Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2019.3906
OpenShift Container Platform 3.11 mediawiki security update
18 October 2019
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: OpenShift Container Platform 3.11 mediawiki
OpenShift Container Platform 3.11 atomic-openshift
OpenShift Container Platform 3.11 jenkins
Publisher: Red Hat
Operating System: Red Hat
Impact/Access: Cross-site Request Forgery -- Remote with User Interaction
Cross-site Scripting -- Remote with User Interaction
Reduced Security -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2019-10384 CVE-2019-10383 CVE-2019-10150
CVE-2018-0505 CVE-2018-0503
Reference: ESB-2019.3900
ESB-2019.3841
ESB-2019.3576
ESB-2018.2842
Original Bulletin:
https://access.redhat.com/errata/RHSA-2019:3142
https://access.redhat.com/errata/RHSA-2019:3143
https://access.redhat.com/errata/RHSA-2019:3144
Comment: This bulletin contains three (3) Red Hat security advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Low: OpenShift Container Platform 3.11 mediawiki security update
Advisory ID: RHSA-2019:3142-01
Product: Red Hat OpenShift Enterprise
Advisory URL: https://access.redhat.com/errata/RHSA-2019:3142
Issue date: 2019-10-18
CVE Names: CVE-2018-0503 CVE-2018-0505
=====================================================================
1. Summary:
An update for mediawiki is now available for Red Hat OpenShift Container
Platform 3.11.
Red Hat Product Security has rated this update as having a security impact
of Low. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat OpenShift Container Platform 3.11 - noarch
3. Description:
Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.
This advisory contains an updated mediawiki RPM package for Red Hat
OpenShift Container Platform 3.11.
Security Fix(es):
* mediawiki: $wgRateLimits (rate limit / ping limiter) entry for 'user'
overrides that for 'newbie' (CVE-2018-0503)
* mediawiki: BotPassword can bypass CentralAuth's account lock
(CVE-2018-0505)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
4. Solution:
See the following documentation, which will be updated shortly for this
release, for important instructions on how to upgrade your cluster and
fully apply this asynchronous errata update:
https://docs.openshift.com/container-platform/3.11/release_notes/ocp_3_11_r
elease_notes.html
5. Bugs fixed (https://bugzilla.redhat.com/):
1634161 - CVE-2018-0503 mediawiki: $wgRateLimits (rate limit / ping limiter) entry for 'user' overrides that for 'newbie'
1634166 - CVE-2018-0505 mediawiki: BotPassword can bypass CentralAuth's account lock
6. Package List:
Red Hat OpenShift Container Platform 3.11:
Source:
mediawiki-1.27.7-1.el7.src.rpm
noarch:
mediawiki-1.27.7-1.el7.noarch.rpm
mediawiki-doc-1.27.7-1.el7.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2018-0503
https://access.redhat.com/security/cve/CVE-2018-0505
https://access.redhat.com/security/updates/classification/#low
