- Remote/Unauthenticated
Increased Privileges -- Existing Account
Unauthorised Access -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2016-3738 CVE-2016-3708 CVE-2016-3703
Original Bulletin:
https://access.redhat.com/errata/RHSA-2016:1094
https://access.redhat.com/errata/RHSA-2016:1095
Comment: This bulletin contains two (2) Red Hat security advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Important: Red Hat OpenShift Enterprise 3.2 security update
Advisory ID: RHSA-2016:1094-01
Product: Red Hat OpenShift Enterprise
Advisory URL: https://access.redhat.com/errata/RHSA-2016:1094
Issue date: 2016-05-19
CVE Names: CVE-2016-3703 CVE-2016-3708 CVE-2016-3738
=====================================================================
1. Summary:
An update for atomic-openshift and nodejs-node-uuid is now available for
Red Hat OpenShift Enterprise 3.2. In addition, all images have been rebuilt
on the new RHEL 7.2.4 base image.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat OpenShift Enterprise 3.2 - noarch, x86_64
3. Description:
OpenShift Enterprise by Red Hat is the company's cloud computing
Platform-as-a-Service (PaaS) solution designed for on-premise or private
cloud deployments.
Security Fix(es):
* A vulnerability was found in the STI build process in OpenShift
Enterprise. Access to STI builds was not properly restricted, allowing an
attacker to use STI builds to access the Docker socket and escalate their
privileges. (CVE-2016-3738)
* An origin validation vulnerability was found in OpenShift Enterprise. An
attacker could potentially access API credentials stored in a web browser's
localStorage if anonymous access was granted to a service/proxy or
pod/proxy API for a specific pod, and an authorized access_token was
provided in the query parameter. (CVE-2016-3703)
* A flaw was found in OpenShift Enterprise when multi-tenant SDN is enabled
and a build is run within a namespace that would normally be isolated from
pods in other namespaces. If an s2i build is run in such an environment the
container being built can access network resources on pods that should not
be available to it. (CVE-2016-3708)
The CVE-2016-3738 issue was discovered by David Eads (Red Hat); the
CVE-2016-3703 issue was discovered by Jordan Liggitt (Red Hat); and the
CVE-2016-3708 issue was discovered by Ben Parees (Red Hat).
This update includes the following images:
openshift3/ose:v3.2.0.44-2
openshift3/ose-deployer:v3.2.0.44-2
openshift3/ose-docker-builder:v3.2.0.44-2
openshift3/ose-docker-registry:v3.2.0.44-2
openshift3/ose-f5-router:v3.2.0.44-2
openshift3/ose-haproxy-router:v3.2.0.44-2
openshift3/ose-keepalived-ipfailover:v3.2.0.44-2
openshift3/ose-pod:v3.2.0.44-2
openshift3/ose-recycler:v3.2.0.44-2
openshift3/ose-sti-builder:v3.2.0.44-2
openshift3/jenkins-1-rhel7:1.642-32
openshift3/logging-auth-proxy:3.2.0-4
openshift3/logging-deployment:3.2.0-9
openshift3/logging-elasticsearch:3.2.0-8
openshift3/logging-fluentd:3.2.0-8
openshift3/logging-kibana:3.2.0-4
openshift3/metrics-deployer:3.2.0-6
openshift3/metrics-heapster:3.2.0-6
openshift3/mongodb-24-rhel7:2.4-28
openshift3/mysql-55-rhel7:5.5-26
openshift3/nodejs-010-rhel7:0.10-35
openshift3/node:v3.2.0.44-2
openshift3/openvswitch:v3.2.0.44-2
openshift3/perl-516-rhel7:5.16-38
openshift3/php-55-rhel7:5.5-35
openshift3/postgresql-92-rhel7:9.2-25
openshift3/python-33-rhel7:3.3-35
openshift3/ruby-20-rhel7:2.0-35
aep3_beta/aep:v3.2.0.44-2
aep3_beta/aep-deployer:v3.2.0.44-2
aep3_beta/aep-docker-registry:v3.2.0.44-2
aep3_beta/aep-f5-router:v3.2.0.44-2
aep3_beta/aep-haproxy-router:v3.2.0.44-2
aep3_beta/aep-keepalived-ipfailover:v3.2.0.44-2
aep3_beta/aep-pod:v3.2.0.44-2
aep3_beta/aep-recycler:v3.2.0.44-2
aep3_beta/logging-auth-proxy:3.2.0-4
