-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.4639
OpenShift Container Platform 4.2 openshift-external-storage security update
                             12 December 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           OpenShift
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Increased Privileges            -- Remote/Unauthenticated      
                   Execute Arbitrary Code/Commands -- Existing Account            
                   Access Privileged Data          -- Remote with User Interaction
                   Cross-site Scripting            -- Remote with User Interaction
                   Provide Misleading Information  -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-18838 CVE-2019-18802 CVE-2019-18801
                   CVE-2019-14854 CVE-2019-14845 CVE-2019-11255
                   CVE-2019-10432 CVE-2019-10431 

Reference:         ESB-2019.4557
                   ESB-2019.4551
                   ESB-2019.3694

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2019:4096
   https://access.redhat.com/errata/RHSA-2019:4097
   https://access.redhat.com/errata/RHSA-2019:4098
   https://access.redhat.com/errata/RHSA-2019:4099
   https://access.redhat.com/errata/RHSA-2019:4101
   https://access.redhat.com/errata/RHSA-2019:4222

Comment: This bulletin contains six (6) Red Hat security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: OpenShift Container Platform 4.2 openshift-external-storage security update
Advisory ID:       RHSA-2019:4096-01
Product:           Red Hat OpenShift Enterprise
Advisory URL:      https://access.redhat.com/errata/RHSA-2019:4096
Issue date:        2019-12-11
CVE Names:         CVE-2019-11255 
=====================================================================

1. Summary:

An update for openshift-external-storage is now available for Red Hat
OpenShift Container Platform 4.2.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenShift Container Platform 4.2 - s390x, x86_64

3. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.

Security Fix(es):

* kubernetes-csi: CSI volume snapshot, cloning and resizing features can
result in unauthorized volume data access or mutation (CVE-2019-11255)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For OpenShift Container Platform 4.2 see the following documentation, which
will be updated shortly for release 4.2.10, for important instructions on
how to upgrade your cluster and fully apply this asynchronous errata
update:

https://docs.openshift.com/container-platform/4.2/release_notes/ocp-4-2-release-notes.html

Details on how to access this content are available at
https://docs.openshift.com/container-platform/4.2/updating/updating-cluster-cli.html.

5. Bugs fixed (https://bugzilla.redhat.com/):

1772727 - CVE-2019-11255 kubernetes-csi: CSI volume snapshot, cloning and resizing features can result in unauthorized volume data access or mutation

6. Package List:

Red Hat OpenShift Container Platform 4.2:

Source:
openshift-external-storage-0.0.2-11.gitd3c94f0.el7.src.rpm

s390x:
openshift-external-storage-cephfs-provisioner-0.0.2-11.gitd3c94f0.el7.s390x.rpm
openshift-external-storage-debuginfo-0.0.2-11.gitd3c94f0.el7.s390x.rpm
openshift-external-storage-efs-provisioner-0.0.2-11.gitd3c94f0.el7.s390x.rpm
openshift-external-storage-local-provisioner-0.0.2-11.gitd3c94f0.el7.s390x.rpm
openshift-external-storage-manila-provisioner-0.0.2-11.gitd3c94f0.el7.s390x.rpm
openshift-external-storage-snapshot-controller-0.0.2-11.gitd3c94f0.el7.s390x.rpm
openshift-external-storage-snapshot-provisioner-0.0.2-11.gitd3c94f0.el7.s390x.rpm

x86_64:
openshift-external-storage-cephfs-provisioner-0.0.2-11.gitd3c94f0.el7.x86_64.rpm
openshift-external-storage-debuginfo-0.0.2-11.gitd3c94f0.el7.x86_64.rpm
openshift-external-storage-efs-provisioner-0.0.2-11.gitd3c94f0.el7.x86_64.rpm
openshift-external-storage-local-provisioner-0.0.2-11.gitd3c94f0.el7.x86_64.rpm
openshift-external-storage-manila-provisioner-0.0.2-11.gitd3c94f0.el7.x86_64.rpm
openshift-external-storage-snapshot-controller-0.0.2-11.gitd3c94f0.el7.x86_64.rpm
openshift-external-storage-snapshot-provisioner-0.0.2-11.gitd3c94f0.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2019-11255
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2019 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

- -----END PGP SIGNATURE-----

- -------------------------------------------------------------------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: OpenShift Container Platform 4.2 jenkins-2-plugins security update
Advisory ID:       RHSA-2019:4097-01
Product:           Red Hat OpenShift Enterprise
Advisory URL:      https://access.redhat.com/errata/RHSA-2019:4097
Issue date:        2019-12-11
CVE Names:         CVE-2019-10431 CVE-2019-10432 
=====================================================================

1. Summary:

An update for jenkins-2-plugins is now available for Red Hat OpenShift
Container Platform 4.2.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenShift Container Platform 4.2 - noarch

3. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.