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2019 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBXakWF9zjgjWX9erEAQiEOg/9FnzGqV+9pHHs4Vm+2eeGGw1gPMH2/oap
n1rmE4rIfxL2eWHqChmS82xL6bY4wYZJ6ibXOwYpuTJX7rw816Bqgn33aU8Z3rei
kYs18XZ7jLUxDqGIK9nvC+4Uzii4qkLcA9m0cyWXCgO89t2xcibV4R7qhkG33URu
NKKRGhPgXf59cm9o/9S2C9mlIQohM/w+Lrz09ys6wu1CLsIyQoA5cyTAvI3BR9qC
tBZv1i32uDGVG08dwevV/NFUChnnQLuM2mQccSGY2AeMqaFasG9s5z/rwJCcKsTM
z1MVGdl8/meW2od0SYh8c/9s5T/Sz0fpqwdkGSHWT+pvOxu/xjhg/6wjpLmIdTLS
NF/LXuRd+2V3PpeHkIxB9TlGHEhEN2SX3NXSFNEPSVhUBQ0kh6JdnWg/wlEeH+ew
O1rAgtIQt2jFnxVRot8ikgRYMzod9eOZhWbfcmHO2mLZzYqILUmu4tmLjaqivgmx
N7VVyyH2XVzhYtzFeDsNmMP3pn0J36HHMD3x29gkJG+xp/50DAFlKq0etKQYcOyr
lSaRuQouJp14tSJQBVlhYa8tskpREXA/LqsCQRDZFuPnQJFLrgVBjyXAYRlrkksL
W8xE56wko/jz3HDcBWTKt7BpjScXFT/hsSLYZijF1IhcuYzz5Ui6qs4bwrNwSloL
Q5r1X/tRFKQ=
=+Bsy
- -----END PGP SIGNATURE-----
- --------------------------------------------------------------------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: OpenShift Container Platform 3.11 atomic-openshift security update
Advisory ID: RHSA-2019:3143-01
Product: Red Hat OpenShift Enterprise
Advisory URL: https://access.redhat.com/errata/RHSA-2019:3143
Issue date: 2019-10-18
CVE Names: CVE-2019-10150
=====================================================================
1. Summary:
An update for atomic-openshift is now available for Red Hat OpenShift
Container Platform 3.11.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat OpenShift Container Platform 3.11 - noarch, ppc64le, x86_64
3. Description:
Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.
This advisory contains the atomic-openshift RPM package for Red Hat
OpenShift Container Platform 3.11.153.
Security Fix(es):
* atomic-openshift: OpenShift builds do not verify SSH Host Keys for the
Git repository. (CVE-2019-10150)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
4. Solution:
See the following documentation, which will be updated shortly for this
release, for important instructions on how to upgrade your cluster and
fully apply this asynchronous errata update:
https://docs.openshift.com/container-platform/3.11/release_notes/ocp_3_11_r
elease_notes.html
5. Bugs fixed (https://bugzilla.redhat.com/):
1713433 - CVE-2019-10150 atomic-openshift: OpenShift builds don't verify SSH Host Keys for the git repository
6. Package List:
Red Hat OpenShift Container Platform 3.11:
Source:
atomic-openshift-3.11.153-1.git.0.aaf3f71.el7.src.rpm
noarch:
atomic-openshift-docker-excluder-3.11.153-1.git.0.aaf3f71.el7.noarch.rpm
atomic-openshift-excluder-3.11.153-1.git.0.aaf3f71.el7.noarch.rpm
ppc64le:
atomic-openshift-3.11.153-1.git.0.aaf3f71.el7.ppc64le.rpm
atomic-openshift-clients-3.11.153-1.git.0.aaf3f71.el7.ppc64le.rpm
atomic-openshift-hyperkube-3.11.153-1.git.0.aaf3f71.el7.ppc64le.rpm
atomic-openshift-hypershift-3.11.153-1.git.0.aaf3f71.el7.ppc64le.rpm
atomic-openshift-master-3.11.153-1.git.0.aaf3f71.el7.ppc64le.rpm
atomic-openshift-node-3.11.153-1.git.0.aaf3f71.el7.ppc64le.rpm
