Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2019.4201
OpenShift Container Platform 3.9 cri-o security update
8 November 2019
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: OpenShift Container Platform 3.9 cri-o
Publisher: Red Hat
Operating System: Red Hat Enterprise Linux Server 7
Red Hat Enterprise Linux WS/Desktop 7
Impact/Access: Access Confidential Data -- Remote with User Interaction
Provide Misleading Information -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2019-10214
Reference: ESB-2019.4122
ESB-2019.4105
ESB-2019.3900
ESB-2019.3841
ESB-2019.3585.2
Original Bulletin:
https://access.redhat.com/errata/RHSA-2019:3812
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: OpenShift Container Platform 3.9 cri-o security update
Advisory ID: RHSA-2019:3812-01
Product: Red Hat OpenShift Enterprise
Advisory URL: https://access.redhat.com/errata/RHSA-2019:3812
Issue date: 2019-11-07
CVE Names: CVE-2019-10214
=====================================================================
1. Summary:
An update for cri-o is now available for Red Hat OpenShift Container
Platform 3.9.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat OpenShift Container Platform 3.9 - x86_64
3. Description:
Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.
This advisory contains the cri-o RPM package for Red Hat OpenShift
Container
Platform 3.9.102.
Security Fix(es):
* containers/image: not enforcing TLS when sending username+password
credentials to token servers leading to credential disclosure
(CVE-2019-10214)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
4. Solution:
For OpenShift Container Platform 3.9 see the following documentation, which
will be updated shortly for release 3.9.102, for important instructions on
how to upgrade your cluster and fully apply this asynchronous errata
update:
https://docs.openshift.com/container-platform/3.9/release_notes/ocp_3_9_rel
ease_notes.html
5. Bugs fixed (https://bugzilla.redhat.com/):
1732508 - CVE-2019-10214 containers/image: not enforcing TLS when sending username+password credentials to token servers leading to credential disclosure
6. Package List:
Red Hat OpenShift Container Platform 3.9:
Source:
cri-o-1.9.16-5.git858756d.el7.src.rpm
x86_64:
cri-o-1.9.16-5.git858756d.el7.x86_64.rpm
cri-o-debuginfo-1.9.16-5.git858756d.el7.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2019-10214
https://access.redhat.com/security/updates/classification/#moderate
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2019 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBXcRMgtzjgjWX9erEAQgCQBAAgUnLTm0JR5eFeFvhwJZEpvpXpG8hebQK
nsq/eDMXzIJ99hoSbsUt3ZWsfo4ujySyK2WoN2yUng8jHD8pYHKJ/oF+SmHB0PhD
kdO7X01XOpIfv/nPVPbiUqidCksTIICuTgPgrncL2Q1Jt6kRnGyVjV2o8BWxSQ9n
yCAoaTxL37Bs7m0atgfxHH7UEkgyHPqUgnaCz9VgwyVhuyGXHHCTshIJ5mRVSLAY
Oak/WPPrBA0KLZ+MQCK/3KUBMnUzZ9b0I5xTE++oqOjB3Kl3dn1jH56xRHcnLLfl
Re0bdlHFvXtaJ0tjvBsxXxoiYYELnZid2BEa6darR4Xxuszyo56A7CdgY7cNWrAW
yFudmk9HmQZAAuJIsjFQr6cuFPJIPRpMPV556Fc0ZD7jar4B4YD/y2dxsSiH3xsO
Jike5sd2Ea0qjfpZFLn5WN9MLP2TIXmxsyvoXH4tO9nWqapZ4UTME4a2y0GxEzev
7xpYd3nxCGTUbZa4CLuXpvMBUSZDfYJ3yBcSTsZggdfN135JqrYhkeYZ3pKJQdGE
4k3tHv9Fjaz3L6OUE4NKTHV9/11i0HaaOqRwa10PLCObA7YxUjJDs1g3M7dciqbp
kIOAWwgRgXif9m1FBlK1AMho8nxMI0wIrQieOTwBH1LqVgLVHCfdRXt1ZIcgTjPK
2dKg4StJ8YU=
=43Ih
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXcSpXmaOgq3Tt24GAQi0ow/9ElBeKT2f7xTdEhht/d8L56vVRr8Z6PBH
OxfGoiuolnPWzbBxNL0I7jWvmXiaSWFAiz7SMG2ygYXwdh31Vd21QOWe3i5UB8CK
v98iPLgt+oxpD5ck99dAm8ctGQ7i52QJcfmzahJzEEWihCgyIqF83/Qj/yaVX1Wj
PYlbyoZoO48JgVGw93ZAMnEND3Yzy2Lr30QD4UBMFzZfCkuzPd7Ti7n/A0Z1Mp9k
FTIS92NcOBzt3Yu3Ya0NmWlI2rqalbJiouwCxYVDpAPC4Joe2kcAEfdD2wWJ1I6N
3nhPFTAry31ZQwyOl2NnIxqJcU2ESjyVT/PDnFX1207gMe0r4Rx2u5ql+zyVt6Mr
gJB3VBE1NiDQmQOKft5FBuIbYtJkpSuGzWT4oj8e5S6H0YmZXX7FX/tw5I/WKLo8
FuY3lQSAVxLZtq9KUdFQ7nbs++PRpwocOVlAzJZKUFudeWlQJrS0PI9uLJedRpok
GJ+t3F9djBCmFL600woz7SYSOrV9MhjE+BtRM9Dzzo1wCHcjyA9T/uasJqgO5F6a
1EptmtFlrHgm0ycYM/C0hgDZ8QOvglVuTvGr1xEJBbrkZiN/h0uLvRGqLaTQKF5U
6gPt8b6nzddWILBvc+iVqb6odf1MxHH55zpAVwEGL1DwhRqt26N+Qfr+riTcAKvz
keo7rThPbsQ=
=LuLn
-----END PGP SIGNATURE-----