-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.4701
             OpenShift Container Platform 4.1 security update
                             18 December 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           OpenShift Container Platform 4.1
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Access Confidential Data -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-14854 CVE-2019-10213 CVE-2017-18367

Reference:         ESB-2019.4687.3
                   ESB-2019.3527

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2019:4088
   https://access.redhat.com/errata/RHSA-2019:4091
   https://access.redhat.com/errata/RHSA-2019:4090

Comment: This bulletin contains three (3) Red Hat security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: OpenShift Container Platform 4.1 ose-cluster-openshift-apiserver-operator-container security update
Advisory ID:       RHSA-2019:4088-01
Product:           Red Hat OpenShift Enterprise
Advisory URL:      https://access.redhat.com/errata/RHSA-2019:4088
Issue date:        2019-12-17
CVE Names:         CVE-2019-10213 
=====================================================================

1. Summary:

An update for ose-cluster-openshift-apiserver-operator-container is now
available for Red Hat OpenShift Container Platform 4.1.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.

Security Fix(es):

* openshift: Secret data written to pod logs when operator set at Debug
level or higher (CVE-2019-10213)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

For OpenShift Container Platform 4.1 see the following documentation, which
will be updated shortly for release 4.1.27, for important instructions on
how to upgrade your cluster and fully apply this asynchronous errata
update:

https://docs.openshift.com/container-platform/4.1/release_notes/ocp-4-1-release-notes.html

Details on how to access this content are available at
https://docs.openshift.com/container-platform/4.1/updating/updating-cluster-cli.html.

4. Bugs fixed (https://bugzilla.redhat.com/):

1734615 - CVE-2019-10213 openshift: Secret data written to pod logs when operator set at Debug level or higher

5. References:

https://access.redhat.com/security/cve/CVE-2019-10213
https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2019 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXfiGHNzjgjWX9erEAQjQ0RAAmVVeYaJ39w9NkDpB5uFjskMocoyiDqAl
MxHqWhly/wyPoenUN/+giPnkCGylwGhLMQEyQYK+krUuVJY8q1MUpM13/d0j893C
Xp+U5Ld5W7hXSyxodveYVwb4mEYt2bes0M5a8oEig03n0/sMsPrwuYZx3xLM5lx9
PPn/kPwpMY4ds3/FV9ypJBqLXDMTbA5iahqObyXSGt0Ny/8HbkYFLK9Ur9aEtOFD
xxAr7S4t07RlSlgA2emHZj/YydWC4ZPfzfjoU7FbqjuBMCPie3vJdGyRQ7onC9CD
1wE/LSk2UNnPu8Be6osjG5BZ3F3XccESAlIJXMBpJYQf63v0Opk7lptV06/rV7dp
ZxXtvVnoEHYugxR5STnIs1kjCl2ahUQue8ZFKiIFd97dssao/VAIG/ycezsxpVCL
bjiQkWVHd/YxAkBg5xz2BuJb0XC2Va/TuC9pqdnbsExe5wy+WUsvlrE0bBkUYXT/
gtyXuXQfVDnuT8qSIkvd1Z85qJ2Kc3iz/QRPaJMoCG8RKuy0i/m1dLCe9tEIm4nC
dct4qgGtDVRZAV4/e7VMBUMo7KMFt0k1gVWwxs3lpagS/XKM6MvGcJNxRwVBDwFB
LcFMIkojJfKmIy9/9ynfMV27hV6gm0uFIfdXAUjYQjAM+50sUyCi4DacUslOdYW0
QT68w4wN1dM=
=37mh
- -----END PGP SIGNATURE-----

- --------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: OpenShift Container Platform 4.1 libseccomp-golang security update
Advisory ID:       RHSA-2019:4090-01
Product:           Red Hat OpenShift Enterprise
Advisory URL:      https://access.redhat.com/errata/RHSA-2019:4090
Issue date:        2019-12-17
CVE Names:         CVE-2017-18367 
=====================================================================

1. Summary:

An update for openshift-enterprise-cli-container,
openshift-enterprise-hyperkube-container,
openshift-enterprise-hypershift-container,
openshift-enterprise-node-container, and ose-cli-artifacts-container is now
available for Red Hat OpenShift Container Platform 4.1.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.

Security Fix(es):

* libseccomp-golang: mishandling of multiple argument rules leading to a
bypass of intended access restrictions (CVE-2017-18367)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
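Added example for the libseccomp-golang fix above; it is not code from Red Hat, from libseccomp-golang, or from this bulletin. The public CVE description (not quoted on this page) explains the "mishandling of multiple argument rules" as several argument conditions on one rule being combined with OR instead of AND, so a call satisfying only one condition was let through. The block below models that difference in pure Go, with no seccomp or BPF dependency: Rule, ArgCond, Call, Evaluate and CheckRuleSemantics are hypothetical names for this example, the equality-only condition is a simplification, and the socket(2) argument values (2 for AF_INET, 1 for SOCK_STREAM, 3 for SOCK_RAW) are the Linux constants used only as sample input. The point for a defender is the regression check at the end: a two-condition rule must never allow a call that matches just one of them.

```go
package main

import "fmt"

// Action is what a filter decides for a syscall invocation.
type Action int

const (
	Deny Action = iota
	Allow
)

// ArgCond is one argument condition: argument number Arg must equal Value.
// Real seccomp rules support other comparison operators; equality is enough
// to show the semantic point (simplification for this example).
type ArgCond struct {
	Arg   int
	Value uint64
}

// Rule allows a syscall when its argument conditions are satisfied.
type Rule struct {
	Syscall string
	Conds   []ArgCond
}

// Call is a constructed syscall invocation: name plus argument values.
type Call struct {
	Syscall string
	Args    [6]uint64
}

// Evaluate applies rules to a call under a default-deny policy. allAnd=true
// is the intended semantics (every condition must hold); allAnd=false is the
// flawed combination the CVE describes, where any single matching condition
// was enough to allow the call.
func Evaluate(rules []Rule, c Call, allAnd bool) Action {
	for _, r := range rules {
		if r.Syscall != c.Syscall {
			continue
		}
		if len(r.Conds) == 0 {
			return Allow
		}
		matched := 0
		for _, cond := range r.Conds {
			if c.Args[cond.Arg] == cond.Value {
				matched++
			}
		}
		if allAnd {
			if matched == len(r.Conds) {
				return Allow
			}
		} else if matched > 0 {
			return Allow
		}
	}
	return Deny
}

// CheckRuleSemantics is the regression check a filter author would keep:
// a rule allowing socket(AF_INET, SOCK_STREAM) must allow exactly that call
// and must deny socket(AF_INET, SOCK_RAW), which satisfies only one condition.
func CheckRuleSemantics(eval func([]Rule, Call) Action) bool {
	rules := []Rule{{
		Syscall: "socket",
		Conds:   []ArgCond{{Arg: 0, Value: 2}, {Arg: 1, Value: 1}}, // AF_INET, SOCK_STREAM
	}}
	full := Call{Syscall: "socket", Args: [6]uint64{2, 1}}    // AF_INET, SOCK_STREAM
	partial := Call{Syscall: "socket", Args: [6]uint64{2, 3}} // AF_INET, SOCK_RAW
	return eval(rules, full) == Allow && eval(rules, partial) == Deny
}

func main() {
	and := func(r []Rule, c Call) Action { return Evaluate(r, c, true) }
	or := func(r []Rule, c Call) Action { return Evaluate(r, c, false) }
	fmt.Println("AND semantics pass regression check:", CheckRuleSemantics(and))
	fmt.Println("OR semantics pass regression check: ", CheckRuleSemantics(or))
}
```

With the intended AND semantics the check passes; with the OR semantics it fails, which is the observable symptom behind the advisory. In a real deployment the equivalent check is a test that loads the generated filter and asserts on a partially matching call, rather than trusting the rule-building API's documentation.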

3. Solution:

For OpenShift Container Platform 4.1 see the following documentation, which
will be updated shortly for release 4.1.27, for important instructions on
how to upgrade your cluster and fully apply this asynchronous errata
update:

https://docs.openshift.com/container-platform/4.1/release_notes/ocp-4-1-release-notes.html

Details on how to access this content are available at
https://docs.openshift.com/container-platform/4.1/updating/updating-cluster-cli.html.

4. Bugs fixed (https://bugzilla.redhat.com/):

1706826 - CVE-2017-18367 libseccomp-golang: mishandling of multiple argument rules leading to a bypass of intended access restrictions

5. References:

https://access.redhat.com/security/cve/CVE-2017-18367
https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2019 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
- -----END PGP SIGNATURE-----

- --------------------------------------------------------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: OpenShift Container Platform 4.1 library-go security update
Advisory ID:       RHSA-2019:4091-01
Product:           Red Hat OpenShift Enterprise
Advisory URL:      https://access.redhat.com/errata/RHSA-2019:4091
Issue date:        2019-12-17
CVE Names:         CVE-2019-14854 
=====================================================================

1. Summary:

An update for ose-cluster-kube-controller-manager-operator-container and
ose-cluster-kube-scheduler-operator-container is now available for Red Hat
OpenShift Container Platform 4.1.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.

Security Fix(es):

* library-go: Secret data written to static pod logs when operator set at
Debug level or higher (CVE-2019-14854)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
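Added example covering both "secret data written to pod logs when operator set at Debug level or higher" fixes in this bulletin (CVE-2019-10213 above and CVE-2019-14854 here); it is not code from Red Hat, from library-go, or from the operators named. It shows the unsafe pattern the advisories describe (formatting a whole Secret object at debug level) next to a hardened form that only ever logs a redacted copy, plus the check a unit test would assert on. The Secret type is a constructed stand-in for this example rather than the client-go type, UnsafeDebugLine, RedactSecret, DebugLine and LeaksSecretValue are hypothetical names, and the sample namespace, name and values are constructed placeholders.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"sort"
	"strings"
)

// Secret is a constructed, minimal stand-in for a Kubernetes Secret object
// (hypothetical type for this example, not the client-go type) so the code
// runs offline. Data holds the decoded values.
type Secret struct {
	Namespace string
	Name      string
	Data      map[string]string
}

// UnsafeDebugLine is the pattern the advisories describe: formatting the
// whole object at debug level, which writes every value in Data to the pod log.
func UnsafeDebugLine(s Secret) string {
	return fmt.Sprintf("syncing secret %+v", s)
}

// RedactSecret returns a copy of s whose Data values are replaced by a fixed
// marker. Key names stay, because a sync problem is usually diagnosed from
// them; the values are never needed in a log line.
func RedactSecret(s Secret) Secret {
	out := Secret{Namespace: s.Namespace, Name: s.Name, Data: make(map[string]string, len(s.Data))}
	for k := range s.Data {
		out.Data[k] = "<redacted>"
	}
	return out
}

// DebugLine is the hardened form: it only ever sees the redacted copy, so
// there is no code path at any log level that emits raw secret values.
func DebugLine(s Secret) string {
	r := RedactSecret(s)
	keys := make([]string, 0, len(r.Data))
	for k := range r.Data {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	return fmt.Sprintf("syncing secret %s/%s keys=%s", r.Namespace, r.Name, strings.Join(keys, ","))
}

// LeaksSecretValue reports whether a rendered log line contains any value of
// s, either raw or in the base64 form Secrets carry on the wire. It is the
// assertion a unit test for an operator's logging would make.
func LeaksSecretValue(line string, s Secret) bool {
	for _, v := range s.Data {
		if v == "" {
			continue
		}
		b64 := base64.StdEncoding.EncodeToString([]byte(v))
		if strings.Contains(line, v) || strings.Contains(line, b64) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample secret; the values are placeholders, not real material.
	s := Secret{
		Namespace: "example-ns",
		Name:      "example-serving-cert",
		Data: map[string]string{
			"tls.key": "CONSTRUCTED-PRIVATE-KEY-MATERIAL",
			"tls.crt": "CONSTRUCTED-CERTIFICATE-DATA",
		},
	}
	for _, line := range []string{UnsafeDebugLine(s), DebugLine(s)} {
		fmt.Printf("leaks=%-5v %s\n", LeaksSecretValue(line, s), line)
	}
}
```

The design choice is that redaction happens in the type handed to the logger, not in the caller: raising the log level then changes how much is logged, never what kind of data can appear. Running LeaksSecretValue over captured operator log output at Debug level is also a cheap check of whether an existing deployment is affected before the upgrade to 4.1.27.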

3. Solution:

For OpenShift Container Platform 4.1 see the following documentation, which
will be updated shortly for release 4.1.27, for important instructions on
how to upgrade your cluster and fully apply this asynchronous errata
update:

https://docs.openshift.com/container-platform/4.1/release_notes/ocp-4-1-release-notes.html

Details on how to access this content are available at
https://docs.openshift.com/container-platform/4.1/updating/updating-cluster-cli.html.

4. Bugs fixed (https://bugzilla.redhat.com/):

1758953 - CVE-2019-14854 library-go: Secret data written to static pod logs when operator set at Debug level or higher

5. References:

https://access.redhat.com/security/cve/CVE-2019-14854
https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2019 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----