-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.3906
         OpenShift Container Platform 3.11 mediawiki security update
                              18 October 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           OpenShift Container Platform 3.11 mediawiki
                   OpenShift Container Platform 3.11 atomic-openshift
                   OpenShift Container Platform 3.11 jenkins
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Cross-site Request Forgery -- Remote with User Interaction
                   Cross-site Scripting      -- Remote with User Interaction
                   Reduced Security          -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-10384 CVE-2019-10383 CVE-2019-10150
                   CVE-2018-0505 CVE-2018-0503
Reference:         ESB-2019.3900
                   ESB-2019.3841
                   ESB-2019.3576
                   ESB-2018.2842

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2019:3142
   https://access.redhat.com/errata/RHSA-2019:3143
   https://access.redhat.com/errata/RHSA-2019:3144

Comment: This bulletin contains three (3) Red Hat security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Low: OpenShift Container Platform 3.11 mediawiki security update
Advisory ID:       RHSA-2019:3142-01
Product:           Red Hat OpenShift Enterprise
Advisory URL:      https://access.redhat.com/errata/RHSA-2019:3142
Issue date:        2019-10-18
CVE Names:         CVE-2018-0503 CVE-2018-0505
=====================================================================

1. Summary:

An update for mediawiki is now available for Red Hat OpenShift Container
Platform 3.11.

Red Hat Product Security has rated this update as having a security impact of
Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a
detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenShift Container Platform 3.11 - noarch

3. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes
application platform solution designed for on-premise or private cloud
deployments.

This advisory contains an updated mediawiki RPM package for Red Hat
OpenShift Container Platform 3.11.

Security Fix(es):

* mediawiki: $wgRateLimits (rate limit / ping limiter) entry for 'user'
overrides that for 'newbie' (CVE-2018-0503)

* mediawiki: BotPassword can bypass CentralAuth's account lock
(CVE-2018-0505)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

See the following documentation, which will be updated shortly for this
release, for important instructions on how to upgrade your cluster and fully
apply this asynchronous errata update:

https://docs.openshift.com/container-platform/3.11/release_notes/ocp_3_11_release_notes.html

5. Bugs fixed (https://bugzilla.redhat.com/):

1634161 - CVE-2018-0503 mediawiki: $wgRateLimits (rate limit / ping limiter) entry for 'user' overrides that for 'newbie'
1634166 - CVE-2018-0505 mediawiki: BotPassword can bypass CentralAuth's account lock

6. Package List:

Red Hat OpenShift Container Platform 3.11:

Source:
mediawiki-1.27.7-1.el7.src.rpm

noarch:
mediawiki-1.27.7-1.el7.noarch.rpm
mediawiki-doc-1.27.7-1.el7.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2018-0503
https://access.redhat.com/security/cve/CVE-2018-0505
https://access.redhat.com/security/updates/classification/#low

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2019 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXakWF9zjgjWX9erEAQiEOg/9FnzGqV+9pHHs4Vm+2eeGGw1gPMH2/oap
n1rmE4rIfxL2eWHqChmS82xL6bY4wYZJ6ibXOwYpuTJX7rw816Bqgn33aU8Z3rei
kYs18XZ7jLUxDqGIK9nvC+4Uzii4qkLcA9m0cyWXCgO89t2xcibV4R7qhkG33URu
NKKRGhPgXf59cm9o/9S2C9mlIQohM/w+Lrz09ys6wu1CLsIyQoA5cyTAvI3BR9qC
tBZv1i32uDGVG08dwevV/NFUChnnQLuM2mQccSGY2AeMqaFasG9s5z/rwJCcKsTM
z1MVGdl8/meW2od0SYh8c/9s5T/Sz0fpqwdkGSHWT+pvOxu/xjhg/6wjpLmIdTLS
NF/LXuRd+2V3PpeHkIxB9TlGHEhEN2SX3NXSFNEPSVhUBQ0kh6JdnWg/wlEeH+ew
O1rAgtIQt2jFnxVRot8ikgRYMzod9eOZhWbfcmHO2mLZzYqILUmu4tmLjaqivgmx
N7VVyyH2XVzhYtzFeDsNmMP3pn0J36HHMD3x29gkJG+xp/50DAFlKq0etKQYcOyr
lSaRuQouJp14tSJQBVlhYa8tskpREXA/LqsCQRDZFuPnQJFLrgVBjyXAYRlrkksL
W8xE56wko/jz3HDcBWTKt7BpjScXFT/hsSLYZijF1IhcuYzz5Ui6qs4bwrNwSloL
Q5r1X/tRFKQ=
=+Bsy
- -----END PGP SIGNATURE-----

- --------------------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: OpenShift Container Platform 3.11 atomic-openshift security update
Advisory ID:       RHSA-2019:3143-01
Product:           Red Hat OpenShift Enterprise
Advisory URL:      https://access.redhat.com/errata/RHSA-2019:3143
Issue date:        2019-10-18
CVE Names:         CVE-2019-10150
=====================================================================

1. Summary:

An update for atomic-openshift is now available for Red Hat OpenShift
Container Platform 3.11.

Red Hat Product Security has rated this update as having a security impact of
Moderate.
A Common Vulnerability Scoring System (CVSS) base score, which gives a
detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenShift Container Platform 3.11 - noarch, ppc64le, x86_64

3. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes
application platform solution designed for on-premise or private cloud
deployments.

This advisory contains the atomic-openshift RPM package for Red Hat
OpenShift Container Platform 3.11.153.

Security Fix(es):

* atomic-openshift: OpenShift builds do not verify SSH Host Keys for the Git
repository. (CVE-2019-10150)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

See the following documentation, which will be updated shortly for this
release, for important instructions on how to upgrade your cluster and fully
apply this asynchronous errata update:

https://docs.openshift.com/container-platform/3.11/release_notes/ocp_3_11_release_notes.html

5. Bugs fixed (https://bugzilla.redhat.com/):

1713433 - CVE-2019-10150 atomic-openshift: OpenShift builds don't verify SSH Host Keys for the git repository

6. Package List:

Red Hat OpenShift Container Platform 3.11:

Source:
atomic-openshift-3.11.153-1.git.0.aaf3f71.el7.src.rpm

noarch:
atomic-openshift-docker-excluder-3.11.153-1.git.0.aaf3f71.el7.noarch.rpm
atomic-openshift-excluder-3.11.153-1.git.0.aaf3f71.el7.noarch.rpm

ppc64le:
atomic-openshift-3.11.153-1.git.0.aaf3f71.el7.ppc64le.rpm
atomic-openshift-clients-3.11.153-1.git.0.aaf3f71.el7.ppc64le.rpm
atomic-openshift-hyperkube-3.11.153-1.git.0.aaf3f71.el7.ppc64le.rpm
atomic-openshift-hypershift-3.11.153-1.git.0.aaf3f71.el7.ppc64le.rpm
atomic-openshift-master-3.11.153-1.git.0.aaf3f71.el7.ppc64le.rpm
atomic-openshift-node-3.11.153-1.git.0.aaf3f71.el7.ppc64le.rpm
atomic-openshift-pod-3.11.153-1.git.0.aaf3f71.el7.ppc64le.rpm
atomic-openshift-sdn-ovs-3.11.153-1.git.0.aaf3f71.el7.ppc64le.rpm
atomic-openshift-template-service-broker-3.11.153-1.git.0.aaf3f71.el7.ppc64le.rpm
atomic-openshift-tests-3.11.153-1.git.0.aaf3f71.el7.ppc64le.rpm

x86_64:
atomic-openshift-3.11.153-1.git.0.aaf3f71.el7.x86_64.rpm
atomic-openshift-clients-3.11.153-1.git.0.aaf3f71.el7.x86_64.rpm
atomic-openshift-clients-redistributable-3.11.153-1.git.0.aaf3f71.el7.x86_64.rpm
atomic-openshift-hyperkube-3.11.153-1.git.0.aaf3f71.el7.x86_64.rpm
atomic-openshift-hypershift-3.11.153-1.git.0.aaf3f71.el7.x86_64.rpm
atomic-openshift-master-3.11.153-1.git.0.aaf3f71.el7.x86_64.rpm
atomic-openshift-node-3.11.153-1.git.0.aaf3f71.el7.x86_64.rpm
atomic-openshift-pod-3.11.153-1.git.0.aaf3f71.el7.x86_64.rpm
atomic-openshift-sdn-ovs-3.11.153-1.git.0.aaf3f71.el7.x86_64.rpm
atomic-openshift-template-service-broker-3.11.153-1.git.0.aaf3f71.el7.x86_64.rpm
atomic-openshift-tests-3.11.153-1.git.0.aaf3f71.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2019-10150
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2019 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXakXC9zjgjWX9erEAQjpBg/+IT81WFAbcyytGsldJtP5D4Gulj9LUD15
RJw1TN66tiXgGvn+g6T8MVWZiR9aMWbDqmLWZZUYzPdH6+2QYd2KR0YVz/Fpbl3d
oIjGwCyv7dYwMucxRVmFdcr/We+IJwWCv5YPeXOfYzyDuJCIP+7Ho1BprkcB+BWZ
9UI2szkGBQbiSoIfqjsXGTDeMw8Gv9K9Qo+vPPc0C0JSFBIc6jaBsqlN5eJ+4Auj
DgiEU1E0HHropOosaOrBYicx5Tng0r85vAxoVzwZCDEZu8Tf++A4CrN29Kj2YVEM
zey98vDLddCge0lfEaePtPMPPNaV9cl/KhV9nn5V/rQfLzaYsaw/RmAxAc4YkRBV
mXfx+GPPnZU7XAjTlOf9tZvbPmD2+IYqOFArwiIXPJdxUkkm3+h07oN0BI3/GRoO
HHaqg/wZgjdR4spHTFriBceLA5FC7aINUMjtu46j5A1gkp7h0EfaQ3Vpb0PYlBsQ
itfB4CG89XDMzF9DRcYEGdVKmZn4CFiJWoAlkaaM+YHVlpdCUSGK1o6begAtXkuB
HFjB+5WHusq4Y4TdXGKXcb9YsV/pnO79FBWuff3XR/dxgyVboYtd0ZDipaZu9kTq
ZgskmffyZ5BgLPC0DeyU22AKJG9gO6KXKCrkAf/6doNNYR92Hj5/MTXL563V4hby
MpviGVPpWCM=
=sCqH
- -----END PGP SIGNATURE-----

- --------------------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: OpenShift Container Platform 3.11 jenkins security update
Advisory ID:       RHSA-2019:3144-01
Product:           Red Hat OpenShift Enterprise
Advisory URL:      https://access.redhat.com/errata/RHSA-2019:3144
Issue date:        2019-10-18
CVE Names:         CVE-2019-10383 CVE-2019-10384
=====================================================================

1. Summary:

An update for jenkins is now available for Red Hat OpenShift Container
Platform 3.11.

Red Hat Product Security has rated this update as having a security impact of
Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from the
CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenShift Container Platform 3.11 - noarch

3. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes
application platform solution designed for on-premise or private cloud
deployments.

Jenkins is a continuous integration server that monitors executions of
repeated jobs, such as building a software project or jobs run by CRON.

This advisory contains the updated jenkins RPM package for Red Hat OpenShift
Container Platform 3.11.

Security Fix(es):

* jenkins: CSRF protection tokens for anonymous users did not expire in some
circumstances (CVE-2019-10384)

* jenkins: stored cross-site scripting in update center web pages
(CVE-2019-10383)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

See the following documentation, which will be updated shortly for this
release, for important instructions on how to upgrade your cluster and fully
apply this asynchronous errata update:

https://docs.openshift.com/container-platform/3.11/release_notes/ocp_3_11_release_notes.html

5. Bugs fixed (https://bugzilla.redhat.com/):

1747293 - CVE-2019-10383 jenkins: stored cross-site scripting in update center web pages (SECURITY-1453)
1747297 - CVE-2019-10384 jenkins: CSRF protection tokens for anonymous users did not expire in some circumstances (SECURITY-1491)

6. Package List:

Red Hat OpenShift Container Platform 3.11:

Source:
jenkins-2.176.3.1569349414-1.el7.src.rpm

noarch:
jenkins-2.176.3.1569349414-1.el7.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2019-10383
https://access.redhat.com/security/cve/CVE-2019-10384
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2019 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXakXHdzjgjWX9erEAQhn0A/+JJ3WhLWybA6vJKFH0EUestKoZy077T8H
g25MA52Q828CaKEgRd1XDrwNwQRnis2NKXPwOB0Ri1DEIwd/vvfr0EqO2nzBgiE3
LnCvNHEZY+cYdJ/4x4mlGgWxPIP/1pcWT3JjD8E++evLxhbcsiRsAJF4We2sEuj8
AF/xQPbcvEOmzxrMnxbZv6owWPkpCvu+CbobTI8QPJONY0jq25VAMtMtllq3CaoP
3aTJa6+Ef625JteEghzwfs7jfQRelxgAU4QEAYVl1ikJHgIKUunKq9kDVeH0gJdX
B0Cko9KNXSrJu2I9RTbYKCRZ0Bv/tZSwhmiVBfiNet62t6wwVNaCu49caCOTYmqu
HEDLXsMUNzNLSE9a72pV7R+rjzLOM+N9urtq01VJNhCa7dIIWi8jPoQvakZFAq08
igl+hXrw+ChXNKiFfXEafgkvxzFsi3/r0n5Orqr/y3Qg7wm38qDCKGJOv3NCjsLi
eQWIo5YBjYu79F2YsRd3AFGGifb4i4m5aPDSs6e+kz+gG0b3ZJUC6BVH2JaZjSkl
6bcY7wfa6csl0ObSbppiJCffIol3Y4hAc1bwYdqRxLHdhgpQVushUWVLzfY4WUgC
FQgQLxjRFvhMnCyt64ggDK2df+bIZQEsa1Tl02H/8LoLoIlqL7K2KqgZwifQVIyH
QRSGnbshdEE=
=MWPj
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may arise
from following or acting on information or advice contained in this security
bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXak9GGaOgq3Tt24GAQhtXw//cHqSPmNgR92Dkr0BH3CmNSACVkp/vnYi
sogeGN8YaipYIjnpVyN3Jps4Hqansqso4j9mJAMlRb5sMryUfXObJDUNUeMSi2dH
ryp4LOKrRFj9aqfAaiSRXhvDMW9ZI4lcdh8zXsFuhBsBCOI9Rr2KQxTxoqzKyH+/
PFahdrlrBOjIXp2LVZbOwWWYYWu1zlhSUtCaiD6oK1XHM0dRHppd8ylYjE6Em7VX
3AoMzesJu+gwX9uDnjmPpsrBuaFAkZg4gEazyzE9FtwxFp5qtcTpXNuyjB79vSxR
DCdb8NHYui6pA0wSPqqEpE1+n4Gg3xkzHqC5z69CoNaedL2I1U2bHCamYH4vRb4I
QLcEkUm+7JKhLhUmPYBVFoOzzcKnx0HBXQjC6Zsu4CbIWizGC1EbD1jZ1UQ3ZD6E
2SkftnWEfzsIlqmkevRldkVJxXaR7RmF3nHmlEt4WRPDfjvnchz84vI4ZZYIfvZu
T7wCOx7ud8IsSI9nF+Avs5+f/6UN42ARHSEuM9F3ErmVLO46uePQOyDHwY2pJrIQ
buaXZa2qkQ8Yopdf77kBCFarkQPxjifGtXUtmnEcu7Px5LrPNDwWWQdc/ldyblTZ
uBXmdNBUdBYPPSF8z7tBCIAE3OyQCOn73vs7wDQFiY/RzB+4en65zU3dy784haUq
xbOef3jLDC0=
=B9/n
-----END PGP SIGNATURE-----
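Editor's worked example for the three Package List sections above (RHSA-2019:3142, RHSA-2019:3143 and RHSA-2019:3144). Each advisory names the fixed package build (mediawiki-1.27.7-1.el7, atomic-openshift-3.11.153-1.git.0.aaf3f71.el7, jenkins-2.176.3.1569349414-1.el7) and points at Red Hat's key page for signature checks, but leaves the "is this node actually fixed?" step to the reader. The script below is an added example and is not part of the Red Hat advisories or the AusCERT bulletin. It compares "rpm -qa" style output from a node against those fixed versions and wraps the signature check a practitioner should run before installing a downloaded RPM. The sample rpm -qa lines are constructed for the example (the 22a6fe1 hash in the older atomic-openshift build is made up), the version comparison handles the dotted version and release strings used in these advisories rather than the full rpmvercmp algorithm, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not Red Hat or AusCERT code): check a node's installed
# packages against the fixed versions in RHSA-2019:3142, :3143 and :3144,
# and verify package signatures before installing the updates.

# Fixed versions, copied from the advisories' Package List sections
# ("name version release"; the atomic-openshift-* subpackages share one build).
FIXED_VERSIONS='
mediawiki 1.27.7 1.el7
atomic-openshift 3.11.153 1.git.0.aaf3f71.el7
atomic-openshift-master 3.11.153 1.git.0.aaf3f71.el7
atomic-openshift-node 3.11.153 1.git.0.aaf3f71.el7
atomic-openshift-clients 3.11.153 1.git.0.aaf3f71.el7
jenkins 2.176.3.1569349414 1.el7
'

# Constructed sample of `rpm -qa --qf "%{NAME} %{VERSION} %{RELEASE}\n"`
# output from a not-yet-updated node.  The 22a6fe1 git hash is made up.
SAMPLE_RPM_QA='
atomic-openshift 3.11.141 1.git.0.22a6fe1.el7
atomic-openshift-node 3.11.153 1.git.0.aaf3f71.el7
jenkins 2.176.3.1569349414 1.el7
mediawiki 1.27.5 1.el7
bash 4.2.46 34.el7
'

# Compare two version strings segment by segment, splitting on "." and "-":
# numeric segments compare as numbers, others as strings, a missing segment
# sorts first.  Prints -1, 0 or 1.  This covers the versions above; it is
# not the full rpmvercmp algorithm (no epoch, tilde or caret handling).
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, A, /[.-]/); nb = split(b, B, /[.-]/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? A[i] : ""; y = (i <= nb) ? B[i] : ""
            if (x == y) continue
            if (x ~ /^[0-9]+$/ && y ~ /^[0-9]+$/) r = (x + 0 < y + 0) ? -1 : 1
            else if (x == "")                    r = -1
            else if (y == "")                    r = 1
            else                                 r = (x < y) ? -1 : 1
            print r; exit
        }
        print 0
    }'
}

# 0 (true) when installed version/release $1-$2 is at least fixed $3-$4.
is_fixed() {
    case $(vercmp "$1" "$3") in
        1)  return 0 ;;
        -1) return 1 ;;
    esac
    [ "$(vercmp "$2" "$4")" -ge 0 ]
}

# Reads "name version release" lines on stdin; prints one
# "name installed -> fixed" line per package that is still below the fix.
audit_packages() {
    while read -r name ver rel; do
        [ -n "$name" ] || continue
        fixed=$(printf '%s\n' "$FIXED_VERSIONS" | awk -v n="$name" '$1 == n { print $2, $3 }')
        [ -n "$fixed" ] || continue                 # not covered by this bulletin
        set -- $fixed                               # $1 = fixed version, $2 = fixed release
        if ! is_fixed "$ver" "$rel" "$1" "$2"; then
            printf '%s %s-%s -> %s-%s\n' "$name" "$ver" "$rel" "$1" "$2"
        fi
    done
}

# Runs the audit over the constructed sample (on a real node, pipe rpm -qa in).
audit_sample() {
    printf '%s\n' "$SAMPLE_RPM_QA" | audit_packages
}

# Before installing, check Red Hat's signature on a downloaded RPM.  rpm
# exits non-zero when the signature is bad or the signing key is not
# imported; import the key from https://access.redhat.com/security/team/key/
# (rpm --import) first, otherwise an unsigned package cannot be told apart
# from one signed by a key you do not trust.
verify_rpm_signature() {   # $1 = path to .rpm
    rpm --checksig "$1" >/dev/null
}
```

On a cluster node the audit is run as "rpm -qa --qf '%{NAME} %{VERSION} %{RELEASE}\n' | audit_packages"; any line it prints is a package the bulletin covers that is still below the fixed build. The comparison deliberately checks the release string as well as the version, since the fixed atomic-openshift build is identified by its release (1.git.0.aaf3f71.el7), not by the 3.11.153 version alone.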
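Editor's worked example for CVE-2019-10150 (RHSA-2019:3143 above). The flaw is a missing host-key check: a build that clones its source over SSH without verifying the Git server's host key accepts whatever key a man-in-the-middle presents, and from then on every byte of "source" it compiles is attacker-controlled. The script below is an added example, not OpenShift code and not Red Hat's fix; it shows the generic git-client side of the problem, the SSH options that accept any key beside the options that fail closed on an unpinned host, and a pre-flight check that refuses to clone unless the repository host appears in a pinned known_hosts file. The host name git.example.internal, the known_hosts key material (a placeholder, not a real key) and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not OpenShift code): fail closed on unknown SSH host keys
# when a build clones its source over SSH.  Names below are this example's own.

# Constructed known_hosts content: the key strings are made-up placeholders,
# NOT real server keys.  Obtain the real key out of band (e.g. from the Git
# server's administrator) and compare its fingerprint before pinning it.
PINNED_KNOWN_HOSTS='# pinned for CI/CD builds
git.example.internal,10.0.0.5 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleExampleExampleExampleExampleExamp
[git.example.internal]:2222 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleExampleExampleExampleExampleExamp
@cert-authority *.ci.example.internal ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQExampleExampleExampleExampleEx'

# What CVE-2019-10150 amounts to on the client side: any key is accepted,
# so a MITM between the build and the Git server can serve altered sources.
insecure_git_ssh() {
    printf '%s\n' 'ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null'
}

# Hardened: only keys already in $1 are accepted; BatchMode makes ssh error
# out instead of prompting, which matters because a build has no TTY.
hardened_git_ssh() {   # $1 = known_hosts file
    printf 'ssh -o StrictHostKeyChecking=yes -o BatchMode=yes -o UserKnownHostsFile=%s\n' "$1"
}

# Host part of an scp-style (git@host:path) or ssh://user@host[:port]/path URL.
repo_host() {
    case $1 in
        ssh://*) h=${1#ssh://}; h=${h%%/*}; h=${h#*@}; printf '%s\n' "${h%%:*}" ;;
        *@*:*)   h=${1#*@}; printf '%s\n' "${h%%:*}" ;;
        *)       return 1 ;;
    esac
}

# 0 if known_hosts file $2 has a plain entry for host $1.  Handles
# "host,alias,10.0.0.5" lists, "[host]:port" entries and "@marker" lines.
# Wildcard patterns are not expanded and hashed "|1|..." entries are not
# decoded; check those with `ssh-keygen -F host -f file` instead.
host_is_pinned() {
    awk -v h="$1" '
        $0 !~ /^[ \t]*#/ && NF > 0 {
            f = ($1 ~ /^@/) ? $2 : $1
            n = split(f, names, ",")
            for (i = 1; i <= n; i++) {
                name = names[i]
                sub(/^\[/, "", name); sub(/\]:[0-9]+$/, "", name)
                if (name == h) { found = 1; exit }
            }
        }
        END { exit found ? 0 : 1 }' "$2"
}

# Command a hardened build step would run; refuses before touching the
# network when the repository host is not pinned in $1.
clone_command() {   # $1 = known_hosts file, $2 = repository URL
    host=$(repo_host "$2") || { echo "unsupported repository URL: $2" >&2; return 1; }
    if ! host_is_pinned "$host" "$1"; then
        echo "refusing to clone $2: no pinned host key for $host in $1" >&2
        return 1
    fi
    printf 'GIT_SSH_COMMAND="%s" git clone %s\n' "$(hardened_git_ssh "$1")" "$2"
}

# Write the constructed known_hosts to $1 (a build would mount it from a secret).
write_pinned_known_hosts() {
    printf '%s\n' "$PINNED_KNOWN_HOSTS" > "$1"
}
```

The point of the pre-flight check is that a missing pin is detected before the network is touched, so the failure is an explicit "no pinned host key" error rather than a clone that silently succeeded against the wrong server. The pinned file must be populated from a key obtained out of band; running ssh-keyscan against the server from the build network only records whatever the network path is currently serving, which is exactly the key a MITM wants you to trust.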