-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.0689
   OpenShift Container Platform 4.7 file-integrity-operator image security update
                              25 February 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           OpenShift Container Platform 4.7
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-27813
Reference:         ESB-2021.0065

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2021:0100

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: OpenShift Container Platform 4.7 file-integrity-operator image security update
Advisory ID:       RHSA-2021:0100-01
Product:           Red Hat OpenShift Enterprise
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:0100
Issue date:        2021-02-24
CVE Names:         CVE-2020-27813
=====================================================================

1. Summary:

The file-integrity-operator image update is now available for OpenShift
Container Platform 4.7.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

The file-integrity-operator image update is now available for OpenShift
Container Platform 4.7.
Security Fix(es):

* golang-github-gorilla-websocket: integer overflow leads to denial of
service (CVE-2020-27813)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

1826301 - Wrong NodeStatus reports in file-integrity scan when configuration error in aide.conf file
1869293 - The configmap name looks confusing in aide-ds pod logs
1902111 - CVE-2020-27813 golang-github-gorilla-websocket: integer overflow leads to denial of service
1905011 - The file-integrity-Operator brew Bundle image does not available for OCP4.7
1910050 - [OCP v47] The file integrity aide-ds pod goes in CrashLoopBackOff state during the scan
1921692 - Please report fileintegritynodestatus (active/ failed / etc) in column when running `oc get fileintegritynodestatus`
1923096 - The daemonSet does not get updated when the nodeSelector and Tolerations get changed in fileIntegrity object

5. References:

https://access.redhat.com/security/cve/CVE-2020-27813
https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
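The advisory describes CVE-2020-27813 only as an integer overflow in gorilla/websocket that leads to denial of service. The Go program below is an added illustration of that bug class written for this bulletin; it is not gorilla/websocket's code and does not reproduce the library's actual reader logic. It contrasts a naive running sum of fragment payload lengths checked against a read limit (which can wrap a 64-bit counter, since a WebSocket frame may declare a payload length of up to 2^63-1) with a checked version that rejects a fragment before adding it. The function names naiveTotal and checkedTotal, the sentinel errors and the "readLimit <= 0 means unlimited" convention are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"math"
)

// Sentinel errors returned by the length accounting below (assumed names).
var (
	ErrReadLimit      = errors.New("websocket: read limit exceeded")
	ErrLengthOverflow = errors.New("websocket: message length overflows int64")
)

// naiveTotal sums fragment payload lengths first and compares afterwards.
// This is the overflow-prone pattern (illustrative, not gorilla/websocket's
// code): a declared length near math.MaxInt64 wraps the running total to a
// negative value, so the limit check never fires and the reader keeps
// consuming the message instead of failing fast.
func naiveTotal(readLimit int64, frameLens []int64) (int64, error) {
	var total int64
	for _, n := range frameLens {
		total += n // wraps silently on overflow
		if readLimit > 0 && total > readLimit {
			return total, ErrReadLimit
		}
	}
	return total, nil
}

// checkedTotal validates each fragment before it is added: negative lengths
// are rejected, an addition that would overflow is rejected, and the limit is
// tested by subtraction so the comparison itself cannot wrap.
// readLimit <= 0 means "no limit" (an assumption of this example).
func checkedTotal(readLimit int64, frameLens []int64) (int64, error) {
	var total int64
	for _, n := range frameLens {
		if n < 0 {
			return total, ErrLengthOverflow
		}
		if n > math.MaxInt64-total {
			return total, ErrLengthOverflow
		}
		if readLimit > 0 && n > readLimit-total {
			return total, ErrReadLimit
		}
		total += n
	}
	return total, nil
}

func main() {
	// Constructed input: a small first fragment followed by a continuation
	// frame whose declared length is the maximum a WebSocket frame can carry.
	frames := []int64{1, math.MaxInt64}
	const limit = 1024

	total, err := naiveTotal(limit, frames)
	fmt.Printf("naive:   total=%d err=%v\n", total, err) // negative total, no error
	total, err = checkedTotal(limit, frames)
	fmt.Printf("checked: total=%d err=%v\n", total, err) // stops with ErrLengthOverflow
}
```

The defensive point is the ordering: test the addition for overflow and against the limit before performing it, and compare by subtraction (`n > readLimit-total`) rather than by comparing a possibly wrapped sum.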
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYDbDEtzjgjWX9erEAQgu3hAAn2qYIjaObv0rj7Rytc1PrpsMJr3LnHyA
65HuBVGGJ+1WLZfRWcr0PGjF858OAGdHhwR7buFHdj1rOQ8lKPBI10TESI+ny8aC
KAdXVV+hSuB5/o8CRcP7p4vpu2680mOkRhwN1h7vJvrRxArF2jKjxgkS3OG31XYs
a322zlyQH6VHAHxrZizjXvKLY7L98A7R/BypquzqueN2jYWKxGpZZaGppZZ4rn4Q
2gYiTpht5g+UBImw6rBoBfZJh9xlRwXp5nv53oCPgXOJOWBGdhJK06ngWtuygzTf
nK5afvuycDi67VnMwhKXFZHHA/DIZrZgL0yMwzMWOdxFKeL6lnF8X26D9289cfVq
OzAQ9O5n5+80V1fw1OuyUxLKnk/C9rKs74Xd7ppT/FhnUl+OYgy+QYhdKYqnsWWq
X51E1ykROOmaNH3Y0d1Ib8R8m362sSZDdmk97FL18YZ5Tz/0EzzmOWFdMzhCdSUn
1+sOOamooIu4OTuuqnxpOSFndjcRcIZbLM1Z+aac0aqUVIoVQ1JgqQLFuGhpO8Gu
T5tDDRFGiHUKVaqpRLbDSMaoQJY5h8JL0SSlJ5ylFGXxmiU3m93r1iW97nB54/rG
Guf0zUHQ2o12Wj8MDwLOysNZK1yEP1IKxNMryvfKmr81wNOdA6BguhzoR+Oj7beq
aVOtG/isImc=
=BWbO
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.
It may not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYDbbxONLKJtyKPYoAQjXEQ/+PhkJIAwV6RK3ECI5PhGPSHsZTiG+5dQw
r3XsTzLr7XIvE+1B/1AvgLJLWojdZHo8yd0u2KeBDGA5pu/Pj3ze0P4jjCvPKqFF
fAYZuM3vyBRTpCmrF2lmjSAt9l0Zo0W0/5EgzwvKaNTQOGaLgK6ypDGc/3GRqime
pZr/wQpbR0HA0k9I04CxQjIyaF5uKgKlXovqy6iaHQVOHNFLwjk2bPwbf3qYKHzL
BZp02phZHtR9ZZYiOlioHhrh9VtfvhrLbC+U2sJyCtfynOM+yGH0GB+CXzvBLl5y
RdUAqXoDMeNR4yyxoH1hBFesHgcLqHYuOarr8sHPToDbj3o5aeuloTF5ODHPf/Ft
pLliYzZjqPOUXP8d0YRvb2XOKhOBOTIKGiK3x3NliHSbucMjv9xAuYuomiR8WJmk
zR2wakIEg77+DgEvVQY4t6KwG2r35gh65BW6zV7piM/iO/yoyGWJ9enaHW5IBojx
7hTuww0/qrDIV+9jmvhz2GDjkztQHGu5aGEZlxLKJR6OGjwWkpBKe7E3L30evCVB
wciAVraLuu4ZfryRt/2nU1yNZbnS8cfjVdFu4D3og24X6t69LSbkLYVUgyCT7wCi
UAoeHP1qf/PKtkTKFB+ORPKINiAWwulwHteAmZGXoVP3aNIMBQOlA8K5MkGIxayi
TNWciQSLSW0=
=3AZ3
-----END PGP SIGNATURE-----