===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2021.1378
Release of OpenShift Serverless 1.14.0 security update
23 April 2021

===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:           OpenShift Serverless Products
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
                   Reduced Security                -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-20305 CVE-2021-3450 CVE-2021-3449
                   CVE-2021-3115 CVE-2021-3114
Reference:         ESB-2021.1198
                   ESB-2021.1180
                   ESB-2021.1075
                   ESB-2021.0309

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2021:1338
   https://access.redhat.com/errata/RHSA-2021:1339

Comment: This bulletin contains two (2) Red Hat security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Release of OpenShift Serverless 1.14.0 security update
Advisory ID:       RHSA-2021:1338-01
Product:           Red Hat OpenShift Serverless
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:1338
Issue date:        2021-04-22
CVE Names:         CVE-2021-3114 CVE-2021-3115 CVE-2021-3449
                   CVE-2021-3450 CVE-2021-20305
=====================================================================

1. Summary:

Release of OpenShift Serverless 1.14.0

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Serverless 1.14.0 is a generally available release of the
OpenShift Serverless Operator. This version of the OpenShift Serverless
Operator is supported on Red Hat OpenShift Container Platform versions 4.6
and 4.7, and includes security and bug fixes and enhancements. For more
information, see the documentation listed in the References section.

Security Fix(es):

* golang: crypto/elliptic: incorrect operations on the P-224 curve
(CVE-2021-3114)

* golang: cmd/go: packages using cgo can cause arbitrary code execution at
build time (CVE-2021-3115)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

See the Red Hat OpenShift Container Platform 4.6 documentation at:
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.6/html/serverless_applications/index

See the Red Hat OpenShift Container Platform 4.7 documentation at:
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.7/html/serverless/index

4. Bugs fixed (https://bugzilla.redhat.com/):

1918750 - CVE-2021-3114 golang: crypto/elliptic: incorrect operations on the P-224 curve
1918761 - CVE-2021-3115 golang: cmd/go: packages using cgo can cause arbitrary code execution at build time
1935897 - Release of OpenShift Serverless Serving 1.14.0
1935898 - Release of OpenShift Serverless Eventing 1.14.0

5. References:

https://access.redhat.com/security/cve/CVE-2021-3114
https://access.redhat.com/security/cve/CVE-2021-3115
https://access.redhat.com/security/cve/CVE-2021-3449
https://access.redhat.com/security/cve/CVE-2021-3450
https://access.redhat.com/security/cve/CVE-2021-20305
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.6/html/serverless_applications/index
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.7/html/serverless/index

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.

- -----------------------------------------------------------------------------

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Release of OpenShift Serverless Client kn 1.14.0 and security update
Advisory ID:       RHSA-2021:1339-01
Product:           Red Hat OpenShift Serverless
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:1339
Issue date:        2021-04-22
CVE Names:         CVE-2021-3114 CVE-2021-3115
=====================================================================

1. Summary:

Release of OpenShift Serverless Client kn 1.14.0

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Openshift Serverless 1 on RHEL 8Base - ppc64le, s390x, x86_64

3. Description:

Red Hat OpenShift Serverless Client kn 1.14.0 provides a CLI to interact
with Red Hat OpenShift Serverless 1.14.0. The kn CLI is delivered as an RPM
package for installation on RHEL platforms, and as binaries for non-Linux
platforms.

Security Fix(es):

* golang: crypto/elliptic: incorrect operations on the P-224 curve
(CVE-2021-3114)

* golang: cmd/go: packages using cgo can cause arbitrary code execution at
build time (CVE-2021-3115)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

See the Red Hat OpenShift Container Platform 4.6 documentation at:
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.6/html/serverless_applications/index

See the Red Hat OpenShift Container Platform 4.7 documentation at:
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.7/html/serverless/index

5. Bugs fixed (https://bugzilla.redhat.com/):

1918750 - CVE-2021-3114 golang: crypto/elliptic: incorrect operations on the P-224 curve
1918761 - CVE-2021-3115 golang: cmd/go: packages using cgo can cause arbitrary code execution at build time
1941695 - Release of OpenShift Serverless Client 1.14.0

6. Package List:

Openshift Serverless 1 on RHEL 8Base:

Source:
openshift-serverless-clients-0.20.0-6.el8.src.rpm

ppc64le:
openshift-serverless-clients-0.20.0-6.el8.ppc64le.rpm

s390x:
openshift-serverless-clients-0.20.0-6.el8.s390x.rpm

x86_64:
openshift-serverless-clients-0.20.0-6.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-3114
https://access.redhat.com/security/cve/CVE-2021-3115
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.6/html/serverless_applications/index
https://access.redhat.com/documentation/en-us/openshift_container_platform/4.7/html/serverless/index

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.
It may not be updated when updates to the original are made. If downloading
at a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================