-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.3468
       Important: OpenShift Container Platform 3.10 security update
                             12 September 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           atomic-openshift
Publisher:         Red Hat
Operating System:  Red Hat Enterprise Linux Server 7
                   Red Hat Enterprise Linux WS/Desktop 7
Impact/Access:     Denial of Service   -- Remote/Unauthenticated
                   Unauthorised Access -- Existing Account      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-11247 CVE-2019-9514 CVE-2019-9512

Reference:         ASB-2019.0238
                   ESB-2019.3458
                   ESB-2019.3440
                   ESB-2019.3437
                   ESB-2019.3432

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2019:2690

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: OpenShift Container Platform 3.10 security update
Advisory ID:       RHSA-2019:2690-01
Product:           Red Hat OpenShift Enterprise
Advisory URL:      https://access.redhat.com/errata/RHSA-2019:2690
Issue date:        2019-09-11
CVE Names:         CVE-2019-9512 CVE-2019-9514 CVE-2019-11247 
=====================================================================

1. Summary:

An update for atomic-openshift is now available for Red Hat OpenShift
Container Platform 3.10.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenShift Container Platform 3.10 - noarch, ppc64le, x86_64

3. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.

Security Fix(es):

* HTTP/2: flood using PING frames results in unbounded memory growth
(CVE-2019-9512)

* HTTP/2: flood using HEADERS frames results in unbounded memory growth
(CVE-2019-9514)

* kubernetes: API server allows access to cluster-scoped custom resources
as if resources were namespaced (CVE-2019-11247)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

All OpenShift Container Platform 3.10 users are advised to upgrade to these
updated packages and images.

4. Solution:

For OpenShift Container Platform 3.10 see the following documentation,
which will be updated shortly for release 3.10.170, for important
instructions on how to upgrade your cluster and fully apply this
asynchronous errata update:

https://docs.openshift.com/container-platform/3.10/release_notes/ocp_3_10_r
elease_notes.html

5. Bugs fixed (https://bugzilla.redhat.com/):

1732192 - CVE-2019-11247 kubernetes: API server allows access to cluster-scoped custom resources as if resources were namespaced
1735645 - CVE-2019-9512 HTTP/2: flood using PING frames results in unbounded memory growth
1735744 - CVE-2019-9514 HTTP/2: flood using HEADERS frames results in unbounded memory growth

6. Package List:

Red Hat OpenShift Container Platform 3.10:

Source:
atomic-openshift-3.10.170-1.git.0.8e592d6.el7.src.rpm

noarch:
atomic-openshift-docker-excluder-3.10.170-1.git.0.8e592d6.el7.noarch.rpm
atomic-openshift-excluder-3.10.170-1.git.0.8e592d6.el7.noarch.rpm

ppc64le:
atomic-openshift-3.10.170-1.git.0.8e592d6.el7.ppc64le.rpm
atomic-openshift-clients-3.10.170-1.git.0.8e592d6.el7.ppc64le.rpm
atomic-openshift-hyperkube-3.10.170-1.git.0.8e592d6.el7.ppc64le.rpm
atomic-openshift-hypershift-3.10.170-1.git.0.8e592d6.el7.ppc64le.rpm
atomic-openshift-master-3.10.170-1.git.0.8e592d6.el7.ppc64le.rpm
atomic-openshift-node-3.10.170-1.git.0.8e592d6.el7.ppc64le.rpm
atomic-openshift-pod-3.10.170-1.git.0.8e592d6.el7.ppc64le.rpm
atomic-openshift-sdn-ovs-3.10.170-1.git.0.8e592d6.el7.ppc64le.rpm
atomic-openshift-template-service-broker-3.10.170-1.git.0.8e592d6.el7.ppc64le.rpm
atomic-openshift-tests-3.10.170-1.git.0.8e592d6.el7.ppc64le.rpm

