Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2020.1582
OpenShift Container Platform 4.4.3 presto-container security update
5 May 2020
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: OpenShift Container Platform 4.4.3
Publisher: Red Hat
Operating System: Red Hat
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Increased Privileges -- Existing Account
Denial of Service -- Remote/Unauthenticated
Unauthorised Access -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2020-11100 CVE-2020-8945 CVE-2020-2830
CVE-2020-2805 CVE-2020-2803 CVE-2020-2800
CVE-2020-2781 CVE-2020-2773 CVE-2020-2757
CVE-2020-2756 CVE-2020-2755 CVE-2020-2754
CVE-2020-1750 CVE-2020-1702 CVE-2019-19354
CVE-2019-19352 CVE-2019-19330 CVE-2019-18277
Reference: ESB-2020.1414
ESB-2020.1413
Original Bulletin:
https://access.redhat.com/errata/RHSA-2020:1942
https://access.redhat.com/errata/RHSA-2020:1940
https://access.redhat.com/errata/RHSA-2020:1936
https://access.redhat.com/errata/RHSA-2020:1937
https://access.redhat.com/errata/RHSA-2020:1938
https://access.redhat.com/errata/RHSA-2020:1939
Comment: This bulletin contains six (6) Red Hat security advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: OpenShift Container Platform 4.4.3 presto-container security update
Advisory ID: RHSA-2020:1942-01
Product: Red Hat OpenShift Enterprise
Advisory URL: https://access.redhat.com/errata/RHSA-2020:1942
Issue date: 2020-05-04
CVE Names: CVE-2019-19352 CVE-2020-2754 CVE-2020-2755
CVE-2020-2756 CVE-2020-2757 CVE-2020-2773
CVE-2020-2781 CVE-2020-2800 CVE-2020-2803
CVE-2020-2805 CVE-2020-2830
=====================================================================
1. Summary:
An update for presto-container is now available for Red Hat OpenShift
Container Platform 4.4.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Description:
Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.
Security Fix(es):
* operator-framework/presto: /etc/passwd was given incorrect privileges
(CVE-2019-19352)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
3. Solution:
For OpenShift Container Platform 4.4 see the following documentation, which
will be updated shortly for release 4.4.3, for important instructions on
how to upgrade your cluster and fully apply this asynchronous errata
update:
https://docs.openshift.com/container-platform/4.4/release_notes/ocp-4-4-rel
ease-notes.html
Details on how to access this content are available at
https://docs.openshift.com/container-platform/4.4/updating/updating-cluster
- - -cli.html.
4. Bugs fixed (https://bugzilla.redhat.com/):
1793281 - CVE-2019-19352 operator-framework/presto: /etc/passwd is given incorrect privileges
5. References:
https://access.redhat.com/security/cve/CVE-2019-19352
https://access.redhat.com/security/cve/CVE-2020-2754
https://access.redhat.com/security/cve/CVE-2020-2755
https://access.redhat.com/security/cve/CVE-2020-2756
https://access.redhat.com/security/cve/CVE-2020-2757
https://access.redhat.com/security/cve/CVE-2020-2773
https://access.redhat.com/security/cve/CVE-2020-2781
https://access.redhat.com/security/cve/CVE-2020-2800
https://access.redhat.com/security/cve/CVE-2020-2803
https://access.redhat.com/security/cve/CVE-2020-2805
https://access.redhat.com/security/cve/CVE-2020-2830
https://access.redhat.com/security/updates/classification/#moderate
6. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2020 Red Hat, Inc.
- -------------------------------------------------------------------------------
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: OpenShift Container Platform 4.4.3 ose-cluster-policy-controller-container security update
Advisory ID: RHSA-2020:1940-01
Product: Red Hat OpenShift Enterprise
Advisory URL: https://access.redhat.com/errata/RHSA-2020:1940
Issue date: 2020-05-04
CVE Names: CVE-2020-8945
=====================================================================
1. Summary:
An update for ose-cluster-policy-controller-container is now available for
Red Hat OpenShift Container Platform 4.4.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Description:
Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.
