===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.2495
   Moderate: Red Hat OpenShift Application Runtimes Node.js security update
                               23 August 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Red Hat OpenShift Application Runtimes
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Overwrite Arbitrary Files -- Remote/Unauthenticated
                   Denial of Service         -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-12115 CVE-2018-0732
Reference:         ESB-2018.2458
                   ESB-2018.2333
                   ESB-2018.2187
                   ESB-2018.1870

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2018:2552
   https://access.redhat.com/errata/RHSA-2018:2553

Comment: This bulletin contains two (2) Red Hat security advisories.

--------------------------BEGIN INCLUDED TEXT--------------------

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat OpenShift Application Runtimes Node.js 8.11.4 security update
Advisory ID:       RHSA-2018:2552-01
Product:           Red Hat OpenShift Application Runtimes
Advisory URL:      https://access.redhat.com/errata/RHSA-2018:2552
Issue date:        2018-08-22
Keywords:          Node.js
CVE Names:         CVE-2018-0732 CVE-2018-12115
=====================================================================

1. Summary:

An update is now available for Red Hat OpenShift Application Runtimes.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenShift Application Runtimes Node.js 8 - noarch, x86_64

3. Description:

Red Hat OpenShift Application Runtimes provides an application platform that reduces the complexity of developing and operating applications (monoliths and microservices) for OpenShift as a containerized platform.

This release of RHOAR Node.js 8.11.4 serves as a replacement for RHOAR Node.js 8.11.3, and includes bug fixes and enhancements. For further information, refer to the Release Notes linked to in the References section.

Security Fix(es):

* openssl: Malicious server can send large prime to client during DH(E) TLS handshake causing the client to hang (CVE-2018-0732)

* nodejs: Out of bounds (OOB) write via UCS-2 encoding (CVE-2018-12115)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1591100 - CVE-2018-0732 openssl: Malicious server can send large prime to client during DH(E) TLS handshake causing the client to hang
1620219 - CVE-2018-12115 nodejs: Out of bounds (OOB) write via UCS-2 encoding

6. JIRA issues fixed (https://issues.jboss.org/):

NODE-153 - Productisation (Node CVE-2018-12115): Out of bounds (OOB) write
NODE-154 - Productisation (OpenSSL CVE-2018-0732): Client DoS due to large DH parameter
NODE-155 - Productisation (OpenSSL CVE not assigned): ECDSA key extraction via local side-channel
NODE-160 - Productisation (Errata): Build Node 8.11.4 RPMs

7. Package List:

Red Hat OpenShift Application Runtimes Node.js 8:

Source:
rhoar-nodejs-8.11.4-2.el7.src.rpm

noarch:
rhoar-nodejs-docs-8.11.4-2.el7.noarch.rpm

x86_64:
npm-5.6.0-1.8.11.4.2.el7.x86_64.rpm
rhoar-nodejs-8.11.4-2.el7.x86_64.rpm
rhoar-nodejs-debuginfo-8.11.4-2.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

8. References:

https://access.redhat.com/security/cve/CVE-2018-0732
https://access.redhat.com/security/cve/CVE-2018-12115
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_openshift_application_runtimes/1/html-single/red_hat_openshift_application_runtimes_release_notes/index#runtime_components_nodejs_rpm_packages
https://nodejs.org/en/blog/vulnerability/august-2018-security-releases/

9. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/

Copyright 2018 Red Hat, Inc.
==============================================================================

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat OpenShift Application Runtimes Node.js 10.9.0 security update
Advisory ID:       RHSA-2018:2553-01
Product:           Red Hat OpenShift Application Runtimes
Advisory URL:      https://access.redhat.com/errata/RHSA-2018:2553
Issue date:        2018-08-22
Keywords:          Node.js
CVE Names:         CVE-2018-0732 CVE-2018-7166 CVE-2018-12115
=====================================================================

1. Summary:

An update is now available for Red Hat OpenShift Application Runtimes.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenShift Application Runtimes Node.js 10 - noarch, x86_64

3. Description:

Red Hat OpenShift Application Runtimes provides an application platform that reduces the complexity of developing and operating applications (monoliths and microservices) for OpenShift as a containerized platform.

This release of RHOAR Node.js 10.9.0 serves as a replacement for RHOAR Node.js 10.8.0, and includes bug fixes and enhancements. For further information, refer to the Release Notes linked to in the References section.

Security Fix(es):

* openssl: Malicious server can send large prime to client during DH(E) TLS handshake causing the client to hang (CVE-2018-0732)

* nodejs: Unintentional exposure of uninitialized memory (CVE-2018-7166)

* nodejs: Out of bounds (OOB) write via UCS-2 encoding (CVE-2018-12115)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1591100 - CVE-2018-0732 openssl: Malicious server can send large prime to client during DH(E) TLS handshake causing the client to hang
1620215 - CVE-2018-7166 nodejs: Unintentional exposure of uninitialized memory
1620219 - CVE-2018-12115 nodejs: Out of bounds (OOB) write via UCS-2 encoding

6. JIRA issues fixed (https://issues.jboss.org/):

NODE-152 - Productisation (Node CVE-2018-7166): Unintentional exposure of uninitialized memory
NODE-153 - Productisation (Node CVE-2018-12115): Out of bounds (OOB) write
NODE-154 - Productisation (OpenSSL CVE-2018-0732): Client DoS due to large DH parameter
NODE-155 - Productisation (OpenSSL CVE not assigned): ECDSA key extraction via local side-channel

7. Package List:

Red Hat OpenShift Application Runtimes Node.js 10:

Source:
rhoar-nodejs-10.9.0-1.el7.src.rpm

noarch:
rhoar-nodejs-docs-10.9.0-1.el7.noarch.rpm

x86_64:
npm-6.2.0-1.10.9.0.1.el7.x86_64.rpm
rhoar-nodejs-10.9.0-1.el7.x86_64.rpm
rhoar-nodejs-debuginfo-10.9.0-1.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

8. References:

https://access.redhat.com/security/cve/CVE-2018-0732
https://access.redhat.com/security/cve/CVE-2018-7166
https://access.redhat.com/security/cve/CVE-2018-12115
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_openshift_application_runtimes/1/html-single/red_hat_openshift_application_runtimes_release_notes/index#runtime_components_nodejs_rpm_packages
https://nodejs.org/en/blog/vulnerability/august-2018-security-releases/

9. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/

Copyright 2018 Red Hat, Inc.
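As an added check that is not part of either advisory: given `rpm -qa` output, this script flags rhoar-nodejs packages still older than the fixed builds in section 7 of the two advisories (8.11.4-2.el7 for the Node.js 8 stream, 10.9.0-1.el7 for Node.js 10). It assumes a simplified rpmvercmp (no tilde or caret ordering), a constructed `rpm -qa` sample rather than real host output, and leaves npm and other packages out of scope.

```python
import re

# Fixed version-release per Node.js stream, from the package lists of RHSA-2018:2552 and RHSA-2018:2553.
FIXED = {"8": ("8.11.4", "2.el7"), "10": ("10.9.0", "1.el7")}

# Constructed sample of `rpm -qa` output, not taken from a real host.
SAMPLE_RPM_QA = """\
rhoar-nodejs-8.11.3-1.el7.x86_64
rhoar-nodejs-docs-8.11.3-1.el7.noarch
rhoar-nodejs-10.9.0-1.el7.x86_64
openssl-1.0.2k-12.el7.x86_64
gpg-pubkey-fd431d51-4ae0493b
"""

def rpmvercmp(a, b):
    """Simplified rpm version compare (no tilde/caret handling): numeric and
    alphabetic segments alternate, numerics compare as ints and outrank alphas."""
    sa, sb = (re.findall(r"[0-9]+|[A-Za-z]+", s) for s in (a, b))
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # leftover segments win

def parse_nvra(pkg):
    """Split 'name-version-release.arch'; None if the string is not in that shape."""
    nvr, dot, arch = pkg.rpartition(".")
    parts = nvr.rsplit("-", 2)
    return (*parts, arch) if dot and len(parts) == 3 else None

def is_patched(pkg):
    """True/False for rhoar-nodejs* packages; None when these advisories do not apply."""
    parsed = parse_nvra(pkg)
    if parsed is None or not parsed[0].startswith("rhoar-nodejs"):
        return None
    _, version, release, _ = parsed
    fixed = FIXED.get(version.split(".")[0])  # the stream is the major version
    if fixed is None:
        return None
    c = rpmvercmp(version, fixed[0]) or rpmvercmp(release, fixed[1])
    return c >= 0

def unpatched(rpm_qa_output):
    return [p for p in rpm_qa_output.split() if is_patched(p) is False]

print(unpatched(SAMPLE_RPM_QA))  # constructed sample: flags the two 8.11.3 packages
```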
--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================