-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.2284
    Release of containers for OSP 16.2.z director operator tech preview
                                12 May 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           containers for OSP 16.2.z director operator
Publisher:         Red Hat
Operating System:  Red Hat
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-1271 CVE-2022-1154 CVE-2021-32760
                   CVE-2021-29482 CVE-2020-15257 CVE-2019-19794
                   CVE-2019-11253 CVE-2018-25032 

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2022:2183

Comment: CVSS (Max):  8.8 CVE-2020-15257 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: Red Hat
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Release of containers for OSP 16.2.z director operator tech preview
Advisory ID:       RHSA-2022:2183-01
Product:           Red Hat OpenStack Platform
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:2183
Issue date:        2022-05-11
CVE Names:         CVE-2018-25032 CVE-2019-11253 CVE-2019-19794 
                   CVE-2020-15257 CVE-2021-29482 CVE-2021-32760 
                   CVE-2022-1154 CVE-2022-1271 
=====================================================================

1. Summary:

Red Hat OpenStack Platform 16.2 (Train) director Operator containers are
available for technology preview.

2. Description:

Release osp-director-operator images

Security Fix(es):

* golang: kubernetes: YAML parsing vulnerable to "Billion Laughs" attack,
allowing for remote denial of service (CVE-2019-11253)
* golang: golang-github-miekg-dns: predictable TXID can lead to response
forgeries (CVE-2019-19794)
* golang: containerd: unrestricted access to abstract Unix domain socket
can lead to privilege escalation (CVE-2020-15257)
* golang: ulikunitz/xz: Infinite loop in readUvarint allows for denial of
service (CVE-2021-29482)
* golang: containerd: pulling and extracting crafted container image may
result in Unix file permission changes (CVE-2021-32760)
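
The readUvarint issue above (CVE-2021-29482) is a decoder loop that never
terminates while the input keeps its continuation bit set. The Go program
below is an added illustration of the defensive pattern, not code from Red
Hat, ulikunitz/xz or the operator images: a base-128 varint reader that caps
the loop at ten bytes (the bound encoding/binary uses for 64-bit values) so
that a run of 0x80 bytes returns an error instead of hanging. Function and
variable names (readUvarintBounded, decodeBytes, isTruncated,
errVarintOverflow) and the sample inputs are assumptions made for this example.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
)

// maxVarintLen64 bounds how many bytes a base-128 varint may occupy.
// It is the same bound encoding/binary uses for a 64-bit value.
const maxVarintLen64 = 10

// errVarintOverflow is returned when the input never clears the
// continuation bit within maxVarintLen64 bytes or encodes more than 64 bits.
var errVarintOverflow = errors.New("uvarint: overflow or too many continuation bytes")

// readUvarintBounded decodes a base-128 varint (7 payload bits per byte,
// high bit set on every byte but the last) from r. The loop is capped at
// maxVarintLen64 iterations, so a stream of 0x80 bytes, which keeps the
// continuation bit set forever, yields an error rather than an endless
// read loop. It returns the value, the bytes consumed, and an error.
func readUvarintBounded(r io.ByteReader) (uint64, int, error) {
	var x uint64
	var shift uint
	for i := 0; i < maxVarintLen64; i++ {
		b, err := r.ReadByte()
		if err != nil {
			// Truncated input (io.EOF from a bytes.Reader) is reported as-is.
			return 0, i, err
		}
		if b < 0x80 {
			// Final byte. On the tenth byte only one payload bit fits into
			// a uint64, so anything above 1 would be silently dropped.
			if i == maxVarintLen64-1 && b > 1 {
				return 0, i + 1, errVarintOverflow
			}
			return x | uint64(b)<<shift, i + 1, nil
		}
		x |= uint64(b&0x7f) << shift
		shift += 7
	}
	return 0, maxVarintLen64, errVarintOverflow
}

// decodeBytes is a convenience wrapper over an in-memory byte slice.
func decodeBytes(data []byte) (uint64, int, error) {
	return readUvarintBounded(bytes.NewReader(data))
}

// isTruncated reports whether the error came from running out of input
// rather than from a malformed encoding.
func isTruncated(err error) bool {
	return err == io.EOF || err == io.ErrUnexpectedEOF
}

func main() {
	// Constructed sample inputs (assumed for this example, not taken from a real xz stream).
	samples := map[string][]byte{
		"valid 624485":     {0xE5, 0x8E, 0x26},
		"single byte 5":    {0x05},
		"truncated":        {0x80, 0x80},
		"endless 0x80 run": bytes.Repeat([]byte{0x80}, 64),
		"65-bit overflow":  append(bytes.Repeat([]byte{0x80}, 9), 0x02),
	}
	for name, in := range samples {
		v, n, err := decodeBytes(in)
		fmt.Printf("%-17s value=%d consumed=%d err=%v\n", name, v, n, err)
	}
}
```

The point of the check is that every exit path is reached within a fixed
number of reads: a well-formed value returns after its last byte, truncated
input surfaces the reader's own error, and a continuation-bit run or a value
wider than 64 bits is rejected after at most ten bytes instead of spinning.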

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page listed in the References section.

3. Solution:

OSP 16.2 Release - OSP Director Operator Containers tech preview

4. Bugs fixed (https://bugzilla.redhat.com/):

1757701 - CVE-2019-11253 kubernetes: YAML parsing vulnerable to "Billion Laughs" attack, allowing for remote denial of service
1786761 - CVE-2019-19794 golang-github-miekg-dns: predictable TXID can lead to response forgeries
1899487 - CVE-2020-15257 containerd: unrestricted access to abstract Unix domain socket can lead to privileges escalation
1954368 - CVE-2021-29482 ulikunitz/xz: Infinite loop in readUvarint allows for denial of service
1982681 - CVE-2021-32760 containerd: pulling and extracting crafted container image may result in Unix file permission changes
2079447 - Rebase tech preview on latest upstream v1.2.x branch

5. References:

https://access.redhat.com/security/cve/CVE-2018-25032
https://access.redhat.com/security/cve/CVE-2019-11253
https://access.redhat.com/security/cve/CVE-2019-19794
https://access.redhat.com/security/cve/CVE-2020-15257
https://access.redhat.com/security/cve/CVE-2021-29482
https://access.redhat.com/security/cve/CVE-2021-32760
https://access.redhat.com/security/cve/CVE-2022-1154
https://access.redhat.com/security/cve/CVE-2022-1271
https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYnvx49zjgjWX9erEAQifFg//TCQNGh/8hkZ1S3v71P6N+j3RHuuxNg3G
1vq4Per7WcfFjeyBw/LCFp+Ul8Qb7XgtAAY1L5FW4m6uUgrgqcd3RtGS1m5xbO9/
jyRo90kvUEfh1kIJXFVBf5OOI9r0BaYcxlmdAmL7nDZTTQJyjjSHKv0XN/4Ic7r7
+R6TtwDNy2RlcPY6pggctR6MuxxUqsgkVWcfHBABcdvMyF2XEmrPkC9tzQXx6BdP
8HpxlvD2J/MXthqAcKxqPEmszOV41JTwsi/SFdk+5aA5XLlFwrNHvCRyK0FANO0P
sM1EdU1ZnUK/Jo0G2xmMG+aExLC1IPaAQ0yA0LvBoV0Wh0oh3pJDB+8BVjnCJk3o
AwdcNb+FOUaI4ZHlJ0wMQki97HyBazTG3NMVCfvko8/LCgkBA8ROQRSxOOjxhG0J
T5uO0QYi16wWUQMmBj9S2LW0IX/iTpI4POTlVXD6b9PUR3WQ4bki4s1D61Ub7Uny
/QCRDMAxQSZ4xFhfX+d3Q3V35C9Kyg3Bhce5KdDGmp1mVZRh1NmG46IW/1/GWfpv
JljVcvbWH/4+rRF3fN7h2jAULRRziCeLin+noj1hqPTR+5DnNbGammKZjU8RafcA
4WbJO5kCqE4mjSfzPgyd26CxzES5vtlIpjYlglGfNwcCOc/oXshtARjrusOHfb1r
uegJW1UHUAo=
=ny/g
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
=XNsZ
-----END PGP SIGNATURE-----