Security Fix(es):
* proglottis/gpgme: Use-after-free in GPGME bindings during container image
pull (CVE-2020-8945)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
3. Solution:
For OpenShift Container Platform 4.4 see the following documentation, which
will be updated shortly for release 4.4.3, for important instructions on
how to upgrade your cluster and fully apply this asynchronous errata
update:
https://docs.openshift.com/container-platform/4.4/release_notes/ocp-4-4-rel
ease-notes.html
Details on how to access this content are available at
https://docs.openshift.com/container-platform/4.4/updating/updating-cluster
- - -cli.html.
4. Bugs fixed (https://bugzilla.redhat.com/):
1795838 - CVE-2020-8945 proglottis/gpgme: Use-after-free in GPGME bindings during container image pull
5. References:
https://access.redhat.com/security/cve/CVE-2020-8945
https://access.redhat.com/security/updates/classification/#moderate
6. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2020 Red Hat, Inc.
- -------------------------------------------------------------------------------
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: OpenShift Container Platform 4.4.3 ose-machine-config-operator-container security update
Advisory ID: RHSA-2020:1939-01
Product: Red Hat OpenShift Enterprise
Advisory URL: https://access.redhat.com/errata/RHSA-2020:1939
Issue date: 2020-05-04
CVE Names: CVE-2020-1750
=====================================================================
1. Summary:
An update for ose-machine-config-operator-container is now available for
Red Hat OpenShift Container Platform 4.4.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Description:
Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.
Security Fix(es):
* machine-config-operator-container: mmap stressor was making the cluster
unresponsive (CVE-2020-1750)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s)
listed in the References section.
3. Solution:
For OpenShift Container Platform 4.4 see the following documentation, which
will be updated shortly for release 4.4.3, for important instructions on
how to upgrade your cluster and fully apply this asynchronous errata
update:
https://docs.openshift.com/container-platform/4.4/release_notes/ocp-4-4-rel
ease-notes.html
Details on how to access this content are available at
https://docs.openshift.com/container-platform/4.4/updating/updating-cluster
- - -cli.html.
4. Bugs fixed (https://bugzilla.redhat.com/):
1808130 - CVE-2020-1750 machine-config-operator-container: mmap stressor makes the cluster unresponsive
5. References:
https://access.redhat.com/security/cve/CVE-2020-1750
https://access.redhat.com/security/updates/classification/#moderate
6. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2020 Red Hat, Inc.
- -------------------------------------------------------------------------------
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: OpenShift Container Platform 4.4.3 hadoop-container security update
Advisory ID: RHSA-2020:1938-01
Product: Red Hat OpenShift Enterprise
Advisory URL: https://access.redhat.com/errata/RHSA-2020:1938
Issue date: 2020-05-04
CVE Names: CVE-2019-19354 CVE-2020-2754 CVE-2020-2755
CVE-2020-2756 CVE-2020-2757 CVE-2020-2773
CVE-2020-2781 CVE-2020-2800 CVE-2020-2803
CVE-2020-2805 CVE-2020-2830
=====================================================================
1. Summary:
An update for hadoop-container is now available for Red Hat OpenShift
Container Platform 4.4.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Description:
Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.
Security Fix(es):
* operator-framework/hadoop: /etc/passwd was given incorrect privileges
(CVE-2019-19354)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
3. Solution:
For OpenShift Container Platform 4.4 see the following documentation, which
will be updated shortly for release 4.4.3, for important instructions on
how to upgrade your cluster and fully apply this asynchronous errata
update:
https://docs.openshift.com/container-platform/4.4/release_notes/ocp-4-4-rel
ease-notes.html
Details on how to access this content are available at
https://docs.openshift.com/container-platform/4.4/updating/updating-cluster
- - -cli.html.
