===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.2155
     Red Hat OpenShift Jaeger 1.17.3 container images security update
                               22 June 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           OpenShift Jaeger 1.17.3 container images
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Access Confidential Data -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-10750  

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2020:2636

--------------------------BEGIN INCLUDED TEXT--------------------

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat OpenShift Jaeger 1.17.3 container images security update
Advisory ID:       RHSA-2020:2636-01
Product:           Red Hat OpenShift Jaeger
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:2636
Issue date:        2020-06-19
CVE Names:         CVE-2020-10750 
=====================================================================

1. Summary:

An update for jaeger-all-in-one-rhel7-container,
jaeger-collector-rhel7-container, and jaeger-ingester-rhel7-container is
now available for Jaeger-1.17.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Jaeger is Red Hat's distribution of the Jaeger project,
tailored for installation into an on-premise OpenShift Container Platform
installation.

Security Fix(es):

* jaegertracing/jaeger: credentials leaked to container logs
(CVE-2020-10750)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://docs.openshift.com/container-platform/4.4/jaeger/jaeger_install/rhbjaeger-updating.html

4. Bugs fixed (https://bugzilla.redhat.com/):

1838401 - CVE-2020-10750 jaegertracing/jaeger: credentials leaked to container logs

5. References:

https://access.redhat.com/security/cve/CVE-2020-10750
https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce

--------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================