Security Fix(es):

* jenkins-script-security: Sandbox bypass vulnerability in Script Security
Plugin (CVE-2019-10431)

* jenkins-2-plugins: Stored XSS vulnerability in HTML Publisher Plugin
(CVE-2019-10432)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For OpenShift Container Platform 4.2 see the following documentation, which
will be updated shortly for release 4.2.10, for important instructions on
how to upgrade your cluster and fully apply this asynchronous errata
update:

https://docs.openshift.com/container-platform/4.2/release_notes/ocp-4-2-release-notes.html

Details on how to access this content are available at
https://docs.openshift.com/container-platform/4.2/updating/updating-cluster-cli.html.

5. Bugs fixed (https://bugzilla.redhat.com/):

1764387 - CVE-2019-10432 jenkins-2-plugins: Stored XSS vulnerability in HTML Publisher Plugin
1764390 - CVE-2019-10431 jenkins-script-security: Sandbox bypass vulnerability in Script Security Plugin

6. Package List:

Red Hat OpenShift Container Platform 4.2:

Source:
jenkins-2-plugins-4.2.1574873592-1.el7.src.rpm

noarch:
jenkins-2-plugins-4.2.1574873592-1.el7.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2019-10431
https://access.redhat.com/security/cve/CVE-2019-10432
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2019 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

- -----END PGP SIGNATURE-----

- -------------------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: OpenShift Container Platform 4.2 ose-cluster-kube-controller-manager-operator-container security update
Advisory ID:       RHSA-2019:4098-01
Product:           Red Hat OpenShift Enterprise
Advisory URL:      https://access.redhat.com/errata/RHSA-2019:4098
Issue date:        2019-12-11
CVE Names:         CVE-2019-14854 
=====================================================================

1. Summary:

An update for ose-cluster-kube-controller-manager-operator-container is now
available for Red Hat OpenShift Container Platform 4.2.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.

Security Fix(es):

* library-go: Secret data written to static pod logs when operator set at
Debug level or higher (CVE-2019-14854)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

For OpenShift Container Platform 4.2 see the following documentation, which
will be updated shortly for release 4.2.10, for important instructions on
how to upgrade your cluster and fully apply this asynchronous errata
update:

https://docs.openshift.com/container-platform/4.2/release_notes/ocp-4-2-release-notes.html

Details on how to access this content are available at
https://docs.openshift.com/container-platform/4.2/updating/updating-cluster-cli.html.

4. Bugs fixed (https://bugzilla.redhat.com/):

1758953 - CVE-2019-14854 library-go: Secret data written to static pod logs when operator set at Debug level or higher

5. References:

https://access.redhat.com/security/cve/CVE-2019-14854
https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2019 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
- -----END PGP SIGNATURE-----

- -------------------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: OpenShift Container Platform 4.2 csi-provisioner-container security update
Advisory ID:       RHSA-2019:4099-01
Product:           Red Hat OpenShift Enterprise
Advisory URL:      https://access.redhat.com/errata/RHSA-2019:4099
Issue date:        2019-12-11
CVE Names:         CVE-2019-11255 
=====================================================================

1. Summary:

An update for csi-provisioner-container is now available for Red Hat
OpenShift Container Platform 4.2.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.

Security Fix(es):

* kubernetes-csi: CSI volume snapshot, cloning and resizing features can
result in unauthorized volume data access or mutation (CVE-2019-11255)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

For OpenShift Container Platform 4.2 see the following documentation, which
will be updated shortly for release 4.2.10, for important instructions on
how to upgrade your cluster and fully apply this asynchronous errata
update:

https://docs.openshift.com/container-platform/4.2/release_notes/ocp-4-2-release-notes.html

Details on how to access this content are available at
https://docs.openshift.com/container-platform/4.2/updating/updating-cluster-cli.html.

4. Bugs fixed (https://bugzilla.redhat.com/):

1772727 - CVE-2019-11255 kubernetes-csi: CSI volume snapshot, cloning and resizing features can result in unauthorized volume data access or mutation

5. References:

https://access.redhat.com/security/cve/CVE-2019-11255
https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2019 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
- -----END PGP SIGNATURE-----

- -------------------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: OpenShift Container Platform 4.2 openshift-enterprise-builder-container security update
Advisory ID:       RHSA-2019:4101-01
Product:           Red Hat OpenShift Enterprise
Advisory URL:      https://access.redhat.com/errata/RHSA-2019:4101
Issue date:        2019-12-11
CVE Names:         CVE-2019-14845 
=====================================================================

1. Summary:

An update for openshift-enterprise-builder-container is now available for
Red Hat OpenShift Container Platform 4.2.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.

