Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2020.2108 OpenShift Container Platform 4.4.8 security updates 18 June 2020 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: OpenShift Container Platform 4.4.8 Publisher: Red Hat Operating System: Red Hat Red Hat Enterprise Linux Server 7 Red Hat Enterprise Linux Server 8 Impact/Access: Access Privileged Data -- Existing Account Denial of Service -- Remote/Unauthenticated Provide Misleading Information -- Existing Account Reduced Security -- Existing Account Resolution: Patch/Upgrade CVE Names: CVE-2020-10749 CVE-2020-8617 CVE-2020-8616 CVE-2020-8555 Reference: ESB-2020.2095 ESB-2020.1975 ESB-2020.1932 ESB-2020.1898 Original Bulletin: https://access.redhat.com/errata/RHSA-2020:2403 https://access.redhat.com/errata/RHSA-2020:2448 https://access.redhat.com/errata/RHSA-2020:2449 Comment: This bulletin contains three (3) Red Hat security advisories. - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: OpenShift Container Platform 4.4.8 containernetworking-plugins security update Advisory ID: RHSA-2020:2403-01 Product: Red Hat OpenShift Enterprise Advisory URL: https://access.redhat.com/errata/RHSA-2020:2403 Issue date: 2020-06-17 CVE Names: CVE-2020-10749 ===================================================================== 1. Summary: An update for containernetworking-plugins is now available for Red Hat OpenShift Container Platform 4.4. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat OpenShift Container Platform 4.4 - x86_64 3. Description: Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. Security Fix(es): * containernetworking/plugins: IPv6 router advertisements allowed for MITM attacks on IPv4 clusters (CVE-2020-10749) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: For OpenShift Container Platform 4.4 see the following documentation, which will be updated shortly for release 4.4.8, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update: https://docs.openshift.com/container-platform/4.4/release_notes/ocp-4-4-rel ease-notes.html Details on how to access this content are available at https://docs.openshift.com/container-platform/4.4/updating/updating-cluster - - -cli.html. 5. Bugs fixed (https://bugzilla.redhat.com/): 1833220 - CVE-2020-10749 containernetworking/plugins: IPv6 router advertisements allow for MitM attacks on IPv4 clusters 6. Package List: Red Hat OpenShift Container Platform 4.4: Source: containernetworking-plugins-0.8.6-1.rhaos4.4.el7.src.rpm x86_64: containernetworking-plugins-0.8.6-1.rhaos4.4.el7.x86_64.rpm containernetworking-plugins-debuginfo-0.8.6-1.rhaos4.4.el7.x86_64.rpm Red Hat OpenShift Container Platform 4.4: Source: containernetworking-plugins-0.8.6-1.rhaos4.4.el8.src.rpm x86_64: containernetworking-plugins-0.8.6-1.rhaos4.4.el8.x86_64.rpm containernetworking-plugins-debuginfo-0.8.6-1.rhaos4.4.el8.x86_64.rpm containernetworking-plugins-debugsource-0.8.6-1.rhaos4.4.el8.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2020-10749 https://access.