aep3_beta/logging-deployment:3.2.0-9
aep3_beta/logging-elasticsearch:3.2.0-8
aep3_beta/logging-fluentd:3.2.0-8
aep3_beta/logging-kibana:3.2.0-4
aep3_beta/metrics-deployer:3.2.0-6
aep3_beta/metrics-heapster:3.2.0-6
aep3_beta/node:v3.2.0.44-2
aep3_beta/openvswitch:v3.2.0.44-2
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1306011 - Deployer pods incorrectly using the host entry from openshiftLoopbackKubeconfig
1318974 - Creating pods on OSE with awsElasticBlockStore only assigns devices /dev/xvdb - /dev/xvdp to openshift node
1324996 - JSON message fields are getting overwritten
1329044 - console.dev-preview-int.openshift.com setting of memory limit confusing
1330233 - CVE-2016-3703 OpenShift Enterprise 3: Untrusted content loaded via the API proxy can access web console credentials on the same domain
1330364 - Should update the role name in the prompt on the web console
1331229 - CVE-2016-3708 OpenShiftEnterprise 3: s2i builds implicitly perform docker builds
1333168 - Node.js images crash with DEV_MODE=true
1333461 - CVE-2016-3738 origin: pod update allows docker socket access via build-pod
6. Package List:
Red Hat OpenShift Enterprise 3.2:
Source:
atomic-openshift-3.2.0.44-1.git.0.a4463d9.el7.src.rpm
nodejs-node-uuid-1.4.7-1.el7.src.rpm
noarch:
nodejs-node-uuid-1.4.7-1.el7.noarch.rpm
x86_64:
atomic-openshift-3.2.0.44-1.git.0.a4463d9.el7.x86_64.rpm
atomic-openshift-clients-3.2.0.44-1.git.0.a4463d9.el7.x86_64.rpm
atomic-openshift-clients-redistributable-3.2.0.44-1.git.0.a4463d9.el7.x86_64.rpm
atomic-openshift-dockerregistry-3.2.0.44-1.git.0.a4463d9.el7.x86_64.rpm
atomic-openshift-master-3.2.0.44-1.git.0.a4463d9.el7.x86_64.rpm
atomic-openshift-node-3.2.0.44-1.git.0.a4463d9.el7.x86_64.rpm
atomic-openshift-pod-3.2.0.44-1.git.0.a4463d9.el7.x86_64.rpm
atomic-openshift-recycle-3.2.0.44-1.git.0.a4463d9.el7.x86_64.rpm
atomic-openshift-sdn-ovs-3.2.0.44-1.git.0.a4463d9.el7.x86_64.rpm
atomic-openshift-tests-3.2.0.44-1.git.0.a4463d9.el7.x86_64.rpm
tuned-profiles-atomic-openshift-node-3.2.0.44-1.git.0.a4463d9.el7.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2016-3703
https://access.redhat.com/security/cve/CVE-2016-3708
https://access.redhat.com/security/cve/CVE-2016-3738
https://access.redhat.com/security/updates/classification/#important
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2016 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFXPkiKXlSAg2UNWIIRAsa4AKDBVV9n5rX0BrQhspq/Kd1wNoTr8wCguVmp
9WTmxUn/XuRDJFzqxtZpCVI=
=n+fK
- -----END PGP SIGNATURE-----
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: Red Hat OpenShift Enterprise 3.1 security update
Advisory ID: RHSA-2016:1095-01
Product: Red Hat OpenShift Enterprise
Advisory URL: https://access.redhat.com/errata/RHSA-2016:1095
Issue date: 2016-05-19
CVE Names: CVE-2016-3703
=====================================================================
1. Summary:
An update for atomic-openshift is now available for Red Hat OpenShift
Enterprise 3.1. In addition, all images have been rebuilt on the new RHEL
7.2.4 base image.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat OpenShift Enterprise 3.1 - x86_64
3. Description:
OpenShift Enterprise by Red Hat is the company's cloud computing
Platform-as-a-Service (PaaS) solution designed for on-premise or private
cloud deployments.
Security Fix(es):
* An origin validation vulnerability was found in OpenShift Enterprise. An
attacker could potentially access API credentials stored in a web browser's
localStorage if anonymous access was granted to a service/proxy or
pod/proxy API for a specific pod, and an authorized access_token was
provided in the query parameter. (CVE-2016-3703)
This issue was discovered by Jordan Liggitt (Red Hat).