Security Fix(es):

* openshift: Container image TLS verification bypass (CVE-2019-14845)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

For OpenShift Container Platform 4.2 see the following documentation, which
will be updated shortly for release 4.2.10, for important instructions on
how to upgrade your cluster and fully apply this asynchronous errata
update:

https://docs.openshift.com/container-platform/4.2/release_notes/ocp-4-2-release-notes.html

Details on how to access this content are available at
https://docs.openshift.com/container-platform/4.2/updating/updating-cluster-cli.html.

4. Bugs fixed (https://bugzilla.redhat.com/):

1754662 - CVE-2019-14845 openshift: Container image TLS verification bypass

5. References:

https://access.redhat.com/security/cve/CVE-2019-14845
https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2019 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
- -----END PGP SIGNATURE-----

- -------------------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: Red Hat OpenShift Service Mesh 1.0.3 RPMs security update
Advisory ID:       RHSA-2019:4222-01
Product:           Red Hat OpenShift Service Mesh
Advisory URL:      https://access.redhat.com/errata/RHSA-2019:4222
Issue date:        2019-12-11
CVE Names:         CVE-2019-18801 CVE-2019-18802 CVE-2019-18838 
=====================================================================

1. Summary:

Red Hat OpenShift Service Mesh 1.0.3.

Red Hat Product Security has rated this update as having a security impact
of Critical. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

OpenShift Service Mesh 1.0 - x86_64
Red Hat OpenShift Service Mesh 1.0 - x86_64

3. Description:

Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio
service mesh project, tailored for installation into an on-premise
OpenShift Container Platform installation.

This advisory covers the RPM packages for the OpenShift Service Mesh 1.0.3
release.

Security Fix(es):

* An untrusted remote client may send HTTP/2 requests that write to the
heap outside of the request buffers when the upstream is HTTP/1
(CVE-2019-18801)

* Malformed request header may cause bypass of route matchers resulting in
escalation of privileges or information disclosure (CVE-2019-18802)

* Malformed HTTP request without the Host header may cause abnormal
termination of the Envoy process (CVE-2019-18838)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

The OpenShift Service Mesh release notes provide information on the
features and known issues:

https://docs.openshift.com/container-platform/4.2/service_mesh/servicemesh-release-notes.html

5. Bugs fixed (https://bugzilla.redhat.com/):

1773444 - CVE-2019-18801 envoy: an untrusted remote client may send HTTP/2 requests that write to the heap outside of the request buffers when the upstream is HTTP/1
1773447 - CVE-2019-18802 envoy: malformed request header may cause bypass of route matchers resulting in escalation of privileges or information disclosure
1773449 - CVE-2019-18838 envoy: malformed HTTP request without the Host header may cause abnormal termination of the Envoy process

6. Package List:

Red Hat OpenShift Service Mesh 1.0:

Source:
kiali-v1.0.8.redhat1-1.el7.src.rpm

x86_64:
kiali-v1.0.8.redhat1-1.el7.x86_64.rpm

OpenShift Service Mesh 1.0:

Source:
servicemesh-1.0.3-1.el8.src.rpm
servicemesh-cni-1.0.3-1.el8.src.rpm
servicemesh-grafana-6.2.2-25.el8.src.rpm
servicemesh-operator-1.0.3-1.el8.src.rpm
servicemesh-prometheus-2.7.2-26.el8.src.rpm
servicemesh-proxy-1.0.3-1.el8.src.rpm

x86_64:
servicemesh-1.0.3-1.el8.x86_64.rpm
servicemesh-citadel-1.0.3-1.el8.x86_64.rpm
servicemesh-cni-1.0.3-1.el8.x86_64.rpm
servicemesh-galley-1.0.3-1.el8.x86_64.rpm
servicemesh-grafana-6.2.2-25.el8.x86_64.rpm
servicemesh-grafana-prometheus-6.2.2-25.el8.x86_64.rpm
servicemesh-istioctl-1.0.3-1.el8.x86_64.rpm
servicemesh-mixc-1.0.3-1.el8.x86_64.rpm
servicemesh-mixs-1.0.3-1.el8.x86_64.rpm
servicemesh-operator-1.0.3-1.el8.x86_64.rpm
servicemesh-pilot-agent-1.0.3-1.el8.x86_64.rpm
servicemesh-pilot-discovery-1.0.3-1.el8.x86_64.rpm
servicemesh-prometheus-2.7.2-26.el8.x86_64.rpm
servicemesh-proxy-1.0.3-1.el8.x86_64.rpm
servicemesh-sidecar-injector-1.0.3-1.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2019-18801
https://access.redhat.com/security/cve/CVE-2019-18802
https://access.redhat.com/security/cve/CVE-2019-18838
https://access.redhat.com/security/updates/classification/#critical

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2019 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
- -----END PGP SIGNATURE-----

- --
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----