===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.1408
                        OpenShift Container Platform
                               23 April 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           OpenShift Container Platform 4.2.29 openshift
                   OpenShift Container Platform 4.1.41 openshift-enterprise-ansible-operator-container
                   OpenShift Container Platform 4.2.29 openshift-enterprise-hyperkube-container
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Root Compromise   -- Existing Account
                   Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-8552 CVE-2019-19355
Reference:         ESB-2020.1261
                   ESB-2020.1167

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2020:1526
   https://access.redhat.com/errata/RHSA-2020:1527
   https://access.redhat.com/errata/RHSA-2020:1545

Comment: This bulletin contains three (3) Red Hat security advisories.

--------------------------BEGIN INCLUDED TEXT--------------------

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: OpenShift Container Platform 4.2.29 openshift-enterprise-hyperkube-container security update
Advisory ID:       RHSA-2020:1526-01
Product:           Red Hat OpenShift Enterprise
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:1526
Issue date:        2020-04-22
CVE Names:         CVE-2020-8552
=====================================================================

1. Summary:

An update for openshift-enterprise-hyperkube-container is now available for
Red Hat OpenShift Container Platform 4.2.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes
application platform solution designed for on-premise or private cloud
deployments.

Security Fix(es):

* kubernetes: Use of unbounded 'client' label in apiserver_request_total
allowed for memory exhaustion (CVE-2020-8552)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

For OpenShift Container Platform 4.2 see the following documentation, which
will be updated shortly for release 4.2.29, for important instructions on
how to upgrade your cluster and fully apply this asynchronous errata update:

https://docs.openshift.com/container-platform/4.2/release_notes/ocp-4-2-release-notes.html

Details on how to access this content are available at
https://docs.openshift.com/container-platform/4.2/updating/updating-cluster-cli.html.

4. Bugs fixed (https://bugzilla.redhat.com/):

1797909 - CVE-2020-8552 kubernetes: Use of unbounded 'client' label in apiserver_request_total allows for memory exhaustion

5. References:

https://access.redhat.com/security/cve/CVE-2020-8552
https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.

--------------------------------------------------------------------------------

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: OpenShift Container Platform 4.2.29 openshift security update
Advisory ID:       RHSA-2020:1527-01
Product:           Red Hat OpenShift Enterprise
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:1527
Issue date:        2020-04-22
CVE Names:         CVE-2020-8552
=====================================================================

1. Summary:

An update for openshift is now available for Red Hat OpenShift Container
Platform 4.2.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenShift Container Platform 4.2 - s390x, x86_64

3. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes
application platform solution designed for on-premise or private cloud
deployments.

Security Fix(es):

* kubernetes: Use of unbounded 'client' label in apiserver_request_total
allowed for memory exhaustion (CVE-2020-8552)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For OpenShift Container Platform 4.2 see the following documentation, which
will be updated shortly for release 4.2.29, for important instructions on
how to upgrade your cluster and fully apply this asynchronous errata update:

https://docs.openshift.com/container-platform/4.2/release_notes/ocp-4-2-release-notes.html

Details on how to access this content are available at
https://docs.openshift.com/container-platform/4.2/updating/updating-cluster-cli.html.

5. Bugs fixed (https://bugzilla.redhat.com/):

1797909 - CVE-2020-8552 kubernetes: Use of unbounded 'client' label in apiserver_request_total allows for memory exhaustion

6. Package List:

Red Hat OpenShift Container Platform 4.2:

Source:
openshift-4.2.29-202004120346.git.0.d948116.el7.src.rpm

s390x:
openshift-hyperkube-4.2.29-202004120346.git.0.d948116.el7.s390x.rpm

x86_64:
openshift-hyperkube-4.2.29-202004120346.git.0.d948116.el7.x86_64.rpm

Red Hat OpenShift Container Platform 4.2:

Source:
openshift-4.2.29-202004110432.git.0.f7d02c8.el8.src.rpm

s390x:
openshift-hyperkube-4.2.29-202004110432.git.0.f7d02c8.el8.s390x.rpm

x86_64:
openshift-hyperkube-4.2.29-202004110432.git.0.f7d02c8.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-8552
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.

-----------------------------------------------------------------------

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: OpenShift Container Platform 4.1.41 openshift-enterprise-ansible-operator-container security update
Advisory ID:       RHSA-2020:1545-01
Product:           Red Hat OpenShift Enterprise
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:1545
Issue date:        2020-04-22
CVE Names:         CVE-2019-19355
=====================================================================

1. Summary:

An update for openshift-enterprise-ansible-operator-container is now
available for Red Hat OpenShift Container Platform 4.1.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes
application platform solution designed for on-premise or private cloud
deployments.

Security Fix(es):

* openshift/ocp-release-operator-sdk: /etc/passwd is given incorrect
privileges (CVE-2019-19355)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

For OpenShift Container Platform 4.1 see the following documentation, which
will be updated shortly for release 4.1.41, for important instructions on
how to upgrade your cluster and fully apply this asynchronous errata update:

https://docs.openshift.com/container-platform/4.1/release_notes/ocp-4-1-release-notes.html

Details on how to access this content are available at
https://docs.openshift.com/container-platform/4.1/updating/updating-cluster-cli.html.

4. Bugs fixed (https://bugzilla.redhat.com/):

1793277 - CVE-2019-19355 openshift/ocp-release-operator-sdk: /etc/passwd is given incorrect privileges

5. References:

https://access.redhat.com/security/cve/CVE-2019-19355
https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================