This update includes the following images:
openshift3/ose:v3.1.1.6-21
openshift3/ose-deployer:v3.1.1.6-20
openshift3/ose-docker-builder:v3.1.1.6-19
openshift3/ose-docker-registry:v3.1.1.6-9
openshift3/ose-f5-router:v3.1.1.6-20
openshift3/ose-haproxy-router:v3.1.1.6-9
openshift3/ose-keepalived-ipfailover:v3.1.1.6-9
openshift3/ose-pod:v3.1.1.6-9
openshift3/ose-recycler:v3.1.1.6-9
openshift3/ose-sti-builder:v3.1.1.6-19
openshift3/logging-auth-proxy:3.1.1-9
openshift3/logging-deployment:3.1.1-17
openshift3/logging-elasticsearch:3.1.1-11
openshift3/logging-fluentd:3.1.1-11
openshift3/logging-kibana:3.1.1-8
openshift3/metrics-deployer:3.1.1-7
openshift3/metrics-heapster:3.1.1-7
openshift3/node:v3.1.1.6-20
openshift3/openvswitch:v3.1.1.6-10
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1330233 - CVE-2016-3703 OpenShift Enterprise 3: Untrusted content loaded via the API proxy can access web console credentials on the same domain
6. Package List:
Red Hat OpenShift Enterprise 3.1:
Source:
atomic-openshift-3.1.1.6-8.git.64.80b61da.el7aos.src.rpm
x86_64:
atomic-openshift-3.1.1.6-8.git.64.80b61da.el7aos.x86_64.rpm
atomic-openshift-clients-3.1.1.6-8.git.64.80b61da.el7aos.x86_64.rpm
atomic-openshift-clients-redistributable-3.1.1.6-8.git.64.80b61da.el7aos.x86_64.rpm
atomic-openshift-dockerregistry-3.1.1.6-8.git.64.80b61da.el7aos.x86_64.rpm
atomic-openshift-master-3.1.1.6-8.git.64.80b61da.el7aos.x86_64.rpm
atomic-openshift-node-3.1.1.6-8.git.64.80b61da.el7aos.x86_64.rpm
atomic-openshift-pod-3.1.1.6-8.git.64.80b61da.el7aos.x86_64.rpm
atomic-openshift-recycle-3.1.1.6-8.git.64.80b61da.el7aos.x86_64.rpm
atomic-openshift-sdn-ovs-3.1.1.6-8.git.64.80b61da.el7aos.x86_64.rpm
tuned-profiles-atomic-openshift-node-3.1.1.6-8.git.64.80b61da.el7aos.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2016-3703
https://access.redhat.com/security/updates/classification/#moderate
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2016 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFXPkigXlSAg2UNWIIRAhFEAJ4qTXT3KjhykUCw862jtc30PaJKLwCeK/+Y
SKLTdLV3ELGncfFP8s+oaMg=
=ZMQp
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBVz5lpX6ZAP0PgtI9AQKwJRAAvTRb8w4vYEm3MjQzcnQmmGOxd3PTsIHr
8WnJesJMMmqH+nkIH/zmm456TcSuxeb3dIQZ+l620hTawAEIJ/25STLypB+K6JUN
RMxhSdZysoQjJ0zDRSdPg5L/N3S+ogS5Nxd3R1PsTenSDdMeHeJBcVR4sy26QL0x
0nx2HPwqUMJUixowul/VPVYlDu9ssBgVIzRBl7YlterwX6MVyYHo5huofnybpmcI
f/VwGZZDo+8YFsT/5BrRcu9WXfKY9o28ctAvL3UeqrKr5fZC9kfUyN/XE2Vz5oER
Jtc6uBpboOQI++fuMYqQAlr3WLzLKKLD2G4/Ll41dI++jUW+Tpe1kUcwJFSswL3G
aLY+Yqocc5c0QrUaxrhtZV13hwwZre+f8gmT7hzro2MdoVQxnKmDQKJroI6Z/DeA
88JvTiYV5CRuBhRqR4o+X3fbJV69JqJsG1Pe256KVF76A9UhsOfzPjaIG9NI9cFg
ATlS0V+zrjEOff1KQ3+Oi2C42wB2EV87QDTerDwXNVcfAHw3Eee98GuaE8nC1kDZ
t25KK/MEkAAIyqYCShZWaJ8Y9+zbELSTqxDPIdoehIEmAmv16heC8NJFLipRUMCz
9opbx5uzOkCkkNHoOEMvT8s45IgD0sDew/Rox/zQGCCl3qW+CE21wZqPo5GQZkYS
72lfZBheTrk=
=jFJi
-----END PGP SIGNATURE-----