-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.0689
         OpenShift Container Platform 4.7 file-integrity-operator
                           image security update
                             25 February 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           OpenShift Container Platform 4.7
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-27813  

Reference:         ESB-2021.0065

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2021:0100

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: OpenShift Container Platform 4.7 file-integrity-operator image security update
Advisory ID:       RHSA-2021:0100-01
Product:           Red Hat OpenShift Enterprise
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:0100
Issue date:        2021-02-24
CVE Names:         CVE-2020-27813 
=====================================================================

1. Summary:

The file-integrity-operator image update is now available for OpenShift
Container Platform 4.7.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

The file-integrity-operator image update is now available for OpenShift
Container Platform 4.7.

Security Fix(es):

* golang-github-gorilla-websocket: integer overflow leads to denial of
service (CVE-2020-27813)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
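The advisory names only the affected library and the CVE. A build-time check a practitioner would want, added here as an example and not code from Red Hat, AusCERT or the file-integrity-operator project: a small Go program that scans a go.mod for github.com/gorilla/websocket and reports versions that predate the upstream fix. The fix tag v1.4.1 is not stated in the advisory; it is taken from the upstream fix record for this CVE (the Go vulnerability database entry) and is an assumption of this example, as is the constructed sample go.mod. Pseudo-versions are treated conservatively (reported as predating the fix), and replace directives are returned for manual review rather than resolved.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// WebsocketModule is the module path of the library named in the advisory.
const WebsocketModule = "github.com/gorilla/websocket"

// FixedVersion is the first upstream tag carrying the fix for CVE-2020-27813.
// Assumption: the advisory does not state it; the value is taken from the Go
// vulnerability database entry for this CVE. Confirm it against the CVE page.
const FixedVersion = "v1.4.1"

// semver is major.minor.patch plus whether a pre-release or pseudo-version suffix was present.
type semver struct {
	nums [3]int
	pre  bool
}

// parseSemver accepts "v1.4.0", "v1.4.1-0.20190825180000-abcdef012345" or
// "v1.4.2+incompatible": a '-' suffix marks a pre-release, '+' metadata is ignored.
func parseSemver(s string) (semver, error) {
	v := strings.TrimPrefix(s, "v")
	var out semver
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		out.pre = v[i] == '-'
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return semver{}, fmt.Errorf("not a major.minor.patch version: %q", s)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return semver{}, fmt.Errorf("bad component %q in version %q", p, s)
		}
		out.nums[i] = n
	}
	return out, nil
}

// before reports whether a sorts before b. A pre-release or pseudo-version of X.Y.Z
// sorts before the X.Y.Z tag, so a pseudo-version built on the fix tag is still
// reported as predating the fix: the conservative reading for a patch check.
func before(a, b semver) bool {
	for i := range a.nums {
		if a.nums[i] != b.nums[i] {
			return a.nums[i] < b.nums[i]
		}
	}
	return a.pre && !b.pre
}

// VulnerableWebsocketVersions scans go.mod text and returns every required
// gorilla/websocket version older than FixedVersion. Replace directives ("=>")
// naming the module are returned separately: a replace wins at build time and
// this example does not resolve it, so check those lines by hand.
func VulnerableWebsocketVersions(goMod string) (vulnerable, replaces []string, err error) {
	fixed, err := parseSemver(FixedVersion)
	if err != nil {
		return nil, nil, err
	}
	sc := bufio.NewScanner(strings.NewReader(goMod))
	for sc.Scan() {
		line := sc.Text()
		if i := strings.Index(line, "//"); i >= 0 { // drop "// indirect" and similar
			line = line[:i]
		}
		if strings.Contains(line, "=>") && strings.Contains(line, WebsocketModule) {
			replaces = append(replaces, strings.TrimSpace(line))
			continue
		}
		f := strings.Fields(line)
		for i := 0; i+1 < len(f); i++ {
			if f[i] != WebsocketModule {
				continue
			}
			v, perr := parseSemver(f[i+1])
			if perr != nil {
				return nil, nil, perr
			}
			if before(v, fixed) {
				vulnerable = append(vulnerable, f[i+1])
			}
		}
	}
	return vulnerable, replaces, sc.Err()
}

// sampleGoMod is a constructed go.mod for illustration, not taken from the
// file-integrity-operator source tree.
const sampleGoMod = `module example.com/ws-check

go 1.15

require (
	github.com/gorilla/websocket v1.4.0 // indirect
	github.com/spf13/cobra v1.1.1
)
`
```

To use it against a real image build, read the module's go.mod (for example with os.ReadFile) and pass the contents to VulnerableWebsocketVersions; on the constructed sample it returns v1.4.0 as predating the fix. Go selects the highest required version across the whole module graph, so a clean go.mod for one module does not by itself prove the built binary is clean; `go list -m all` on the module gives the selected version to compare against.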

3. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

1826301 - Wrong NodeStatus reports in file-integrity scan when there is a configuration error in the aide.conf file
1869293 - The configmap name looks confusing in aide-ds pod logs
1902111 - CVE-2020-27813 golang-github-gorilla-websocket: integer overflow leads to denial of service
1905011 - The file-integrity-operator brew bundle image is not available for OCP 4.7
1910050 - [OCP v47] The file integrity aide-ds pod goes into CrashLoopBackOff state during the scan
1921692 - Please report fileintegritynodestatus (active / failed / etc.) in a column when running `oc get fileintegritynodestatus`
1923096 - The DaemonSet does not get updated when the nodeSelector and tolerations are changed in the FileIntegrity object

5. References:

https://access.redhat.com/security/cve/CVE-2020-27813
https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----