-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.1408
                       OpenShift Container Platform
                               23 April 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           OpenShift Container Platform 4.2.29 openshift
                   OpenShift Container Platform 4.1.41 openshift-enterprise-ansible-operator-container
                   OpenShift Container Platform 4.2.29 openshift-enterprise-hyperkube-container
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Root Compromise   -- Existing Account      
                   Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-8552 CVE-2019-19355 

Reference:         ESB-2020.1261
                   ESB-2020.1167

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2020:1526
   https://access.redhat.com/errata/RHSA-2020:1527
   https://access.redhat.com/errata/RHSA-2020:1545

Comment: This bulletin contains three (3) Red Hat security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: OpenShift Container Platform 4.2.29 openshift-enterprise-hyperkube-container security update
Advisory ID:       RHSA-2020:1526-01
Product:           Red Hat OpenShift Enterprise
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:1526
Issue date:        2020-04-22
CVE Names:         CVE-2020-8552 
=====================================================================

1. Summary:

An update for openshift-enterprise-hyperkube-container is now available for
Red Hat OpenShift Container Platform 4.2.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.

Security Fix(es):

* kubernetes: Use of unbounded 'client' label in apiserver_request_total
allowed for memory exhaustion (CVE-2020-8552)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

For OpenShift Container Platform 4.2 see the following documentation, which
will be updated shortly for release 4.2.29, for important instructions on
how to upgrade your cluster and fully apply this asynchronous errata
update:

https://docs.openshift.com/container-platform/4.2/release_notes/ocp-4-2-release-notes.html

Details on how to access this content are available at
https://docs.openshift.com/container-platform/4.2/updating/updating-cluster-cli.html.

4. Bugs fixed (https://bugzilla.redhat.com/):

1797909 - CVE-2020-8552 kubernetes: Use of unbounded 'client' label in apiserver_request_total allows for memory exhaustion

5. References:

https://access.redhat.com/security/cve/CVE-2020-8552
https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
- -----END PGP SIGNATURE-----

- --------------------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: OpenShift Container Platform 4.2.29 openshift security update
Advisory ID:       RHSA-2020:1527-01
Product:           Red Hat OpenShift Enterprise
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:1527
Issue date:        2020-04-22
CVE Names:         CVE-2020-8552 
=====================================================================

1. Summary:

An update for openshift is now available for Red Hat OpenShift Container
Platform 4.2.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenShift Container Platform 4.2 - s390x, x86_64

3. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.

Security Fix(es):

* kubernetes: Use of unbounded 'client' label in apiserver_request_total
allowed for memory exhaustion (CVE-2020-8552)
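The security fix listed in this advisory and in RHSA-2020:1526 above concerns a metric label whose set of values is not bounded: every distinct 'client' string seen by the kube-apiserver becomes a new time series in apiserver_request_total, and the memory holding those series grows with it. The following is an added example, not code from the advisory, Red Hat or the Kubernetes project; it parses Prometheus text exposition output and reports, per metric, which labels have taken more distinct values than a threshold, so a defender can spot such a label growing in a scrape. The metric names, label names and the fifty-client sample scrape are constructed for the example.

```python
"""Label-cardinality check over Prometheus text exposition output.

Added example (not from the Red Hat advisory or the Kubernetes project):
a label with an unbounded value set, such as the 'client' label on
apiserver_request_total described in CVE-2020-8552, turns every new value
into another in-memory time series. This script counts distinct values per
label so that the growth can be observed and alerted on.
"""
import re
from collections import defaultdict

# One sample line: metric_name{label="value",...} value [timestamp]
SAMPLE_RE = re.compile(r'^([a-zA-Z_:][a-zA-Z0-9_:]*)(\{(.*)\})?\s+(\S+)(\s+\S+)?$')
# One label pair inside the braces; the value may contain escaped quotes.
LABEL_RE = re.compile(r'([a-zA-Z_][a-zA-Z0-9_]*)="((?:[^"\\]|\\.)*)"')


def label_cardinality(exposition_text):
    """Return {metric: {label: set_of_distinct_values}} for the scrape text."""
    card = defaultdict(lambda: defaultdict(set))
    for line in exposition_text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue  # skip blanks, HELP and TYPE comments
        m = SAMPLE_RE.match(line)
        if not m:
            continue  # not a sample line; ignore
        metric, labels = m.group(1), m.group(3) or ''
        per_metric = card[metric]  # register the metric even if it has no labels
        for name, value in LABEL_RE.findall(labels):
            per_metric[name].add(value)
    return {m: {l: set(v) for l, v in labels.items()} for m, labels in card.items()}


def high_cardinality_labels(exposition_text, threshold):
    """Return sorted [(metric, label, distinct_count)] for labels whose number of
    distinct values exceeds threshold in this scrape."""
    findings = []
    for metric, labels in label_cardinality(exposition_text).items():
        for name, values in labels.items():
            if len(values) > threshold:
                findings.append((metric, name, len(values)))
    return sorted(findings)


# Constructed sample scrape (not real kube-apiserver output): fifty distinct
# client strings against one metric, plus an unlabelled metric for contrast.
SAMPLE_SCRAPE = "\n".join(
    ['# HELP apiserver_request_total Counter of apiserver requests.',
     '# TYPE apiserver_request_total counter']
    + ['apiserver_request_total{client="probe-%d",code="200",resource="pods",verb="GET"} 1' % i
       for i in range(50)]
    + ['apiserver_request_total{client="kubectl",code="200",resource="pods",verb="LIST"} 17',
       'process_cpu_seconds_total 12.5']
)

if __name__ == "__main__":
    for metric, label, count in high_cardinality_labels(SAMPLE_SCRAPE, 20):
        print("%s label %r has %d distinct values" % (metric, label, count))
```

Run against a saved `/metrics` scrape from the apiserver, the threshold is the only tuning knob; a label such as `verb` or `code` stays at a handful of values across scrapes, while an unbounded label keeps climbing. A patched apiserver (this update) no longer exposes the 'client' label, so the finding disappears after upgrade.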

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For OpenShift Container Platform 4.2 see the following documentation, which
will be updated shortly for release 4.2.29, for important instructions on
how to upgrade your cluster and fully apply this asynchronous errata
update:

https://docs.openshift.com/container-platform/4.2/release_notes/ocp-4-2-release-notes.html

Details on how to access this content are available at
https://docs.openshift.com/container-platform/4.2/updating/updating-cluster-cli.html.

5. Bugs fixed (https://bugzilla.redhat.com/):

1797909 - CVE-2020-8552 kubernetes: Use of unbounded 'client' label in apiserver_request_total allows for memory exhaustion

6. Package List:

Red Hat OpenShift Container Platform 4.2:

Source:
openshift-4.2.29-202004120346.git.0.d948116.el7.src.rpm

s390x:
openshift-hyperkube-4.2.29-202004120346.git.0.d948116.el7.s390x.rpm

x86_64:
openshift-hyperkube-4.2.29-202004120346.git.0.d948116.el7.x86_64.rpm

Red Hat OpenShift Container Platform 4.2:

Source:
openshift-4.2.29-202004110432.git.0.f7d02c8.el8.src.rpm

s390x:
openshift-hyperkube-4.2.29-202004110432.git.0.f7d02c8.el8.s390x.rpm

x86_64:
openshift-hyperkube-4.2.29-202004110432.git.0.f7d02c8.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-8552
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXp/O2tzjgjWX9erEAQh2vA//cSV7HJ3v2I3N6h8svis0fekks9tUt/f/
2+KHOClfquOQ39qTxteShPnuaPBid5dKoPlx1Q/txAg2gE4+yi72f8rbNLpCK48L
EC9+FRmRaJSLMy2XY9FibGUMO/kc5lkxXP8Ftoltlv4T/Gqa3YM5d/wOKz0rpgzS
driFygXZHo8dzLrlOIh4JIYElylTRGDZZvbnG+DkIHLD/OsdUKO/IL8ZgV5bU/nD
6f5XngR9qwVayA32zjzJ4duJyb3QvLD0evZx/EMYBIHndmPz0ggyQ2sCQUcc2wuM
MJGmbbh1Etpk6H9ycahgTtWwZ8cqTuaWBg6TykP7Tx70RFFu0UX17r/sC4T5dIww
os71r64Lf779CrVMqQn5Y7E9lrC76AL9uYS2SF3TdEcUR1pFATxzdPMm437m7gfB
LbESh06mLwgNN7ujlbmquKqOn2ivIF2HuPgeRgoXBUAfSqwIr5u+pKjSRIiHZgiu
p2ojTV9Oj98Q+o3QNLXmWhwHAo1NMjqNXFbGlGTaivmoMd/BXa7z988BF94oJ1Fl
3KaECE/++1oi9aXrIZN3xWZAtJ82+7R/stS4GVydoddAzP0ejchJhvi9HpQR0AMo
9TPKutk3Oun7+dpHjr5Xb6j+XKZchLLph8lPnQaKp085XF5cBd89fN//NjFrAWXq
hNjeXyeWZeo=
=Fw+T
- -----END PGP SIGNATURE-----

- -----------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: OpenShift Container Platform 4.1.41 openshift-enterprise-ansible-operator-container security update
Advisory ID:       RHSA-2020:1545-01
Product:           Red Hat OpenShift Enterprise
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:1545
Issue date:        2020-04-22
CVE Names:         CVE-2019-19355 
=====================================================================

1. Summary:

An update for openshift-enterprise-ansible-operator-container is now
available for Red Hat OpenShift Container Platform 4.1.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.

Security Fix(es):

* openshift/ocp-release-operator-sdk: /etc/passwd is given incorrect
privileges (CVE-2019-19355)
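The fix above concerns a container image shipping /etc/passwd with permission bits it should not have. The following is an added example, not code from the advisory, Red Hat or the operator-sdk project; it checks an extracted image root against a small permission policy and reports files whose mode bits exceed it, which is the kind of check a build pipeline can run on every image. The policy table and the throwaway directory tree with a world-writable passwd file are constructed for the example.

```python
"""Permission check for sensitive files under an extracted image root.

Added example (not from the Red Hat advisory or the operator-sdk project):
CVE-2019-19355 describes /etc/passwd being given incorrect privileges in an
image. This script compares the permission bits of a few account files
against a maximum allowed mode and reports any excess bits.
"""
import os
import stat
import tempfile

# Maximum permission bits per file, relative to the image root. These values
# are chosen for the example; adjust them to the policy for your images.
SENSITIVE_FILES = {
    "etc/passwd": 0o644,   # readable by all, writable only by owner
    "etc/group": 0o644,
    "etc/shadow": 0o600,   # secrets: owner only
}


def check_sensitive_files(root, policy=SENSITIVE_FILES):
    """Return [(relative_path, actual_mode, max_mode)] as octal strings for files
    whose permission bits include any bit the policy does not allow.
    Files absent from the image are skipped, not reported."""
    findings = []
    for rel, max_mode in policy.items():
        path = os.path.join(root, rel)
        try:
            mode = stat.S_IMODE(os.lstat(path).st_mode)  # lstat: do not follow symlinks
        except FileNotFoundError:
            continue
        # Any bit set in the actual mode that is cleared in max_mode is excess.
        if mode & ~max_mode:
            findings.append((rel, oct(mode), oct(max_mode)))
    return findings


def build_sample_root():
    """Construct a throwaway directory tree standing in for an extracted image
    root (constructed sample, not a real image): /etc/passwd is deliberately
    world-writable, /etc/group is correct, /etc/shadow is absent."""
    root = tempfile.mkdtemp(prefix="image-root-")
    etc = os.path.join(root, "etc")
    os.makedirs(etc)
    passwd = os.path.join(etc, "passwd")
    with open(passwd, "w") as f:
        f.write("root:x:0:0:root:/root:/bin/bash\n")
    os.chmod(passwd, 0o666)  # the misconfiguration this check is meant to catch
    group = os.path.join(etc, "group")
    with open(group, "w") as f:
        f.write("root:x:0:\n")
    os.chmod(group, 0o644)
    return root


if __name__ == "__main__":
    for rel, actual, allowed in check_sensitive_files(build_sample_root()):
        print("%s has mode %s, policy allows at most %s" % (rel, actual, allowed))
```

Against a real image, point `root` at the filesystem produced by extracting the image layers; the check works on the permission bits alone, so it runs the same whether or not the build host has the image's users.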

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

For OpenShift Container Platform 4.1 see the following documentation, which
will be updated shortly for release 4.1.41, for important instructions on
how to upgrade your cluster and fully apply this asynchronous errata
update:

https://docs.openshift.com/container-platform/4.1/release_notes/ocp-4-1-release-notes.html

Details on how to access this content are available at
https://docs.openshift.com/container-platform/4.1/updating/updating-cluster-cli.html.

4. Bugs fixed (https://bugzilla.redhat.com/):

1793277 - CVE-2019-19355 openshift/ocp-release-operator-sdk: /etc/passwd is given incorrect privileges

5. References:

https://access.redhat.com/security/cve/CVE-2019-19355
https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXqBrLdzjgjWX9erEAQi8Dg/8CK3+7fiwhIMsgVVoIRXNnYkEU1C3KGjf
6ec2TDT5a38THYOr0rxhJYpTKyOs/wJxv+ZDtx4AtVHsznJqHtUQuBbGU28PuiGG
sP2TYq7Do77mzeYC47Aek3YNH5rFSTscFiiYgvlhORjunaJAeGJM5yRdEwfr8P+s
Qb2fqLKQV82Sd7QOu7whgYoGDZGzoBA1fOyk7BRcVqPr90cYi5AWLJmhs/zK81KM
310D5Q8ibZ78NJg/dkaWwoBqihux5xCGnQFOc5E/ZPMQXyRuf2BUeK3gGycKPmf7
7gg9Kwt5ndU9iFPLTJxqbWwMcBIeDCYdkye20pIE8XG+zm15GJvkIgQH6uZj6GN0
QZ8mgPp2e9ASZGYNKe8q6IYD23Oq3MvMG17tZhBKkUbgtMzzxyCApiWbezUP7hu1
/tikiQjAV5TXjSZXC9hUbQlF45c0zaSq2Lh0R8D/nC2bX6lgpKuhy1y94DKU02uJ
RJIuLvXCdvCvTLcpMd9WxL20/LPQUqxSpWSwO/hApXODQzeM8oBFvjKaR+824Fvk
2cEPPTgX2trAh0KfIvp0IiK+ueQFgreOCQxZ7kuzCHruT+xGibNQzfepu3BMTvdo
W04PvaehTt/qKS2WG8MP3SVSq3IqrWviMFRtpsjE7/mZgOcj04vjSGiP30bfx2p6
3/pAs9lUKUY=
=WT/c
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----