ESB-2018.2495 - [RedHat] Red Hat OpenShift Application Runtimes : Multiple vulnerabilities 2018-08-23


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.2495
 Moderate: Red Hat OpenShift Application Runtimes Node.js security update
                              23 August 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Red Hat OpenShift Application Runtimes
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Access Confidential Data -- Remote/Unauthenticated
                   Denial of Service        -- Remote/Unauthenticated
                   Denial of Service        -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-12115 CVE-2018-7166 CVE-2018-0732

Reference:         ESB-2018.2458
                   ESB-2018.2333
                   ESB-2018.2187
                   ESB-2018.1870

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2018:2552
   https://access.redhat.com/errata/RHSA-2018:2553

Comment: This bulletin contains two (2) Red Hat security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat OpenShift Application Runtimes Node.js 8.11.4 security update
Advisory ID:       RHSA-2018:2552-01
Product:           Red Hat OpenShift Application Runtimes
Advisory URL:      https://access.redhat.com/errata/RHSA-2018:2552
Issue date:        2018-08-22
Keywords:          Node.js
CVE Names:         CVE-2018-0732 CVE-2018-12115 
=====================================================================

1. Summary:

An update is now available for Red Hat OpenShift Application Runtimes.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenShift Application Runtimes Node.js 8 - noarch, x86_64

3. Description:

Red Hat OpenShift Application Runtimes provides an application platform
that reduces the complexity of developing and operating applications
(monoliths and microservices) for OpenShift as a containerized platform.

This release of RHOAR Node.js 8.11.4 serves as a replacement for RHOAR
Node.js 8.11.3, and includes bug fixes and enhancements. For further
information, refer to the Release Notes linked to in the References
section.

Security Fix(es):

* openssl: Malicious server can send large prime to client during DH(E) TLS
handshake causing the client to hang (CVE-2018-0732)

* nodejs: Out of bounds (OOB) write via UCS-2 encoding (CVE-2018-12115)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.
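
The OpenSSL issue above is a missing bound on an attacker-controlled value: a TLS
client that accepts whatever dh_p the server sends will attempt DH key generation
with it, and the cost of that grows steeply with the size of the prime, so a
multi-megabit prime stalls the client. The following is an added example, not
code from the Red Hat advisory, OpenSSL or Node.js: it parses the ServerDHParams
structure of a TLS ServerKeyExchange and applies the kind of ceiling the fix
introduced before any arithmetic is attempted. The 10,000-bit maximum is the
value OpenSSL adopted for this CVE (OPENSSL_DH_MAX_MODULUS_BITS); the 1,024-bit
minimum, the function names and the constructed parameter blobs are this
example's own assumptions.

```javascript
// Added example, not part of the Red Hat advisory or of OpenSSL/Node.js: the check
// a TLS client should apply to DH parameters before committing to key generation.
'use strict';

// OpenSSL's fix for CVE-2018-0732 refuses primes longer than 10,000 bits
// (OPENSSL_DH_MAX_MODULUS_BITS); the floor below is this example's own assumption.
const DH_MAX_MODULUS_BITS = 10000;
const DH_MIN_MODULUS_BITS = 1024;

// One field of ServerDHParams (RFC 5246, 7.4.3): uint16 length + big-endian bytes.
function readOpaque16(buf, pos) {
  if (pos + 2 > buf.length) throw new RangeError('truncated length field');
  const len = buf.readUInt16BE(pos);
  pos += 2;
  if (len === 0) throw new RangeError('zero-length DH field');
  if (pos + len > buf.length) throw new RangeError('truncated DH field');
  return { value: buf.subarray(pos, pos + len), next: pos + len };
}

// Bit length of an unsigned big-endian integer, ignoring leading zero bytes.
function bitLength(bytes) {
  let i = 0;
  while (i < bytes.length && bytes[i] === 0) i++;
  if (i === bytes.length) return 0;
  return (bytes.length - i - 1) * 8 + (32 - Math.clz32(bytes[i]));
}

// ServerDHParams = dh_p, dh_g, dh_Ys, each an opaque<1..2^16-1>.
function parseServerDHParams(buf) {
  const p = readOpaque16(buf, 0);
  const g = readOpaque16(buf, p.next);
  const ys = readOpaque16(buf, g.next);
  return { p: p.value, g: g.value, ys: ys.value, consumed: ys.next };
}

// The gate: decide from the wire bytes alone, before any modular arithmetic,
// whether dh_p is something this client is willing to compute with.
// Returns { ok: true, bits } or { ok: false, bits?, reason }.
function checkServerDHParams(buf) {
  let params;
  try {
    params = parseServerDHParams(buf);
  } catch (e) {
    return { ok: false, reason: 'malformed ServerDHParams: ' + e.message };
  }
  const bits = bitLength(params.p);
  if (bits > DH_MAX_MODULUS_BITS) {
    return { ok: false, bits, reason: 'dh_p exceeds ' + DH_MAX_MODULUS_BITS + ' bits' };
  }
  if (bits < DH_MIN_MODULUS_BITS) {
    return { ok: false, bits, reason: 'dh_p below ' + DH_MIN_MODULUS_BITS + ' bits' };
  }
  if (bitLength(params.ys) > bits) {
    return { ok: false, bits, reason: 'dh_Ys is wider than the modulus' };
  }
  return { ok: true, bits };
}

// Encoder used only to build test input; a real client reads this off the socket.
function encodeServerDHParams(p, g, ys) {
  const parts = [];
  for (const field of [p, g, ys]) {
    const len = Buffer.alloc(2);
    len.writeUInt16BE(field.length, 0);
    parts.push(len, field);
  }
  return Buffer.concat(parts);
}

// Constructed stand-ins for dh_p / dh_Ys: right width and top bit set, not real
// group parameters (the check looks at size only).
function fakeModulus(byteLen) {
  const m = Buffer.alloc(byteLen, 0xff);
  m[0] = 0x80;
  return m;
}

const G2 = Buffer.from([2]);
const benignParams = encodeServerDHParams(fakeModulus(256), G2, fakeModulus(256));   // 2048-bit p
const hostileParams = encodeServerDHParams(fakeModulus(8192), G2, fakeModulus(256)); // 65536-bit p
const weakParams = encodeServerDHParams(fakeModulus(64), G2, fakeModulus(64));       // 512-bit p

console.log(checkServerDHParams(benignParams));  // { ok: true, bits: 2048 }
console.log(checkServerDHParams(hostileParams)); // rejected before any exponentiation
console.log(checkServerDHParams(weakParams));    // rejected as too small
```

The point of the ordering is that the size test costs a linear scan of the bytes
and nothing more; the expensive operation (generating the client's DH key against
dh_p) only runs once the parameters have passed it. A runtime that links a fixed
OpenSSL does this internally; the example shows what the guard has to look like
for anyone implementing or reviewing a client that handles DH parameters itself.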

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1591100 - CVE-2018-0732 openssl: Malicious server can send large prime to client during DH(E) TLS handshake causing the client to hang
1620219 - CVE-2018-12115 nodejs: Out of bounds (OOB) write via UCS-2 encoding

6. JIRA issues fixed (https://issues.jboss.org/):

NODE-153 - Productisation (Node CVE-2018-12115): Out of bounds (OOB) write
NODE-154 - Productisation (OpenSSL CVE-2018-0732): Client DoS due to large DH parameter
NODE-155 - Productisation (OpenSSL CVE not assigned): ECDSA key extraction via local side-channel
NODE-160 - Productisation (Errata): Build Node 8.11.4 RPMs

7. Package List:

Red Hat OpenShift Application Runtimes Node.js 8:

Source:
rhoar-nodejs-8.11.4-2.el7.src.rpm

noarch:
rhoar-nodejs-docs-8.11.4-2.el7.noarch.rpm

x86_64:
npm-5.6.0-1.8.11.4.2.el7.x86_64.rpm
rhoar-nodejs-8.11.4-2.el7.x86_64.rpm
rhoar-nodejs-debuginfo-8.11.4-2.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

8. References:

https://access.redhat.com/security/cve/CVE-2018-0732
https://access.redhat.com/security/cve/CVE-2018-12115
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_openshift_application_runtimes/1/html-single/red_hat_openshift_application_runtimes_release_notes/index#runtime_components_nodejs_rpm_packages
https://nodejs.org/en/blog/vulnerability/august-2018-security-releases/

9. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2018 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
- -----END PGP SIGNATURE-----

==============================================================================

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat OpenShift Application Runtimes Node.js 10.9.0 security update
Advisory ID:       RHSA-2018:2553-01
Product:           Red Hat OpenShift Application Runtimes
Advisory URL:      https://access.redhat.com/errata/RHSA-2018:2553
Issue date:        2018-08-22
Keywords:          Node.js
CVE Names:         CVE-2018-0732 CVE-2018-7166 CVE-2018-12115 
=====================================================================

1. Summary:

An update is now available for Red Hat OpenShift Application Runtimes.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenShift Application Runtimes Node.js 10 - noarch, x86_64

3. Description:

Red Hat OpenShift Application Runtimes provides an application platform
that reduces the complexity of developing and operating applications
(monoliths and microservices) for OpenShift as a containerized platform.

This release of RHOAR Node.js 10.9.0 serves as a replacement for RHOAR
Node.js 10.8.0, and includes bug fixes and enhancements. For further
information, refer to the Release Notes linked to in the References
section.

Security Fix(es):

* openssl: Malicious server can send large prime to client during DH(E) TLS
handshake causing the client to hang (CVE-2018-0732)

* nodejs: Unintentional exposure of uninitialized memory (CVE-2018-7166)

* nodejs: Out of bounds (OOB) write via UCS-2 encoding (CVE-2018-12115)

For more details about the security issue(s), including the impact, a CVSS
score, and other related information, refer to the CVE page(s) listed in
the References section.
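
Checks a practitioner can run against a Node.js runtime to confirm it carries the
fixes in this bulletin, as an added example that is not code from Red Hat or the
Node.js project. It compares process.version against the fixed releases shipped
here (8.11.4 and 10.9.0; other release lines are reported as unknown because this
bulletin does not cover them), then exercises the two Buffer behaviours at issue:
a ucs2 write must never reach outside the target Buffer (CVE-2018-12115), and
Buffer.alloc with a fill value must return fully initialised memory or reject the
call, including when the encoding argument is a number, the misprocessed input
the upstream Node.js release notes in the References describe for CVE-2018-7166.
The function names, the guard-byte layout and the probe sizes are the example's
own.

```javascript
// Added example, not part of the advisory or of the Node.js project: checks to
// run on a Node.js runtime to confirm it carries the fixes in this bulletin.
'use strict';

// Fixed releases shipped by this bulletin. Other major lines are not covered here.
const FIXED = { 8: [8, 11, 4], 10: [10, 9, 0] };

// Compare a "vX.Y.Z" string (e.g. process.version) against the fixed release
// for its major line. Returns 'fixed', 'vulnerable' or 'unknown'.
function patchStatus(versionString) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(versionString);
  if (!m) return 'unknown';
  const v = m.slice(1, 4).map(Number);
  const fixed = FIXED[v[0]];
  if (!fixed) return 'unknown';
  for (let i = 0; i < 3; i++) {
    if (v[i] > fixed[i]) return 'fixed';
    if (v[i] < fixed[i]) return 'vulnerable';
  }
  return 'fixed';
}

// CVE-2018-12115 probe. Buffer.write(str, offset, 'ucs2') must never touch a byte
// outside the target Buffer, whatever the offset or the (odd or even) space left.
// The target is a view inside a larger parent filled with a guard value, so a
// write past either end of the view shows up as a changed guard byte.
const GUARD = 0xaa;
function ucs2WriteStaysInBounds(viewLen) {
  const str = 'a'.repeat(viewLen); // 2 bytes per char: always more than fits
  for (let offset = 0; offset <= viewLen; offset++) {
    const parent = Buffer.alloc(viewLen + 16, GUARD);
    const view = parent.subarray(8, 8 + viewLen);
    const remaining = viewLen - offset;
    const written = view.write(str, offset, 'ucs2');
    // a 2-byte encoding can fill at most floor(remaining / 2) * 2 bytes
    if (written > remaining - (remaining % 2) || written % 2 !== 0) return false;
    const guardsIntact = parent.subarray(0, 8).every((b) => b === GUARD) &&
                         parent.subarray(8 + viewLen).every((b) => b === GUARD);
    if (!guardsIntact) return false;
  }
  return true;
}

// CVE-2018-7166 probe. Buffer.alloc(size, fill, encoding) promises initialised
// memory. The affected 10.x releases mis-handled a numeric encoding argument and
// skipped part of the fill, leaving those bytes with whatever the allocator held.
// A patched runtime either fills every byte or rejects the argument with a TypeError.
const FILL_CHAR = 'x'; // 0x78 in every encoding this probe uses
function allocIsFullyInitialised(size, encodingArg) {
  let buf;
  try {
    buf = Buffer.alloc(size, FILL_CHAR, encodingArg);
  } catch (e) {
    return e instanceof TypeError; // rejecting a bad encoding argument is acceptable
  }
  return buf.length === size && buf.every((b) => b === 0x78);
}

// One report for the runtime this script is executed by.
function runtimeReport() {
  return {
    version: process.version,
    status: patchStatus(process.version),
    ucs2WriteInBounds: [7, 8, 33].every(ucs2WriteStaysInBounds),
    allocInitialised: [undefined, 'latin1', 5].every((enc) => allocIsFullyInitialised(64, enc)),
  };
}

console.log(runtimeReport());
```

Run it with the node binary installed by the rhoar-nodejs package rather than
any other Node.js on the host: a status of 'vulnerable' or a false probe result
means that runtime has not picked up the update. Passing probes speak only for
the two Buffer behaviours; the OpenSSL fix sits in the library the runtime links
against and is covered by the version comparison, not by a behavioural test.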

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1591100 - CVE-2018-0732 openssl: Malicious server can send large prime to client during DH(E) TLS handshake causing the client to hang
1620215 - CVE-2018-7166 nodejs: Unintentional exposure of uninitialized memory
1620219 - CVE-2018-12115 nodejs: Out of bounds (OOB) write via UCS-2 encoding

6. JIRA issues fixed (https://issues.jboss.org/):

NODE-152 - Productisation (Node CVE-2018-7166): Unintentional exposure of uninitialized memory
NODE-153 - Productisation (Node CVE-2018-12115): Out of bounds (OOB) write
NODE-154 - Productisation (OpenSSL CVE-2018-0732): Client DoS due to large DH parameter
NODE-155 - Productisation (OpenSSL CVE not assigned): ECDSA key extraction via local side-channel

7. Package List:

Red Hat OpenShift Application Runtimes Node.js 10:

Source:
rhoar-nodejs-10.9.0-1.el7.src.rpm

noarch:
rhoar-nodejs-docs-10.9.0-1.el7.noarch.rpm

x86_64:
npm-6.2.0-1.10.9.0.1.el7.x86_64.rpm
rhoar-nodejs-10.9.0-1.el7.x86_64.rpm
rhoar-nodejs-debuginfo-10.9.0-1.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

8. References:

https://access.redhat.com/security/cve/CVE-2018-0732
https://access.redhat.com/security/cve/CVE-2018-7166
https://access.redhat.com/security/cve/CVE-2018-12115
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_openshift_application_runtimes/1/html-single/red_hat_openshift_application_runtimes_release_notes/index#runtime_components_nodejs_rpm_packages
https://nodejs.org/en/blog/vulnerability/august-2018-security-releases/

9. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2018 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBW33SaNzjgjWX9erEAQgpTg/8Di3AWvuNUDmkxU5rLuPR+f4VophmQWWc
W++fsAa1qZLkuoNnd4gorHv1XmgipUJGqKecJUVuBM99BWsUnuQnrh/+bpiAx42z
9uHWAVuj6eeVku+Jf+AKcciiDzPUU6Op+/HnWq41oaHZ/FCi/XDT78jMwfecoG95
6p8cRQTa7RI1fEvSx1ERzixT/Y0DHIFoZH6cvTGNWPdeo8ooM9rm4SCqPnkimPIh
je1QYJgi6IzKIf5CVJrm5F1IU85sl0rlzsTS3JHe35lb62s79vQI+p//RhtC/88+
2K0z6PrZBLhhBFPHJGbx/OO7wI5ChkI5GijRBCJbyKZi4v/tsiB+3AVpJP2q3dEV
Vf8En+FAMzzzg+y8cTfP7v2ClE29mnwM/n4MGwhtK3Tv2+dDWOu5obNwLM3AhpKo
6WJFlklbB45Z0JsgQzGMDfjqq/1dpzc+Iumb3NA7BBwbEUMl6VaibxU1ce2mF55/
3a+XIcYc0npxKxlRf4DuHkxGOvQHERUXqbtIN+B8snJbY2mouQLAWuumJ3XrJg9n
w+LWUar+q2iJhcgnfGIlE33Vmg3pKXGQgKdKFsF53UfrwJMJTZkYVRHdFgm/jL7R
wzaoFIkDqlf40vt4PD4FwpbCy0+dyQHOSUNhLb2YjU8uDLRegRz4mH7N+ns6yIR7
tm3ANPyZd50=
=hzV6
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