4. Bugs fixed (https://bugzilla.redhat.com/):
1793278 - CVE-2019-19354 operator-framework/hadoop: /etc/passwd is given incorrect privileges
5. References:
https://access.redhat.com/security/cve/CVE-2019-19354
https://access.redhat.com/security/cve/CVE-2020-2754
https://access.redhat.com/security/cve/CVE-2020-2755
https://access.redhat.com/security/cve/CVE-2020-2756
https://access.redhat.com/security/cve/CVE-2020-2757
https://access.redhat.com/security/cve/CVE-2020-2773
https://access.redhat.com/security/cve/CVE-2020-2781
https://access.redhat.com/security/cve/CVE-2020-2800
https://access.redhat.com/security/cve/CVE-2020-2803
https://access.redhat.com/security/cve/CVE-2020-2805
https://access.redhat.com/security/cve/CVE-2020-2830
https://access.redhat.com/security/updates/classification/#moderate
6. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2020 Red Hat, Inc.
- -------------------------------------------------------------------------------
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: OpenShift Container Platform 4.4.3 cri-o security update
Advisory ID: RHSA-2020:1937-01
Product: Red Hat OpenShift Enterprise
Advisory URL: https://access.redhat.com/errata/RHSA-2020:1937
Issue date: 2020-05-04
CVE Names: CVE-2020-1702 CVE-2020-8945
=====================================================================
1. Summary:
An update for cri-o is now available for Red Hat OpenShift Container
Platform 4.4.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat OpenShift Container Platform 4.4 - x86_64
3. Description:
Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.
Security Fix(es):
* proglottis/gpgme: Use-after-free in GPGME bindings during container image
pull (CVE-2020-8945)
* containers/image: Container images read entire image manifest into memory
(CVE-2020-1702)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
4. Solution:
For OpenShift Container Platform 4.4 see the following documentation, which
will be updated shortly for release 4.4.3, for important instructions on
how to upgrade your cluster and fully apply this asynchronous errata
update:
https://docs.openshift.com/container-platform/4.4/release_notes/ocp-4-4-rel
ease-notes.html
Details on how to access this content are available at
https://docs.openshift.com/container-platform/4.4/updating/updating-cluster
- - -cli.html.
5. Bugs fixed (https://bugzilla.redhat.com/):
1792796 - CVE-2020-1702 containers/image: Container images read entire image manifest into memory
1795838 - CVE-2020-8945 proglottis/gpgme: Use-after-free in GPGME bindings during container image pull
6. Package List:
Red Hat OpenShift Container Platform 4.4:
Source:
cri-o-1.17.4-8.dev.rhaos4.4.git5f5c5e4.el7.src.rpm
x86_64:
cri-o-1.17.4-8.dev.rhaos4.4.git5f5c5e4.el7.x86_64.rpm
cri-o-debuginfo-1.17.4-8.dev.rhaos4.4.git5f5c5e4.el7.x86_64.rpm
Red Hat OpenShift Container Platform 4.4:
Source:
cri-o-1.17.4-8.dev.rhaos4.4.git5f5c5e4.el8.src.rpm
x86_64:
cri-o-1.17.4-8.dev.rhaos4.4.git5f5c5e4.el8.x86_64.rpm
cri-o-debuginfo-1.17.4-8.dev.rhaos4.4.git5f5c5e4.el8.x86_64.rpm
cri-o-debugsource-1.17.4-8.dev.rhaos4.4.git5f5c5e4.el8.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2020-1702
https://access.redhat.com/security/cve/CVE-2020-8945
https://access.redhat.com/security/updates/classification/#moderate
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2020 Red Hat, Inc.
- -------------------------------------------------------------------------------
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: OpenShift Container Platform 4.4.3 haproxy security update
Advisory ID: RHSA-2020:1936-01
Product: Red Hat OpenShift Enterprise
Advisory URL: https://access.redhat.com/errata/RHSA-2020:1936
Issue date: 2020-05-04
CVE Names: CVE-2019-18277 CVE-2019-19330 CVE-2020-11100
=====================================================================
1. Summary:
An update for haproxy is now available for Red Hat OpenShift Container
Platform 4.4.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat OpenShift Container Platform 4.4 - x86_64
3. Description:
Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.