x86_64:
atomic-openshift-3.10.170-1.git.0.8e592d6.el7.x86_64.rpm
atomic-openshift-clients-3.10.170-1.git.0.8e592d6.el7.x86_64.rpm
atomic-openshift-clients-redistributable-3.10.170-1.git.0.8e592d6.el7.x86_64.rpm
atomic-openshift-hyperkube-3.10.170-1.git.0.8e592d6.el7.x86_64.rpm
atomic-openshift-hypershift-3.10.170-1.git.0.8e592d6.el7.x86_64.rpm
atomic-openshift-master-3.10.170-1.git.0.8e592d6.el7.x86_64.rpm
atomic-openshift-node-3.10.170-1.git.0.8e592d6.el7.x86_64.rpm
atomic-openshift-pod-3.10.170-1.git.0.8e592d6.el7.x86_64.rpm
atomic-openshift-sdn-ovs-3.10.170-1.git.0.8e592d6.el7.x86_64.rpm
atomic-openshift-template-service-broker-3.10.170-1.git.0.8e592d6.el7.x86_64.rpm
atomic-openshift-tests-3.10.170-1.git.0.8e592d6.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2019-9512
https://access.redhat.com/security/cve/CVE-2019-9514
https://access.redhat.com/security/cve/CVE-2019-11247
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2019 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXXkSwtzjgjWX9erEAQiIGA/9FZX057GDtsXUUyAdKqC5+nOnTRgivJbe
4I6BRuQ/2OVF9oEjDU/vWKz5W1lYmhz1hcpt6sPlOrNvaID/ksSKddWmGS+GB3q6
UWDpNybIhGKsskbEdfCk/TmGDjFmIg7oKSTdxz1M0X2Xvx5b6fQ77HuNR8oukXUk
4e5bCW9LJ9O3WeWpw1zw8zCQT9khoIlbrDyFfF4IVsnFjC6qriuo0IjuU7caiIcU
4cZ2V+MqGiDfFIENCJy7AZ4gSASEyOgfyDUyqNyFGPRCnVwyDKhcZVIn22mt+UXY
EeAVrQymIl9dd0Cv+kWZgggZ+UcpCFO2V4ASfqV4jaFUSttF70m/QJMCuF2ufmFI
TnAHaka/pmbKS86Q2ZR8DeF7kDC0bu029bS5gBKTwslZ786G9NJgLwRzoTiYxR7Y
/8SpBW/fO/ghArBmLg9qD/ghuzBFt5AutVHaLZHJ8NOYt3xWdSQ0VvTzDzMYeMwL
RsGE4prjdsOIobjdA4Hz1/qHWLaGPew4xlEM2eTmFTWsntNvD7/v5VFFR8dLg6WP
9T528gRpEsGmOUGfiKRF29YHX85IqT84bXEz2U1uwU7Wys1SQmaPhywefr1mHL7B
DXxcMwSwj/NZje6FO95Asv/Q+QpHDfA0GfH5r/WE9HAY2eOvhKlbtgt1dXZx/Ul4
ITLdgFh2GRI=
=j3mL
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXXmQwmaOgq3Tt24GAQh1zg/+KypHNUjosoxYhcs7LHh/OAlzaWQXWMyr
AQx/bfGfN9hEyb0CTi0ud2BexFMkpdgfpJbAKNIbYAispCerg9FEzJ2XdEdQGSAf
Ry0kL554sW+M3lpdqzt7VS/8KLhAIs/uB3T5DzPRvib55p7ZeKavGnnYqw0HQTb5
TLH8fHbGbu9jtA29FWhJ8IOugHUZIfGEJ9DPfleA6vAoF/7kWQHQpZMFkJeeLEfJ
Hv2NtYxWEKLBgq+GlBT2J5hr0LCF2vd63Y34b8RXWgSAdALUHMGc9eDQDv0yZ1K6
EF1tqg/v0LKulfKJN2FKf+TzuZPaaseTR8b80ERpNooGbhMigyfAZ+dod9IFROUE
qJH9dJkb3OXt4fX3gNq8bR4ME5GNRodNTV7P1mos49b+tPheEqM2xZlcYnRFwKdl
SAZ44tpPSBZQfjR51Yqg5YNMs/5DEY1Q4t6MpiN8MdXs3c+WAKntHUJMZ3GBHNVm
9JtPUR48+90RpxrSNGdNMlPfftGGO3/rJ9aKs041pZPJQYc6xnc6Kw6FHY/T8/JF
2GJT3n8fZ8ChUnC2xmphT542z2LpPRmP3qCxEeES+hqsHBUjoKa9Ar5h2hr0kjJD
xxJFd37EXkttgbAywEjdZoQ1EDzB/0pf3MdYMlynHsdECAM3PR8i1H/H1MsOE/3Q
CFTNDZfQxAc=
=i7XX
-----END PGP SIGNATURE-----