Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2021.1378
Release of OpenShift Serverless 1.14.0 security update
23 April 2021
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: OpenShift Serverless Products
Publisher: Red Hat
Operating System: Red Hat
Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction
Denial of Service -- Remote/Unauthenticated
Access Confidential Data -- Remote/Unauthenticated
Reduced Security -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2021-20305 CVE-2021-3450 CVE-2021-3449
CVE-2021-3115 CVE-2021-3114
Reference: ESB-2021.1198
ESB-2021.1180
ESB-2021.1075
ESB-2021.0309
Original Bulletin:
https://access.redhat.com/errata/RHSA-2021:1338
https://access.redhat.com/errata/RHSA-2021:1339
Comment: This bulletin contains two (2) Red Hat security advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: Release of OpenShift Serverless 1.14.0 security update
Advisory ID: RHSA-2021:1338-01
Product: Red Hat OpenShift Serverless
Advisory URL: https://access.redhat.com/errata/RHSA-2021:1338
Issue date: 2021-04-22
CVE Names: CVE-2021-3114 CVE-2021-3115 CVE-2021-3449
CVE-2021-3450 CVE-2021-20305
=====================================================================
1. Summary:
Release of OpenShift Serverless 1.14.0
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Description:
Red Hat OpenShift Serverless 1.14.0 is a generally available release of the
OpenShift Serverless Operator. This version of the OpenShift Serverless
Operator is supported on Red Hat OpenShift Container Platform versions 4.6
and 4.7, and includes security and bug fixes and enhancements. For more
information, see the documentation listed in the References section.
Security Fix(es):
* golang: crypto/elliptic: incorrect operations on the P-224 curve
(CVE-2021-3114)
* golang: cmd/go: packages using cgo can cause arbitrary code execution at
build time (CVE-2021-3115)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
3. Solution:
See the Red Hat OpenShift Container Platform 4.6 documentation at:
https://access.redhat.com/documentation/en-us/openshift_container_platform/
4.6/html/serverless_applications/index
See the Red Hat OpenShift Container Platform 4.7 documentation at:
https://access.redhat.com/documentation/en-us/openshift_container_platform/
4.7/html/serverless/index
4. Bugs fixed (https://bugzilla.redhat.com/):
1918750 - CVE-2021-3114 golang: crypto/elliptic: incorrect operations on the P-224 curve
1918761 - CVE-2021-3115 golang: cmd/go: packages using cgo can cause arbitrary code execution at build time
1935897 - Release of OpenShift Serverless Serving 1.14.0
1935898 - Release of OpenShift Serverless Eventing 1.14.0
5. References:
https://access.redhat.com/security/cve/CVE-2021-3114
https://access.redhat.com/security/cve/CVE-2021-3115
https://access.redhat.com/security/cve/CVE-2021-3449
https://access.redhat.com/security/cve/CVE-2021-3450
https://access.redhat.com/security/cve/CVE-2021-20305
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.6/html/serverless_applications/index
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.7/html/serverless/index
6. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2021 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBYIHLCtzjgjWX9erEAQjPLg/9Gc50P8EDERriS4fj20MoBk3+LYDBcuCA
7GDOkY58KlcTQ4F/yBi1T3vEzrn07aQkOS3N2hjLWqc5m+qzUQeEA8IO71sMZg27
Q9nH4kBaRdVMwZTJ0ZadErgrdYhubLTPXiMk6PZzxnWn4GIvKW7cdvnGS0jZUE/r
WAwzqccLdvAamb9j35Ch+6OQYI5Q2/8Gzz9ruPrdSGbgwvLntkvkPJrUFQ4vKHii
R/VB6ZSKDxwAirqKgfNpm2uwH594IorWNgQ9tLbW3qSDWGhj/XaN1UcuCcZnXhd6
vr9jmUhsluhPdSSx3cnwAXNXj6MN+RGr/YjQ8GV0XEOamkZhw9fCahdvJhAWf2C3
40vU2X01rT2piOCdIekx4LrGpnotddEGR30eJhpo5yDehHjhcQ+fif9a3Dk7ybdo
2yTprANKIiQQv0PytB4LHp0aVsL2qC6uxZBZOvmk9BnFOC/Rxl5UjNJ1MEqXjmw1
ElPUbk37euf3vwMk8Xm4yHb4vVa5J03c1E8AvxSN8l95H7I/XWDFcBNuSU5QAYm/
Ak9t8FV4GKT+8crIpXRbnR8AGXnbT1nut0fNLU5h+aCIOJA6dge04UliFHFW1MIp
6M0o9gZ5oTOXpwvVqK5GvfC8r9x+rinJ0COVoCPaD/z5G/rCMiuoVbwkYwwxqKNl
QF+X9ZbFZvg=
=htxs
- -----END PGP SIGNATURE-----
- -----------------------------------------------------------------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: Release of OpenShift Serverless Client kn 1.14.0 and security update
Advisory ID: RHSA-2021:1339-01
Product: Red Hat OpenShift Serverless
Advisory URL: https://access.redhat.com/errata/RHSA-2021:1339
Issue date: 2021-04-22
CVE Names: CVE-2021-3114 CVE-2021-3115
=====================================================================
1. Summary:
Release of OpenShift Serverless Client kn 1.14.0
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
Openshift Serverless 1 on RHEL 8Base - ppc64le, s390x, x86_64
3. Description:
Red Hat OpenShift Serverless Client kn 1.14.0 provides a CLI to interact
with Red Hat OpenShift Serverless 1.14.0. The kn CLI is delivered as an RPM
package for installation on RHEL platforms, and as binaries for non-Linux
platforms.