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2020 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBXuqCgtzjgjWX9erEAQgldg//dI4fyAcV9q5QBvC9yCj5buf9w182Z/Nt 6zy1zvJAAs2I0z28WFYvZtD1Zu/OjiVcWxDmV8WpksdL01eqK+PWqzSJn7UhJNJZ E7VNE03KAU8Gix2YNKfiVzPSAuAkSjKHBKbHOxc0ZcuXExqVfzL66+o+LMP/Gpdo dciqLtilozriTWsiw9pehoAb9brTlRzjdv3NvY+XklBMa7z3UmF6Hjn7qZd9PnJK 8xkzgezv77n4wzW/IYBGh1/GCct5SxJTU5LsFJMRQy+IV24gV83CHYBwwQBe/uVO 9PTxuUtHYd7f/gnX3ePKxEaOPHb6wiFqQS+N8yOFHqtKl1FnrWSOrKl87pBOz12k Cwlo0kBHjZzb0aQ0vQEjJHL9ywImNnULJk2Ck1x/x5Ked4PtTDrNqjRBMAJoegOm 5WUmhxxjw1Lf7iq51BjVG/aJ69WOume1SOw+3+fb43ZFulzgZbFmVia2UJ7qIPVi 0s4Ccpu1Kbd4hRmDZrYeHuTyOFW0W3RMzuw0kIP0I0v7qOo2AwmHOHux1mqjAPZ8 c3peTFIKooWo9k+s/9hEJfCOr31Znc7R5jeg/13M3ARqYoMvZ/Ij2L/fHSFZUOKC RNE8/cJfOFdv97SGkK9ke7YD7Q+30jCiAxY3XBKB5kMQvtRxcl3RcNKvRL0nQ8Qo rmXmjtJqNZo= =RWvT - -----END PGP SIGNATURE----- - -------------------------------------------------------------------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: OpenShift Container Platform 4.4.8 openshift security update Advisory ID: RHSA-2020:2448-01 Product: Red Hat OpenShift Enterprise Advisory URL: https://access.redhat.com/errata/RHSA-2020:2448 Issue date: 2020-06-17 CVE Names: CVE-2020-8555 ===================================================================== 1. Summary: An update for openshift is now available for Red Hat OpenShift Container Platform 4.4. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat OpenShift Container Platform 4.4 - x86_64 3. Description: Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. Security Fix(es): * kubernetes: Server side request forgery (SSRF) in kube-controller-manager allowed users to leak secret information (CVE-2020-8555) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: For OpenShift Container Platform 4.4 see the following documentation, which will be updated shortly for release 4.4.8, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update: https://docs.openshift.com/container-platform/4.4/release_notes/ocp-4-4-rel ease-notes.html Details on how to access this content are available at https://docs.openshift.com/container-platform/4.4/updating/updating-cluster - - -cli.html. 5. Bugs fixed (https://bugzilla.redhat.com/): 1821583 - CVE-2020-8555 kubernetes: Server side request forgery (SSRF) in kube-controller-manager allows users to leak secret information 6. Package List: Red Hat OpenShift Container Platform 4.4: Source: openshift-4.4.0-202006061254.git.1.dc84fb4.el7.src.rpm x86_64: openshift-hyperkube-4.4.0-202006061254.git.1.dc84fb4.el7.x86_64.rpm Red Hat OpenShift Container Platform 4.4: Source: openshift-4.4.0-202006061254.git.1.dc84fb4.el8.src.rpm x86_64: openshift-hyperkube-4.4.0-202006061254.git.1.dc84fb4.el8.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2020-8555 https://access.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2020 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBXup6xtzjgjWX9erEAQjJBQ/+I5fLqBvE6AUBZaXyk5ZnVGzzUvzq1eQ7 4b8ZmVf/ffl3QPY7q5qhdDkoooVr2TWaKZUeQ0rn/4X7T/iXDduepK4BIP5luZpo BgQ3k2kwPpUrazaPWf5NCASTacL+SZROHDM0n0narsBo+UvL2jPJ9SzbWJdCepo6 ggAOiWkjvUoU12k8B1LXACBqz9ehCM25i8c9gMeia6MGqNIS0m0jGDXs2OfYPpx7 hWACT22VYaD3Pe3ulu74Rp62zf8e7uiXF6eU15ra1n1T5++WLfHiG9vyVvH4fiOK +9dNNUF5oB602mH2NWVD0mSi9ppeg7TAamxMJcu8YBj/9meGfXFnTjyaxlUlf4W/ UafP6sfi6h04roNU7QiIwxcToBe6h9yFzE8sdO+ugdyDGRcaDqX2THv94/Tr1YzI k/5naNEtLe+7VMXaSS9FGfak8n2wiGWXzx/PpiYNe/thnJs/iun4Mx6B+fgj7j+F 3y3SnHOoO3Ne/7c+cJw4Fi98BDwe1KzIDlpuEjU/ayI7h/YUuEdCAjD5kgTM7Sg7 Y55usDvu2DCLhiFtFj0Og5pKPlYIFF9t5T3QmnV8GfcgR+DcHUaUcvadn1ujltgS awfm0IvCcac0fDagRgVhMa8jkPP+SA6ASIItW1XmyW7gGXayFG1RvcoyRbsROBZV H+S0/2g665w= =r88T - -----END PGP