atomic-openshift-pod-3.11.153-1.git.0.aaf3f71.el7.ppc64le.rpm
atomic-openshift-sdn-ovs-3.11.153-1.git.0.aaf3f71.el7.ppc64le.rpm
atomic-openshift-template-service-broker-3.11.153-1.git.0.aaf3f71.el7.ppc64le.rpm
atomic-openshift-tests-3.11.153-1.git.0.aaf3f71.el7.ppc64le.rpm
x86_64:
atomic-openshift-3.11.153-1.git.0.aaf3f71.el7.x86_64.rpm
atomic-openshift-clients-3.11.153-1.git.0.aaf3f71.el7.x86_64.rpm
atomic-openshift-clients-redistributable-3.11.153-1.git.0.aaf3f71.el7.x86_64.rpm
atomic-openshift-hyperkube-3.11.153-1.git.0.aaf3f71.el7.x86_64.rpm
atomic-openshift-hypershift-3.11.153-1.git.0.aaf3f71.el7.x86_64.rpm
atomic-openshift-master-3.11.153-1.git.0.aaf3f71.el7.x86_64.rpm
atomic-openshift-node-3.11.153-1.git.0.aaf3f71.el7.x86_64.rpm
atomic-openshift-pod-3.11.153-1.git.0.aaf3f71.el7.x86_64.rpm
atomic-openshift-sdn-ovs-3.11.153-1.git.0.aaf3f71.el7.x86_64.rpm
atomic-openshift-template-service-broker-3.11.153-1.git.0.aaf3f71.el7.x86_64.rpm
atomic-openshift-tests-3.11.153-1.git.0.aaf3f71.el7.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2019-10150
https://access.redhat.com/security/updates/classification/#moderate
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2019 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBXakXC9zjgjWX9erEAQjpBg/+IT81WFAbcyytGsldJtP5D4Gulj9LUD15
RJw1TN66tiXgGvn+g6T8MVWZiR9aMWbDqmLWZZUYzPdH6+2QYd2KR0YVz/Fpbl3d
oIjGwCyv7dYwMucxRVmFdcr/We+IJwWCv5YPeXOfYzyDuJCIP+7Ho1BprkcB+BWZ
9UI2szkGBQbiSoIfqjsXGTDeMw8Gv9K9Qo+vPPc0C0JSFBIc6jaBsqlN5eJ+4Auj
DgiEU1E0HHropOosaOrBYicx5Tng0r85vAxoVzwZCDEZu8Tf++A4CrN29Kj2YVEM
zey98vDLddCge0lfEaePtPMPPNaV9cl/KhV9nn5V/rQfLzaYsaw/RmAxAc4YkRBV
mXfx+GPPnZU7XAjTlOf9tZvbPmD2+IYqOFArwiIXPJdxUkkm3+h07oN0BI3/GRoO
HHaqg/wZgjdR4spHTFriBceLA5FC7aINUMjtu46j5A1gkp7h0EfaQ3Vpb0PYlBsQ
itfB4CG89XDMzF9DRcYEGdVKmZn4CFiJWoAlkaaM+YHVlpdCUSGK1o6begAtXkuB
HFjB+5WHusq4Y4TdXGKXcb9YsV/pnO79FBWuff3XR/dxgyVboYtd0ZDipaZu9kTq
ZgskmffyZ5BgLPC0DeyU22AKJG9gO6KXKCrkAf/6doNNYR92Hj5/MTXL563V4hby
MpviGVPpWCM=
=sCqH
- -----END PGP SIGNATURE-----
- --------------------------------------------------------------------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Important: OpenShift Container Platform 3.11 jenkins security update
Advisory ID: RHSA-2019:3144-01
Product: Red Hat OpenShift Enterprise
Advisory URL: https://access.redhat.com/errata/RHSA-2019:3144
Issue date: 2019-10-18
CVE Names: CVE-2019-10383 CVE-2019-10384
=====================================================================
1. Summary:
An update for jenkins is now available for Red Hat OpenShift Container
Platform 3.11.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat OpenShift Container Platform 3.11 - noarch
3. Description:
Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.
Jenkins is a continuous integration server that monitors executions of
repeated jobs, such as building a software project or jobs run by CRON.
This advisory contains the updated jenkins RPM package for Red Hat
OpenShift Container Platform 3.11.