Security Fix(es):
* golang: crypto/elliptic: incorrect operations on the P-224 curve
(CVE-2021-3114)
* golang: cmd/go: packages using cgo can cause arbitrary code execution at
build time (CVE-2021-3115)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
4. Solution:
See the Red Hat OpenShift Container Platform 4.6 documentation at:
https://access.redhat.com/documentation/en-us/openshift_container_platform/
4.6/html/serverless_applications/index
See the Red Hat OpenShift Container Platform 4.7 documentation at:
https://access.redhat.com/documentation/en-us/openshift_container_platform/
4.7/html/serverless/index
5. Bugs fixed (https://bugzilla.redhat.com/):
1918750 - CVE-2021-3114 golang: crypto/elliptic: incorrect operations on the P-224 curve
1918761 - CVE-2021-3115 golang: cmd/go: packages using cgo can cause arbitrary code execution at build time
1941695 - Release of OpenShift Serverless Client 1.14.0
6. Package List:
Openshift Serverless 1 on RHEL 8Base:
Source:
openshift-serverless-clients-0.20.0-6.el8.src.rpm
ppc64le:
openshift-serverless-clients-0.20.0-6.el8.ppc64le.rpm
s390x:
openshift-serverless-clients-0.20.0-6.el8.s390x.rpm
x86_64:
openshift-serverless-clients-0.20.0-6.el8.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2021-3114
https://access.redhat.com/security/cve/CVE-2021-3115
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.6/html/serverless_applications/index
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.7/html/serverless/index
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2021 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBYIG+JtzjgjWX9erEAQg53g/+Plj203uZhkyfzfqWCpSOa7b6N29nlZ6e
URYk+GSmKc9d4TB9L2ZG6sTvwtLo0WFP09dEbn7XOvN61Rj9zUgHALC8pWENppsZ
ok085H8VaH1ND835bGcDAbHvo9t97h2T6j9tjaNHFmVuC2ZqnQwnjp1qiE2+Gb+6
TdHo4dA40rOyF0JUmmuIUTs06cfYIySrVsgGYOCSmDlkAxivZrjUi0Q3gzTHt4MP
Q24m0RqZM+GyyCJUuAZUAfoiiPTVxM7vqa4ssXr0PTJTbPyNkl8oHl7+l6sguZdf
cY4ILptHyNLsWvvZIZnUu9uHuQ9ABaGKJEYfesvu6CLXp4U+M1R9Waf+XMqoyk72
YAuptXu0wqMMR//v3x/3efcEyMvFKT9pAPqDONKYbpofI0YQL/5/kOm/h+gSFGpB
PDqgKEOrMTxhGIf5I7Y9PRkq2ijADuIGxp23tE+tV4ksBpv4zAhMleV/MZFpvuxK
8AUq0e8F4WIcCFIYoksAfDJdIA04qBMN8IMlQUChg10K6mpYPRG68P7ACgvkp7ty
zB83XE8QzSYPniYU11advsDukoL1pg/1JofN38d4MQHyEPMJgqXRyUbWit90HDF4
mOyyUbC8WnG0qwPc3QrWUhZPIbjqvozK3UEF1ppknT6Le5xdlSBzU1GSdKm8DFIv
t7nxjEbNyrc=
=LjPU
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYIJA4eNLKJtyKPYoAQiM8g/8CHlp5ADdCCnLMVfZoYiF85bCs0XvjQ49
ykyJL7JedG8iToYFFGCwswjF2nM/tVSnjo62MmEjOY65t5MjFxHfhaerGLm77vBf
FqhHTK0yqYApEjjOUNPJX4vJ0LizqNsA4uH0PEvVMwSkWNR4b7dZ1vtiHp9fOJFe
Qw4dmvci0V9qeNGwDGzU7+S0z+iOjDDfhg0IPYuPAuJZd8eLKTXQCKYLVTcv+pdI
iAYdqifDfONE2LZeN6rX2zDD5/8OulUCgNq2Rj/TFaj9TOPnPMkY5iSeLLtRW7B/
DKVuGBzRBvu/NewKiv7FpZxzIyJrsc/ePgGgGwHceks6ygS13e/Aj7WauD6m96y0
2ydBMZN+eh9asxAv7CKegzoStyqTQj4fxZyGtFnzepFCcvsKPE5AfVknVYmzskIb
RpahGaTzEA72zKB52WMlFEiTiv7hpuJWNijXRUuXy9jWvxtJzpWmJhp31prhWkyB
E+u90lrNnvd9Ux4MO1zLg6YZsrIGjcg+0j9l0OIq5GJRHukHnzAW+RmZveHP+DvE
Tf1i9oLuuPLgaDwkjvDpGEtYVHDdUWJSS8giZpR2fRVlaGG3bhSxtvfY/65r6o9I
mKo2KFfMsxNmmJoHr1o4QM3aEQJZ5eM49sdM0c8nwSDHA+gHORlYFThItowZtSR5
XgejTfRIe0I=
=dLPH
-----END PGP SIGNATURE-----