Published:
19 October 2018
Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2018.3182
Important: Red Hat OpenShift Application Runtimes Spring Boot 1.5.16 update
19 October 2018
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Red Hat OpenShift Application Runtimes
Publisher: Red Hat
Impact/Access: Denial of Service -- Remote/Unauthenticated
Reduced Security -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2018-12544 CVE-2018-12541 CVE-2018-1336
Reference: ESB-2018.3165
ESB-2018.3132
ESB-2018.3129
ESB-2018.2879
Original Bulletin:
https://access.redhat.com/errata/RHSA-2018:2945
https://access.redhat.com/errata/RHSA-2018:2946
Comment: This bulletin contains two (2) Red Hat security advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Important: Red Hat OpenShift Application Runtimes Spring Boot 1.5.16 update
Advisory ID: RHSA-2018:2945-01
Product: Red Hat OpenShift Application Runtimes
Advisory URL: https://access.redhat.com/errata/RHSA-2018:2945
Issue date: 2018-10-18
CVE Names: CVE-2018-1336
=====================================================================
1. Summary:
An update is now available for Red Hat OpenShift Application Runtimes.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Description:
Red Hat Openshift Application Runtimes provides an application platform
that reduces the complexity of developing and operating applications
(monoliths and microservices) for OpenShift as a containerized platform.
This release of RHOAR Spring Boot 1.5.16 serves as a replacement for RHOAR
Spring Boot 1.5.15, and includes bug fixes and enhancements. For further
information, refer to the Release Notes linked to in the References
section.
Security Fix(es):
* tomcat: A bug in the UTF-8 decoder can lead to DoS (CVE-2018-1336)
For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.
3. Solution:
Before applying the update, back up your existing installation, including
all applications, configuration files, databases and database settings, and
so on.
The References section of this erratum contains a download link (you must
log in to download the update).
4. Bugs fixed (https://bugzilla.redhat.com/):
1607591 - CVE-2018-1336 tomcat: A bug in the UTF-8 decoder can lead to DoS
5. JIRA issues fixed (https://issues.jboss.org/):
SB-949 - Release SB 1.5.16 BOM.
6. References:
https://access.redhat.com/security/cve/CVE-2018-1336
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=catRhoar.spring.boot&downloadType=distributions&version=1.5.16
https://access.redhat.com/documentation/en-us/red_hat_openshift_application_runtimes/1/html-single/red_hat_openshift_application_runtimes_release_notes/
7. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2018 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBW8gzONzjgjWX9erEAQjpJQ/+M7MRRywhsxAsiFRwze2WZ79lsd/zoR0g
knxFxrO9AoP51THIxRfMgNyKkr/0MT3GDpQR+ZStQfqmZj/HszYN0ByxgQPa4dlq
cTy6tV8LWn/Bu6mMB4k8Rmk819qIAjh9dd3NVAmaridHIHlHvyA6zymo9cPpzYvh
jO1uqO+oWKoNloEm4zPgtmsYqjCNY91GS2m3cHQ4B78igOUlDclKztg1SBs5P8r0
Sjw6MEh1DANf+sA/s+XCm0yumCWORERJ4NFb6dAjxdooazVmmtMzURzT18XWcfY6
P+fA/Q8ylmsRkAW4Ecuo+Flm8Ns5qVSrFXDqlTg5cRdpzEQqoc0pRnS1D5FXs7U3
NI9WmbUffPtlCtFT26S/VH0M96GJrXrCTLRJssXcPhCc1Tw61WJX9BP/zuz0tLQA
0ov3zX/dUdRiOWmz4BKSq4y9/Wh7ldIgKsQv3+r30OABOsi6UaqPAI6InPixLai6
+hqIv7kNKPVq/EveKsrb98ScdjkqRwulVgu8Rwj4o3JvTuCnoXmZKjsK8XazzsrF
91KEZBKSgltmdoYiC9wKauFBI8RayF97tULVJHD9CwJhdBwAXUH47tMCxPJ9Kweu
wvzIz26KFKb4XOF8Xjm1L51Hxge91F+AoEPoG0WNiIv3yzEWqn/G9XDYftQyLoYN
b0xGZi+VJdM=
=EGyS
- -----END PGP SIGNATURE-----
=============================================================================
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: Red Hat OpenShift Application Runtimes security and bug fix update
Advisory ID: RHSA-2018:2946-01
Product: Red Hat OpenShift Application Runtimes
Advisory URL: https://access.redhat.com/errata/RHSA-2018:2946
Issue date: 2018-10-18
CVE Names: CVE-2018-12541 CVE-2018-12544
=====================================================================
1. Summary:
An update is now available for Red Hat OpenShift Application Runtimes.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Description:
Red Hat Openshift Application Runtimes provides an application platform
that reduces the complexity of developing and operating applications
(monoliths and microservices) for OpenShift as a containerized platform.