SIGNATURE----- - -------------------------------------------------------------------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: OpenShift Container Platform 4.4.8 openshift-enterprise-hyperkube-container security update Advisory ID: RHSA-2020:2449-01 Product: Red Hat OpenShift Enterprise Advisory URL: https://access.redhat.com/errata/RHSA-2020:2449 Issue date: 2020-06-17 CVE Names: CVE-2020-8555 CVE-2020-8616 CVE-2020-8617 ===================================================================== 1. Summary: An update for openshift-enterprise-hyperkube-container is now available for Red Hat OpenShift Container Platform 4.4. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. Security Fix(es): * kubernetes: Server side request forgery (SSRF) in kube-controller-manager allowed users to leak secret information (CVE-2020-8555) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 3. Solution: For OpenShift Container Platform 4.4 see the following documentation, which will be updated shortly for release 4.4.8, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update: https://docs.openshift.com/container-platform/4.4/release_notes/ocp-4-4-rel ease-notes.html Details on how to access this content are available at https://docs.openshift.com/container-platform/4.4/updating/updating-cluster - - -cli.html. 4. Bugs fixed (https://bugzilla.redhat.com/): 1821583 - CVE-2020-8555 kubernetes: Server side request forgery (SSRF) in kube-controller-manager allows users to leak secret information 5. References: https://access.redhat.com/security/cve/CVE-2020-8555 https://access.redhat.com/security/cve/CVE-2020-8616 https://access.redhat.com/security/cve/CVE-2020-8617 https://access.redhat.com/security/updates/classification/#moderate 6. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2020 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBXuqLpdzjgjWX9erEAQhgUA/+MFyqE3dTMThkrC7DSqFvfYkP07atApMQ +jNb8tzAuHnYOw/BNe1Z9ytPTlnwAEXtzW/02i6gZh/Z0gqw5wVQxmVxhxMrDYwd 97o+OR6VZU/iQi5UFhfHIutGiyjpOrEdc/kJx22Q0ANMt/4LHAlAm2PpYA4LZTOD 9jdhoOFjJ+yqK2CctcecYZZUTQGTMP3crgbKUdQwm7g74IZ1ccoCPltP+4kAMItf Kwe50v8ixRBSHsqaVNwFLp3Z5JT+HmjFSih0nrSxXZgejNgOw/QNsiJOCyRvGiW6 J9HfBu3OTN62Sre/3Wn1hA6cqokRqP8mAeKvi+AnB89S2dJANH2oahWdq6ixZ5JU l2vNltG6l4m7CVCzwfEJusWXwPU2wKLtmVUMXPEow/1QcJwPOg/UIr9/Rsf2OD1h G9EzTPiyVx1JfFvTbcGyN4q0Rt/20N5pEm5aZyER/zZLzGcToJB4lNuVTvIw5LBQ rHJ44tyg2VfGwft+hx2vhCbJBjkx/LJkkN2h4S5j5VbmDebto4TFUurlFsqTnBny 7mQ4zePo+c2/Feg8aKYMiefS28xfNm544hxnaBa5XmLcupUBlGsDYIs3MIRU/ca8 h2Vxnt799XSIhBJbLRJ6+iWeKUFSEZi9H9E13ufbLBXVYnCaoK5W3+Lu1gTnOe8c qPICdsri8Pg= =GfPf - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBXurd3eNLKJtyKPYoAQgDXw/8CCh5qZVf3HCf0t3sKu+YLf233mieCZnQ 8VwzOrzy2fieaZ/7aXFqaNDwmXom+oySwzk7ZI3LAiBzpMyPXduxyf8tqFWrOEe0 wYi1jEfzrs8zsxCEGoviS4zI3oyc30FBeWmnqPp1MbUZGdIaeQP2pHTPZVTDRjPl K2EWlvpESSnkxanDjB3QQdVJP20MUMHK7PU7MehZUQSjuk8Jc45ijbZrvDYGeJ9M gupeERQAZgqCDpnsTW+TPdr805mM0G5sAxYjfuXsOW2lQJDxyxpKLbz3zc+NK0Et gek/IpdV5oGSFzOhQUAHKFwIBizwe5BlnZZINGU4XumvENAzSuYGvCQYVc6EcR5s qZwJnPghm7vQI+IrLbb+fNKjR2KhEIMR3F4ffU3GXLjCngmKKcB+N8waAcAdGiZG VlweJ3qWF32UfOX7IJglfaDZjJ6aiqdj4sEAHK39EUnEOBd+lBGjXtfkofsRdOiE Bolt2yPDiRZgHBtLasl0ZTeuUGX5zegGe3hFHZdZcVA6W7TZtVrZtyOhW1ADXzYC DWxSohtNEOXhv7B2trn9MSaG7vAyki2LpjSyyRjkq6KeuFG4UukvnNz3rGY3lCxz 7vGhPILD/u5KXWDniMSwiOBGIyNatSRcI37d1LBdmpKPZE71amakpzsrfAj1VzA7 yt6bn7ShJQE= =gb7S -----END PGP SIGNATURE-----