Security Fix(es):
* haproxy: malformed HTTP/2 requests could lead to out-of-bounds writes
(CVE-2020-11100)
* haproxy: HTTP request smuggling issue with transfer-encoding header
containing an obfuscated "chunked" value (CVE-2019-18277)
* haproxy: HTTP/2 implementation was vulnerable to intermediary
encapsulation attacks (CVE-2019-19330)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s)
listed in the References section.
4. Solution:
For OpenShift Container Platform 4.4 see the following documentation, which
will be updated shortly for release 4.4.3, for important instructions on
how to upgrade your cluster and fully apply this asynchronous errata
update:
https://docs.openshift.com/container-platform/4.4/release_notes/ocp-4-4-rel
ease-notes.html
Details on how to access this content are available at
https://docs.openshift.com/container-platform/4.4/updating/updating-cluster
- - -cli.html.
5. Bugs fixed (https://bugzilla.redhat.com/):
1759697 - CVE-2019-18277 haproxy: HTTP request smuggling issue with transfer-encoding header containing an obfuscated "chunked" value
1777584 - CVE-2019-19330 haproxy: HTTP/2 implementation vulnerable to intermediary encapsulation attacks
1819111 - CVE-2020-11100 haproxy: malformed HTTP/2 requests can lead to out-of-bounds writes
6. Package List:
Red Hat OpenShift Container Platform 4.4:
Source:
haproxy-2.0.13-3.el7.src.rpm
x86_64:
haproxy-debuginfo-2.0.13-3.el7.x86_64.rpm
haproxy20-2.0.13-3.el7.x86_64.rpm
Red Hat OpenShift Container Platform 4.4:
Source:
haproxy-2.0.13-3.el8.src.rpm
x86_64:
haproxy-debugsource-2.0.13-3.el8.x86_64.rpm
haproxy20-2.0.13-3.el8.x86_64.rpm
haproxy20-debuginfo-2.0.13-3.el8.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2019-18277
https://access.redhat.com/security/cve/CVE-2019-19330
https://access.redhat.com/security/cve/CVE-2020-11100
https://access.redhat.com/security/updates/classification/#moderate
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2020 Red Hat, Inc.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXrDj+WaOgq3Tt24GAQg+5w//dLNP1UFcqa33YQNBRJFA2nA+tFoQ6iYi
3n1eDl0ckUCs/XUGcum+gqIo847Sdv0z+6al3vKbaVSE9s48WG/ckMFz9fc60aNF
8Vc5Vk28+9YD+HYEBWGXqZvET7O2UeWgkzqa4po+Nre76+EpJtCGloNXTd06uwIr
PLAC/TkFYcJCSCk8XQV0pVw4Jr7QZNodMjYe047BDmSrsDEnKgDVUquDR5G/ayrx
33NxGl6dbpqK66IYNiTawN75f0W8qLAUQcBVo7/dZ5KiN9kMNCk1TKsW2GHl2rAe
6sjrlmymJCbx6DL3sVDvz6bEe3aCONjSHuUSKXmO/uVFAqaJuICYIccXbD1LnASG
7/JDVXCRv/ZNBDMzy8YyDP7BnJ2Fcy7oNc9M2Jq8TxMv4fD5Yfc9S1/vNxfj9+mC
u2hruMwrlq8Q4Z4UeXDNrhP1gvZmP70cbN29ES2Ne1UFYw0LQoGBpk/pnGDbuItu
fBwntN2CA24d2UkGTuw7lTVRhxgsrrrIaG1j4uURgtW7TZHYAbh1J3SSKAimOh9z
HltBOKZ1D6oH9MB/WH2vaPIJChXlLxkfMAAwClFu7irMbXyHdV5edzUxBTNPtQaI
Su2FV1qlQN55UUpHUECKfF+zo7YHu6Uxg+IhmbJGV5dgoXtuh3PqpS/z2DCjtUMC
McDpB2JWlzQ=
=GK4j
-----END PGP SIGNATURE-----