The RHOAR Eclipse Vert.x 3.5.4 release serves as a replacement for RHOAR
Eclipse Vert.x 3.5.3, and includes bug fixes and enhancements. For a
detailed list of issues resolved in the community Eclipse Vert.x 3.5.4
release, see the release notes in the References section.
Security Fix(es):
* vertx: WebSocket HTTP upgrade implementation holds the entire http
request in memory before the handshake (CVE-2018-12541)
* vertx: API Validation XML Schemas do not forbid file system access
(CVE-2018-12544)
For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.
3. Solution:
Before applying the update, back up your existing installation, including
all applications, configuration files, databases and database settings, and
so on.
The References section of this erratum contains a download link (you must
log in to download the update).
4. Bugs fixed (https://bugzilla.redhat.com/):
1638384 - CVE-2018-12544 vertx: API Validation XML Schemas do not forbid file system access
1638391 - CVE-2018-12541 vertx: WebSocket HTTP upgrade implementation holds the entire http request in memory before the handshake
5. References:
https://access.redhat.com/security/cve/CVE-2018-12541
https://access.redhat.com/security/cve/CVE-2018-12544
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=catRhoar.eclipse.vertx&version=3.5.4
https://access.redhat.com/documentation/en-us/red_hat_openshift_application_runtimes/1/html-single/red_hat_openshift_application_runtimes_release_notes/
6. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2018 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBW8hBEdzjgjWX9erEAQhNcQ//a/tt5l+KtEyXiwNxH9XSiiSz1wm4x7Dx
yxtns9x/EFyB622O0ITgZU3RvUXpAQMXjPL8oAaF3EthN81liU8Grs+ut9xss2Hx
CzSyy2ezW1JaeX59N2YI0MZj0Z/QlEOKdioMj+5HW/P6X0vj6Ljbk3LOv3+3WNBI
sY1+7bOjcL/2k4M9TfoP7kMNXZNKjL0Bh8FPRyMlCueDrTH+zeUo56nQZcS8qkKe
8NczngScvWIWFKNapsblvXSbExnB0VLq3BkXKI6WXTwTfPtkWnubND5sexgxSaIB
lUlqb09sH0IAyibMjAh4meQ7R6SPRaVv/8i3vp/s86hszumTfMa/WT1oKXA4y5XT
STS+CGt8ESvzkcw1YCLpFQZdHFq4/XTB3lELTc/UxL0Iri/Rdjv2jg6mMeLFYzx/
Jp//Ohoy9ds7/WLkii4V+hY4FWSgnbyy+Ok8Y6M2d26s47HOWQdT3hitKa3htqA6
yopuxY1enGzBeD12d+3RhZZgVeiSYAcZXF8d0WZ/O6WDJLjMNwE7FIR1msb2Rl6m
mTT1G3yHdIXqgymCtDia9qj6NFRqfEcWtNBnuoDy+QXTi8BuMn9XX96jWu8ZJihR
aIje3/WTFGP5dxBepbehPwa9vvC/Bsc5DDtxBI9MDir3TufpNuM4WNqjj1wvqsSN
0rUUxSaEWVQ=
=BElT
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBW8kynGaOgq3Tt24GAQgDqxAA2IEbjadx73p8R6JF8QOOhSTs0mSE6VIy
VE779aBJGc5lFtQHgpXvXWo765/fIoUqZrwcBQqfj+P+YHOBHf0HTS2DzHzwFb+t
NhxvgWCCu8stTfmVD9FOVpGXVb2Bn4teCuuORdIDpK+25b1EtkAN+oZKvLEHM/Kl
MmIMbAazyFIUstxlMdOe/1g7e+guZXkfXb+Q7UMuF+Uk3FvjH5NQCKigxH/NLj08
Llbl0N1GmrQxqpX8v7R8Rv3a7Zl9bx2NQThXY7R3cdGpzZJM7g4NgxDYCh2fBCW2
O49BWLhLkbahUMRI+ecFzBdn9tXBFjGgAzySsGQnbnJ/rDUslzFSi51j8ip/lp9I
ojVN8H3/JrRFKpuqctuTN7MWkDWt1RSUhv9eVWrr+qR66MPLFyRj/VroDr/CMgNn
4ykk+TpMoWVf1WeF9uH1S7UFuo5OCKdyiIWuemp857RwGtigUFIwRwMAgPVxdG2N
a6p1iDsPQ7hwSQKTTUmz2o3WFegPV/4/Rpy9p/aZckaAzQLxjiK+rPsI22vRk8t2
sPwmB/nykVQLgSXA83d74ElU3RGaY0NV2xJIxZojh/Ft7SY895VEMtwFh8NlPY+9
PvB4HJHmCKcf4mVFmkyitNv9N4ybnroDWG8/Wt4ZFV0vaJ4hATXoHQ69AYnvCztT
MbbWVEHfT9g=
=G+zd
-----END PGP SIGNATURE-----