-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.4639
  OpenShift Container Platform 4.2 openshift-external-storage security update
                              12 December 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           OpenShift
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Increased Privileges            -- Remote/Unauthenticated
                   Execute Arbitrary Code/Commands -- Existing Account
                   Access Privileged Data          -- Remote with User Interaction
                   Cross-site Scripting            -- Remote with User Interaction
                   Provide Misleading Information  -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-18838 CVE-2019-18802 CVE-2019-18801 CVE-2019-14854
                   CVE-2019-14845 CVE-2019-11255 CVE-2019-10432 CVE-2019-10431
Reference:         ESB-2019.4557
                   ESB-2019.4551
                   ESB-2019.3694

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2019:4096
   https://access.redhat.com/errata/RHSA-2019:4097
   https://access.redhat.com/errata/RHSA-2019:4098
   https://access.redhat.com/errata/RHSA-2019:4099
   https://access.redhat.com/errata/RHSA-2019:4101
   https://access.redhat.com/errata/RHSA-2019:4222

Comment: This bulletin contains six (6) Red Hat security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: OpenShift Container Platform 4.2
                   openshift-external-storage security update
Advisory ID:       RHSA-2019:4096-01
Product:           Red Hat OpenShift Enterprise
Advisory URL:      https://access.redhat.com/errata/RHSA-2019:4096
Issue date:        2019-12-11
CVE Names:         CVE-2019-11255
=====================================================================

1. Summary:

An update for openshift-external-storage is now available for Red Hat
OpenShift Container Platform 4.2.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenShift Container Platform 4.2 - s390x, x86_64

3. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes
application platform solution designed for on-premise or private cloud
deployments.

Security Fix(es):

* kubernetes-csi: CSI volume snapshot, cloning and resizing features can
result in unauthorized volume data access or mutation (CVE-2019-11255)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For OpenShift Container Platform 4.2 see the following documentation, which
will be updated shortly for release 4.2.10, for important instructions on
how to upgrade your cluster and fully apply this asynchronous errata update:

https://docs.openshift.com/container-platform/4.2/release_notes/ocp-4-2-release-notes.html

Details on how to access this content are available at
https://docs.openshift.com/container-platform/4.2/updating/updating-cluster-cli.html.

5. Bugs fixed (https://bugzilla.redhat.com/):

1772727 - CVE-2019-11255 kubernetes-csi: CSI volume snapshot, cloning and resizing features can result in unauthorized volume data access or mutation

6.
Package List:

Red Hat OpenShift Container Platform 4.2:

Source:
openshift-external-storage-0.0.2-11.gitd3c94f0.el7.src.rpm

s390x:
openshift-external-storage-cephfs-provisioner-0.0.2-11.gitd3c94f0.el7.s390x.rpm
openshift-external-storage-debuginfo-0.0.2-11.gitd3c94f0.el7.s390x.rpm
openshift-external-storage-efs-provisioner-0.0.2-11.gitd3c94f0.el7.s390x.rpm
openshift-external-storage-local-provisioner-0.0.2-11.gitd3c94f0.el7.s390x.rpm
openshift-external-storage-manila-provisioner-0.0.2-11.gitd3c94f0.el7.s390x.rpm
openshift-external-storage-snapshot-controller-0.0.2-11.gitd3c94f0.el7.s390x.rpm
openshift-external-storage-snapshot-provisioner-0.0.2-11.gitd3c94f0.el7.s390x.rpm

x86_64:
openshift-external-storage-cephfs-provisioner-0.0.2-11.gitd3c94f0.el7.x86_64.rpm
openshift-external-storage-debuginfo-0.0.2-11.gitd3c94f0.el7.x86_64.rpm
openshift-external-storage-efs-provisioner-0.0.2-11.gitd3c94f0.el7.x86_64.rpm
openshift-external-storage-local-provisioner-0.0.2-11.gitd3c94f0.el7.x86_64.rpm
openshift-external-storage-manila-provisioner-0.0.2-11.gitd3c94f0.el7.x86_64.rpm
openshift-external-storage-snapshot-controller-0.0.2-11.gitd3c94f0.el7.x86_64.rpm
openshift-external-storage-snapshot-provisioner-0.0.2-11.gitd3c94f0.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2019-11255
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2019 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXfCrZ9zjgjWX9erEAQjnQRAAoGJUmJ3auLLagmHiaC/6af1PsKSedS6T
bMRNZsrTyL1FO+99zAMnXuMoqTAQO4+qrCe52aG6Wc7iUTr+aOK1IFuR0lzNe7Pt
h3VZV6rRNYFiI3CHMs1FwUy4btm2Hu4Jkpgv4odbrd1Vx8P7oB+snEQ4jPXmpLla
qaI/5MetRB6zHjKz82TkS04/+/fczKA+NQkR8nY7FFTV+bgZ9L4WhaDq604SdH6y
vUDD4YfGuLinKIToZyTS4I2iga6lZ207wWZ8qn6itGJ0m+j6SAiwY/9SIZZBNYft
Mym9Pwpo0b0wGCRBhUlWtlXSl7HB7ODUQ2vqrWz61b4gt98Z1ZryLnqA4nz1Wqz7
Y0oLHaMECgMY3lInE9Uob7ChMe9EKpv/ZDzpCLB3QJX8aWhBQ12Fb2F3co2YWOfo
7PW4lBX6ke5nWQJ51iHHZQlJgxfuitLUvbM7D/Y+Gl/5PM8VC6lU7h+QauiywvKR
qsYBUWlRjR0/1Lfe9RLBzSPc9qH2jULAwoe4/w0RyHu2oTAAK64QgLJITQHRYeCp
iW5kOE1zP7I/skI8y8ZCGI4nN4PEIrBB0N13Fbr4BbpyhTHidA2EbtqpRwy1PJlm
SW8Mx7F/BKVyiSXKM06wB+h+Cvp3IK4/EWIJ2O0Aj3ygVI1sLmGkI4l3owVh2DKq
mb/Da3DaTh4=
=37Ps
- -----END PGP SIGNATURE-----

- -------------------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: OpenShift Container Platform 4.2
                   jenkins-2-plugins security update
Advisory ID:       RHSA-2019:4097-01
Product:           Red Hat OpenShift Enterprise
Advisory URL:      https://access.redhat.com/errata/RHSA-2019:4097
Issue date:        2019-12-11
CVE Names:         CVE-2019-10431 CVE-2019-10432
=====================================================================

1. Summary:

An update for jenkins-2-plugins is now available for Red Hat OpenShift
Container Platform 4.2.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenShift Container Platform 4.2 - noarch

3.
Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes
application platform solution designed for on-premise or private cloud
deployments.

Security Fix(es):

* jenkins-script-security: Sandbox bypass vulnerability in Script Security
Plugin (CVE-2019-10431)

* jenkins-2-plugins: Stored XSS vulnerability in HTML Publisher Plugin
(CVE-2019-10432)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For OpenShift Container Platform 4.2 see the following documentation, which
will be updated shortly for release 4.2.10, for important instructions on
how to upgrade your cluster and fully apply this asynchronous errata update:

https://docs.openshift.com/container-platform/4.2/release_notes/ocp-4-2-release-notes.html

Details on how to access this content are available at
https://docs.openshift.com/container-platform/4.2/updating/updating-cluster-cli.html.

5. Bugs fixed (https://bugzilla.redhat.com/):

1764387 - CVE-2019-10432 jenkins-2-plugins: Stored XSS vulnerability in HTML Publisher Plugin
1764390 - CVE-2019-10431 jenkins-script-security: Sandbox bypass vulnerability in Script Security Plugin

6. Package List:

Red Hat OpenShift Container Platform 4.2:

Source:
jenkins-2-plugins-4.2.1574873592-1.el7.src.rpm

noarch:
jenkins-2-plugins-4.2.1574873592-1.el7.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2019-10431
https://access.redhat.com/security/cve/CVE-2019-10432
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2019 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXfCq79zjgjWX9erEAQhMkRAAgOb5w3KFOUu3ITwwVXbhSe8VgkXB1o2e
iZtMe8aDGzzTeYfnScwD4qmjWj+4fz+6hxXaFn/YeqCDW8OHxvxeYYdrn0Ri56z6
oAJb9u62kh995we4i3k8CbyqhjuXo7NyZzRMAmPOgOLiqBTYtiP1xzgkXMZDFci8
FA9rpfZCED2RA2A6LYR9X5uBcBQAyb28VF3Xvrkk3OQZ+Qc3NGXvk1LUo0TfpAGj
HvKBFNdnCqSz/mge+4SAH7wYzPX7ggJbZD60C3lPNHfGroOVp3b44IGM7zH7Be+C
4WT0/iB9ZQM24vuLylQaYpbXdC7vNS7Wuxzy8Bl1m5M0EuPkHIa2OPkEB8DV8ACL
BckD2eYsdThyhZU/NeAz/JIER1Ob/m526xMzHTjchmx0N+tzD5G0Iv9RF0MVFv+w
yNdpVH1IqGy2nmlIVB8oFDrceRMo6B0NVLe6HcrgsJwDRVr7mepm+9U8T9DJMQNr
lFIQ/pOZwOAdpTTQWVzFA3gBRfZUKJUr3klvK4zRA0viKlzSBMyr4BvGvqEgeJr8
I78SEA1CrD8LxRw3/2UYtbXGVUDwFpQH29fyJU/d1RJxxYDnMHcyYIAp+TWIQFBB
P6rNrJlcLIQBrWsEh9vdph9a9SkSOPCsO64mMAiNhdqux2F0ZZMd34SbtVdLVMi3
sNdQXRwbWSc=
=WDWY
- -----END PGP SIGNATURE-----

- -------------------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: OpenShift Container Platform 4.2
                   ose-cluster-kube-controller-manager-operator-container
                   security update
Advisory ID:       RHSA-2019:4098-01
Product:           Red Hat OpenShift Enterprise
Advisory URL:      https://access.redhat.com/errata/RHSA-2019:4098
Issue date:        2019-12-11
CVE Names:         CVE-2019-14854
=====================================================================

1. Summary:

An update for ose-cluster-kube-controller-manager-operator-container is now
available for Red Hat OpenShift Container Platform 4.2.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2.
Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes
application platform solution designed for on-premise or private cloud
deployments.

Security Fix(es):

* library-go: Secret data written to static pod logs when operator set at
Debug level or higher (CVE-2019-14854)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

For OpenShift Container Platform 4.2 see the following documentation, which
will be updated shortly for release 4.2.10, for important instructions on
how to upgrade your cluster and fully apply this asynchronous errata update:

https://docs.openshift.com/container-platform/4.2/release_notes/ocp-4-2-release-notes.html

Details on how to access this content are available at
https://docs.openshift.com/container-platform/4.2/updating/updating-cluster-cli.html.

4. Bugs fixed (https://bugzilla.redhat.com/):

1758953 - CVE-2019-14854 library-go: Secret data written to static pod logs when operator set at Debug level or higher

5. References:

https://access.redhat.com/security/cve/CVE-2019-14854
https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2019 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXfCnqNzjgjWX9erEAQi1thAAo5mmb+As/5c+KxNAR6s1TVH8tgFXS/cY
uEv/EZeie+WdZRLtcGkn/bKfOUAvSvko02VfHrRfbkT1Oz0HqZ/VWqexnLDtfpfm
sTNXUpJyyxngCl2aXYpnkhRUo+dDUjXpfaUDxmrNr2i5Ztj71CdEAm3sTlWp1Mf1
NldUR46klFnqjUj0JCLafw63B29A9VoZqGFDyMFZY1yZdTPq8GPWQcSgxmLHryLr
7AW1Nlkc+xDI9ZCh0MF6LFZ7O6o0QeaRs2MQ33JJDkxlWWZwH1X6PK3tOzCPlqTK
RiK27+gTOUHBo9MTtkctk9s9llVy700R3TLiTnMqkBM0OPWcd/3BDvz0ZbtM5v4/
jYMNDqCFgNJ49K4eo0hlJlv9RX2SgAx7eFAIqj9tFVKvHolBF9t7Jk66A5GHEUIL
th05BHEg/9Fgm2x6Lo0OgPA0ySoA4qz7nSQ6jBuS4mqsljgcXMCzpRQ5Yw5E+6yw
hhkOiy9AawIhWzv+lZl4jaSlRomLlzMNY02ho2kcE2n8i4tTYl5/m6c/ZK/DvwB/
te3Jburia3M7kr4d8wSQ6ruF/7tskD9dUHK1hCZevJRmNs79z+pZGwE1wCLrMB2Q
/EoVAdwOEBoGtZ8cD+s+adxpZKbmMbhVhZyUmMIwMMRgV7arSIlNtIxDh8kQWRWj
wclgC4lKEQM=
=Ze6m
- -----END PGP SIGNATURE-----

- -------------------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: OpenShift Container Platform 4.2
                   csi-provisioner-container security update
Advisory ID:       RHSA-2019:4099-01
Product:           Red Hat OpenShift Enterprise
Advisory URL:      https://access.redhat.com/errata/RHSA-2019:4099
Issue date:        2019-12-11
CVE Names:         CVE-2019-11255
=====================================================================

1. Summary:

An update for csi-provisioner-container is now available for Red Hat
OpenShift Container Platform 4.2.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes
application platform solution designed for on-premise or private cloud
deployments.
Security Fix(es):

* kubernetes-csi: CSI volume snapshot, cloning and resizing features can
result in unauthorized volume data access or mutation (CVE-2019-11255)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

For OpenShift Container Platform 4.2 see the following documentation, which
will be updated shortly for release 4.2.10, for important instructions on
how to upgrade your cluster and fully apply this asynchronous errata update:

https://docs.openshift.com/container-platform/4.2/release_notes/ocp-4-2-release-notes.html

Details on how to access this content are available at
https://docs.openshift.com/container-platform/4.2/updating/updating-cluster-cli.html.

4. Bugs fixed (https://bugzilla.redhat.com/):

1772727 - CVE-2019-11255 kubernetes-csi: CSI volume snapshot, cloning and resizing features can result in unauthorized volume data access or mutation

5. References:

https://access.redhat.com/security/cve/CVE-2019-11255
https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2019 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXfB2qtzjgjWX9erEAQj9JA//a7u0QYN1mKSnXxBbJa/6lire1kF2K0GJ
5Z4X31JSRsMRMoyUIXxBR9ZDCjiHi0hvuSRUvz24EVPXzx9DZYFJlGGObqu5MYho
guqk+s3qUCqo89P1sa+Uc4YxxEiyGAQaOUBVrxCATs7lCEZ6SoEFrfBHeQsDmbNs
pM155kvvqtxTLSJbvaxyUFVcnnmckWsyxnCW9Oxuzbu8Gn/LlB8c8G9bHG3+UiXt
4ZfQiRlFQa1BRLb6i+1dTDxfCjtRAUB3+eAdLyeoniQpdXpgvHUVDABkYMO6rnbm
dRhCeoxz4NyegRecAt3IkNMiozvQBNsA4gpXnahr3O6y7crsVb9NB2feAI5t5cCv
vjn1d0hBofoVamk/jVHUsQ0zzNm5jmSQGYs5FJ+G3nvgb9oJGLPlrFM3RSmc0rYa
GkzwmeDxVWykTMYoZNMVdibZMVcQchUVd1vkhgDEN65Ks7KkmAKkW0WcP1TlaVhc
H9gkrWJTZZdykNh4I4O/zhrmRzL0XAGzjWkyKp/fGhYekVSOEbWHRjyZWTou+v8k
x8ZZ3v7+2xJV0CrPoYtd8G/IXMKHOjtJuEIRSwGHFjdvX1pfjlu25gIfeGwwxdRc
R699RcOHSgBmrpjgA+q4Dt2iFQO3d7AE58BOKCBBCPR5Li4AohH1MZ8Y0ck53AY3
9/cfFanWyd4=
=RMwu
- -----END PGP SIGNATURE-----

- -------------------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: OpenShift Container Platform 4.2
                   openshift-enterprise-builder-container security update
Advisory ID:       RHSA-2019:4101-01
Product:           Red Hat OpenShift Enterprise
Advisory URL:      https://access.redhat.com/errata/RHSA-2019:4101
Issue date:        2019-12-11
CVE Names:         CVE-2019-14845
=====================================================================

1. Summary:

An update for openshift-enterprise-builder-container is now available for
Red Hat OpenShift Container Platform 4.2.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes
application platform solution designed for on-premise or private cloud
deployments.
Security Fix(es):

* openshift: Container image TLS verification bypass (CVE-2019-14845)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

For OpenShift Container Platform 4.2 see the following documentation, which
will be updated shortly for release 4.2.10, for important instructions on
how to upgrade your cluster and fully apply this asynchronous errata update:

https://docs.openshift.com/container-platform/4.2/release_notes/ocp-4-2-release-notes.html

Details on how to access this content are available at
https://docs.openshift.com/container-platform/4.2/updating/updating-cluster-cli.html.

4. Bugs fixed (https://bugzilla.redhat.com/):

1754662 - CVE-2019-14845 openshift: Container image TLS verification bypass

5. References:

https://access.redhat.com/security/cve/CVE-2019-14845
https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2019 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXfCpw9zjgjWX9erEAQhO8A/9HEoCeqM7YWVCq6qgm3UGTRAnJ2Q5mp3z
CGw2Uxapc9EdQ7UhSDiFN5DZeV+x2LN+TG2+/P03TE01gqQT6q/LEPLiKwhc+REH
GQWDV7/NNXWQm7yAJ5e3l6+quRHwjYecsiie2s+7Z4NNaqWgstSQ+cK/Dg+8Zjmk
NXSBBfYnmu5L1f7uR9vtK1JPYi5lJeNbW7/ti2sPPi01yXuDKnGBT25WSLpqfIo3
6Od4hVBur3Q5SjJeKCe9nV/CBZJXr99puFPbi3M2wGclW1zIfwyTzdoyci38Gg7/
Q/rPwuDEjcRPPXnUCzFMzaDfW9f6FqBwGjplKgdejCR6pY4VmBXS5/++opvkOVNe
AG9NBUAP3/jRfcbV7Rv4NQSCTkNto3/kAyz9G0/SbvcJNbCP6O32hh3GJA5KNE4E
A1bGJ/XcTKUg3uTjNxF110GzoggxIBfs6x2b1wyaeO0YrFBqpnQo/O868V3TRxY0
Ute7TjwR+WEbERzWnQb4J46AqZ4u88UkV3KNwkRan+ZqWyvHB2ItaPfNT1OWJRiH
zkb0FY/63BaYEJ/FFbJXAMLKGju3d8/QGPRArxXTeYXIQwbHnfEDAccyy/PPdZFd
tMt4hcpuOOZYm8gcntH/o+Hc9IDamk391jVr2J1Va5qz/wuKc6ynD5By01OBRfdN
D3/ClFpLhS8=
=cjvv
- -----END PGP SIGNATURE-----

- -------------------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: Red Hat OpenShift Service Mesh 1.0.3 RPMs
                   security update
Advisory ID:       RHSA-2019:4222-01
Product:           Red Hat OpenShift Service Mesh
Advisory URL:      https://access.redhat.com/errata/RHSA-2019:4222
Issue date:        2019-12-11
CVE Names:         CVE-2019-18801 CVE-2019-18802 CVE-2019-18838
=====================================================================

1. Summary:

Red Hat OpenShift Service Mesh 1.0.3.

Red Hat Product Security has rated this update as having a security impact
of Critical. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

OpenShift Service Mesh 1.0 - x86_64
Red Hat OpenShift Service Mesh 1.0 - x86_64

3.
Description:

Red Hat OpenShift Service Mesh is Red Hat's distribution of the Istio
service mesh project, tailored for installation into an on-premise OpenShift
Container Platform installation.

This advisory covers the RPM packages for the OpenShift Service Mesh 1.0.3
release.

Security Fix(es):

* An untrusted remote client may send HTTP/2 requests that write to the heap
outside of the request buffers when the upstream is HTTP/1 (CVE-2019-18801)

* Malformed request header may cause bypass of route matchers resulting in
escalation of privileges or information disclosure (CVE-2019-18802)

* Malformed HTTP request without the Host header may cause abnormal
termination of the Envoy process (CVE-2019-18838)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

The OpenShift Service Mesh release notes provide information on the features
and known issues:

https://docs.openshift.com/container-platform/4.2/service_mesh/servicemesh-release-notes.html

5. Bugs fixed (https://bugzilla.redhat.com/):

1773444 - CVE-2019-18801 envoy: an untrusted remote client may send HTTP/2 requests that write to the heap outside of the request buffers when the upstream is HTTP/1
1773447 - CVE-2019-18802 envoy: malformed request header may cause bypass of route matchers resulting in escalation of privileges or information disclosure
1773449 - CVE-2019-18838 envoy: malformed HTTP request without the Host header may cause abnormal termination of the Envoy process

6.
Package List:

Red Hat OpenShift Service Mesh 1.0:

Source:
kiali-v1.0.8.redhat1-1.el7.src.rpm

x86_64:
kiali-v1.0.8.redhat1-1.el7.x86_64.rpm

OpenShift Service Mesh 1.0:

Source:
servicemesh-1.0.3-1.el8.src.rpm
servicemesh-cni-1.0.3-1.el8.src.rpm
servicemesh-grafana-6.2.2-25.el8.src.rpm
servicemesh-operator-1.0.3-1.el8.src.rpm
servicemesh-prometheus-2.7.2-26.el8.src.rpm
servicemesh-proxy-1.0.3-1.el8.src.rpm

x86_64:
servicemesh-1.0.3-1.el8.x86_64.rpm
servicemesh-citadel-1.0.3-1.el8.x86_64.rpm
servicemesh-cni-1.0.3-1.el8.x86_64.rpm
servicemesh-galley-1.0.3-1.el8.x86_64.rpm
servicemesh-grafana-6.2.2-25.el8.x86_64.rpm
servicemesh-grafana-prometheus-6.2.2-25.el8.x86_64.rpm
servicemesh-istioctl-1.0.3-1.el8.x86_64.rpm
servicemesh-mixc-1.0.3-1.el8.x86_64.rpm
servicemesh-mixs-1.0.3-1.el8.x86_64.rpm
servicemesh-operator-1.0.3-1.el8.x86_64.rpm
servicemesh-pilot-agent-1.0.3-1.el8.x86_64.rpm
servicemesh-pilot-discovery-1.0.3-1.el8.x86_64.rpm
servicemesh-prometheus-2.7.2-26.el8.x86_64.rpm
servicemesh-proxy-1.0.3-1.el8.x86_64.rpm
servicemesh-sidecar-injector-1.0.3-1.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2019-18801
https://access.redhat.com/security/cve/CVE-2019-18802
https://access.redhat.com/security/cve/CVE-2019-18838
https://access.redhat.com/security/updates/classification/#critical

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2019 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXfFfotzjgjWX9erEAQivZA/+Jhhsr9G9X/W+5IXLe1iUzXvE61kJDYAg
XoruYZ3hIGVf3h5hRqHOSzmb5oaAGRwyyjvikbUPXP7FqbTKfLD3Ly7eZExhpT2X
GEMLVbeZKIppchI7rpKgswIcy9ukph5HBuxC2Z3TGMJm1wPKzUmhlDhvivlfNuy/
AnsxGrDLdRRwBtXsIsWhg1pcXqMJ/k/wpjwV2RRfm45cE9+ua1ZBLfT+DlUhXmVR
hsFJboy1Ltge8Ag4J+Sl/EhNSC+6IAF0djpXpPj3QZxg2CRg0sscci9MfqZMCBIF
b/bvRr6ZaIvrCvyr8dfyHAViv1kaz3y9Y7oyBeI33tXWHwMm18WN1fGSldMD6Gu6
vvD2YscwroqvhHjNYdsUEp3HGIAD0Gzo8S5MJS4gcLVpjl7wJ3V2jeH3sFgFmSez
DhRrc3/ytWtMHcVTR3PB4lHoeV9BYPxv68d57/Z74ihZanG/UAHclCYx1xHLNYQ7
O96yQz9sC/zCJnHiuP1SsOc0TUvDtAdNg7hAMS8iN8QOTfA925adyyV0aRMczIAD
zyTZXmBnbQ0zusrCcfUReGOzedmWM7VG2R24Wy3TSxXUJJZBRjC4mLaZtDIiRAYl
s8LOWEpJMFZaTzHQBYAYxxH7iaBQG3FDogC6f4GzM6VQE7xM7/Hw65TtpnL2rOUe
xmyOjC5UusE=
=fYm1
- -----END PGP SIGNATURE-----

- --
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXfGG8WaOgq3Tt24GAQhlpA/+OVCtwRzAWpNHqLTb5sMDpztusvdI1k/h
4kTN7KynEwmLaRcwZlzkSXGtVFDdmruVOJfqjfzLiWpusPsugI1PV6fUQA0RTo+s
clDOwEDe2ougk1ckpJWwa/c61kIGXgiQkPBL1WA9fJAPvvciSce37H6xKCpn272W
C2sT7FTzSO4654S+MMxBv/ENTcYN4DTwRCENGqZg3eXG/pfFgoS5p1wI7I6+boV4
TE5azYEh8ztXbq2Uc9JpjELV6MVs6GecjAQZLH/fgr14pqBpEtnS5A22Ik5hH8hm
Hux1+8CyrF88a2IO8nO2T/ftzfRTkBU8VvY73xoKgLFEVJqIFU+fPN3jHLAMcZFi
kWGPAVEtymldaZjjbwoHcR8BemVFOFnWh+SUQub3aMrO+zuaDFHyajqLxBncwSTQ
urp3UVKliihQuleaZizdR9v6sqnyecu83YWFiVaZGKM/R1BFgSlSraLARzuDzTrx
yzzCm3wnIg2INuU0WwAwhpn6N0EqHDdcpgKsfQYRB05Vbx56FbKi2+FCZvgCU1ju
WvKKaFbdIxh8TMqFqfQ7XPhG47wROZZfSr0jACgo8vKGAwtytKA6b5j6t6yd/6zF
vNBRqKYcGj6Z6Ke+eYScUvGVUwFU/3qat8gdmXTJjdeFDRgCYn8Z/wnxMeCQSERN
jD85iKshaE4=
=RCxl
-----END PGP SIGNATURE-----
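Added example (editor's code, not Red Hat's, AusCERT's or the OpenShift project's): the three advisories in this bulletin that ship RPMs (RHSA-2019:4096, RHSA-2019:4097 and RHSA-2019:4222) each end with a Package List of fixed builds, and the practical question on a node is whether the installed build is at or past that version-release. Naive string comparison gets this wrong for releases such as "10.git...el7" versus "11.gitd3c94f0.el7" or the build-ID version "4.2.1574873592", so the script below ports RPM's own rpmvercmp() segment rules (numeric segments compared as numbers, numeric beats alphabetic, "~" sorts before end of string) and compares epoch, version and release in turn. The fixed version-release strings are taken from the Package List sections above; the sample rpm -qa lines are constructed for illustration and the git hash in the older snapshot-controller build is made up.

```python
ARCHES = {"x86_64", "s390x", "noarch", "ppc64le", "aarch64", "i686"}

# Fixed builds from the Package List sections of RHSA-2019:4096, :4097 and :4222
# (binary subpackages carry the version-release of their source package).
FIXED = {}
for _sub in ("cephfs-provisioner", "debuginfo", "efs-provisioner", "local-provisioner",
             "manila-provisioner", "snapshot-controller", "snapshot-provisioner"):
    FIXED["openshift-external-storage-" + _sub] = "0.0.2-11.gitd3c94f0.el7"
FIXED["jenkins-2-plugins"] = "4.2.1574873592-1.el7"
FIXED["kiali"] = "v1.0.8.redhat1-1.el7"
for _sub in ("", "-citadel", "-cni", "-galley", "-istioctl", "-mixc", "-mixs", "-operator",
             "-pilot-agent", "-pilot-discovery", "-proxy", "-sidecar-injector"):
    FIXED["servicemesh" + _sub] = "1.0.3-1.el8"
FIXED["servicemesh-grafana"] = FIXED["servicemesh-grafana-prometheus"] = "6.2.2-25.el8"
FIXED["servicemesh-prometheus"] = "2.7.2-26.el8"


def rpmvercmp(a: str, b: str) -> int:
    """Port of RPM's rpmvercmp(): -1, 0 or 1 for a < b, a == b, a > b."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # separators (anything not alphanumeric, '~' or '^') are skipped
        while i < len(a) and not (a[i].isalnum() or a[i] in "~^"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] in "~^"):
            j += 1
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        if ca == "~" or cb == "~":          # tilde sorts before everything, even ""
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        if ca == "^" or cb == "^":          # caret: after "", before anything else
            if not ca:
                return -1
            if not cb:
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if not (ca and cb):
            break
        si, sj, isnum = i, j, ca.isdigit()  # segment type is set by the left operand
        while i < len(a) and (a[i].isdigit() if isnum else a[i].isalpha()):
            i += 1
        while j < len(b) and (b[j].isdigit() if isnum else b[j].isalpha()):
            j += 1
        sa, sb = a[si:i], b[sj:j]
        if not sb:                          # type mismatch: numeric segment is newer
            return 1 if isnum else -1
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):          # longer number is larger
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1        # whoever has characters left wins


def split_nvr(nvr: str):
    """name-[epoch:]version-release[.arch] -> (name, (epoch, version, release))."""
    head, _, tail = nvr.rpartition(".")
    if tail in ARCHES:
        nvr = head
    name, version, release = nvr.rsplit("-", 2)
    epoch = "0"
    if ":" in version:                      # only present with a custom --qf
        epoch, version = version.split(":", 1)
    return name, (epoch, version, release)


def evr_cmp(x, y) -> int:
    for p, q in zip(x, y):                  # epoch, then version, then release
        r = rpmvercmp(p, q)
        if r:
            return r
    return 0


def check_installed(rpm_qa_lines):
    """(name, installed version-release, fixed version-release, state) per covered package."""
    findings = []
    for line in rpm_qa_lines:
        name, evr = split_nvr(line.strip())
        fixed = FIXED.get(name)
        if fixed is None:
            continue
        _, fixed_evr = split_nvr(name + "-" + fixed)
        state = "VULNERABLE" if evr_cmp(evr, fixed_evr) < 0 else "OK"
        findings.append((name, evr[1] + "-" + evr[2], fixed, state))
    return findings


# Constructed sample of `rpm -qa` output; not taken from any real host.
SAMPLE_RPM_QA = [
    "openshift-external-storage-snapshot-controller-0.0.2-10.git0123456.el7.x86_64",
    "openshift-external-storage-efs-provisioner-0.0.2-11.gitd3c94f0.el7.x86_64",
    "jenkins-2-plugins-4.2.1570000000-1.el7.noarch",
    "servicemesh-proxy-1.0.3-1.el8.x86_64",
    "servicemesh-grafana-6.2.2-24.el8.x86_64",
    "kiali-v1.0.8.redhat1-1.el7.x86_64",
    "bash-4.4.19-10.el8.x86_64",
]

if __name__ == "__main__":
    import sys
    lines = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_RPM_QA
    for name, have, want, state in check_installed(lines):
        print(f"{state:10} {name}: installed {have}, fixed in {want}")
```

On a node, run `rpm -qa > installed.txt` and then `python3 check_rhsa.py installed.txt`; with no argument the script runs against the constructed sample. The check covers only the RPM-delivered fixes: RHSA-2019:4098, RHSA-2019:4099 and RHSA-2019:4101 ship container images with no Package List, and on OpenShift Container Platform 4.2 the supported remediation for all of them is the cluster upgrade to 4.2.10 described in the Solution sections above.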