Security Fix(es):
* jenkins: CSRF protection tokens for anonymous users did not expire in
some circumstances (CVE-2019-10384)
* jenkins: stored cross-site scripting in update center web pages
(CVE-2019-10383)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
4. Solution:
See the following documentation,which will be updated shortly for this
release, for important instructions on how to upgrade your cluster and
fully apply this asynchronous errata update:
https://docs.openshift.com/container-platform/3.11/release_notes/ocp_3_11_r
elease_notes.html
5. Bugs fixed (https://bugzilla.redhat.com/):
1747293 - CVE-2019-10383 jenkins: stored cross-site scripting in update center web pages (SECURITY-1453)
1747297 - CVE-2019-10384 jenkins: CSRF protection tokens for anonymous users did not expire in some circumstances (SECURITY-1491)
6. Package List:
Red Hat OpenShift Container Platform 3.11:
Source:
jenkins-2.176.3.1569349414-1.el7.src.rpm
noarch:
jenkins-2.176.3.1569349414-1.el7.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2019-10383
https://access.redhat.com/security/cve/CVE-2019-10384
https://access.redhat.com/security/updates/classification/#important
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2019 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBXakXHdzjgjWX9erEAQhn0A/+JJ3WhLWybA6vJKFH0EUestKoZy077T8H
g25MA52Q828CaKEgRd1XDrwNwQRnis2NKXPwOB0Ri1DEIwd/vvfr0EqO2nzBgiE3
LnCvNHEZY+cYdJ/4x4mlGgWxPIP/1pcWT3JjD8E++evLxhbcsiRsAJF4We2sEuj8
AF/xQPbcvEOmzxrMnxbZv6owWPkpCvu+CbobTI8QPJONY0jq25VAMtMtllq3CaoP
3aTJa6+Ef625JteEghzwfs7jfQRelxgAU4QEAYVl1ikJHgIKUunKq9kDVeH0gJdX
B0Cko9KNXSrJu2I9RTbYKCRZ0Bv/tZSwhmiVBfiNet62t6wwVNaCu49caCOTYmqu
HEDLXsMUNzNLSE9a72pV7R+rjzLOM+N9urtq01VJNhCa7dIIWi8jPoQvakZFAq08
igl+hXrw+ChXNKiFfXEafgkvxzFsi3/r0n5Orqr/y3Qg7wm38qDCKGJOv3NCjsLi
eQWIo5YBjYu79F2YsRd3AFGGifb4i4m5aPDSs6e+kz+gG0b3ZJUC6BVH2JaZjSkl
6bcY7wfa6csl0ObSbppiJCffIol3Y4hAc1bwYdqRxLHdhgpQVushUWVLzfY4WUgC
FQgQLxjRFvhMnCyt64ggDK2df+bIZQEsa1Tl02H/8LoLoIlqL7K2KqgZwifQVIyH
QRSGnbshdEE=
=MWPj
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXak9GGaOgq3Tt24GAQhtXw//cHqSPmNgR92Dkr0BH3CmNSACVkp/vnYi
sogeGN8YaipYIjnpVyN3Jps4Hqansqso4j9mJAMlRb5sMryUfXObJDUNUeMSi2dH
ryp4LOKrRFj9aqfAaiSRXhvDMW9ZI4lcdh8zXsFuhBsBCOI9Rr2KQxTxoqzKyH+/
PFahdrlrBOjIXp2LVZbOwWWYYWu1zlhSUtCaiD6oK1XHM0dRHppd8ylYjE6Em7VX
3AoMzesJu+gwX9uDnjmPpsrBuaFAkZg4gEazyzE9FtwxFp5qtcTpXNuyjB79vSxR
DCdb8NHYui6pA0wSPqqEpE1+n4Gg3xkzHqC5z69CoNaedL2I1U2bHCamYH4vRb4I
QLcEkUm+7JKhLhUmPYBVFoOzzcKnx0HBXQjC6Zsu4CbIWizGC1EbD1jZ1UQ3ZD6E
2SkftnWEfzsIlqmkevRldkVJxXaR7RmF3nHmlEt4WRPDfjvnchz84vI4ZZYIfvZu
T7wCOx7ud8IsSI9nF+Avs5+f/6UN42ARHSEuM9F3ErmVLO46uePQOyDHwY2pJrIQ
buaXZa2qkQ8Yopdf77kBCFarkQPxjifGtXUtmnEcu7Px5LrPNDwWWQdc/ldyblTZ
uBXmdNBUdBYPPSF8z7tBCIAE3OyQCOn73vs7wDQFiY/RzB+4en65zU3dy784haUq
xbOef3jLDC0=
=B9/n
-----END PGP SIGNATURE-----