-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.2306
   Red Hat OpenShift Jaeger 1.17.2 jaeger-all-in-one-rhel7-container and
               jaeger-query-rhel7-container security update
                                7 July 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Red Hat OpenShift Jaeger 1.17.2 container images
Publisher:         Red Hat
Operating System:  Red Hat Enterprise Linux WS/Desktop 7
                   Red Hat Enterprise Linux Server 7
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-10744  

Reference:         ESB-2020.1925
                   ESB-2020.0010
                   ESB-2019.4290.3
                   ESB-2019.3809

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2020:2819

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat OpenShift Jaeger 1.17.2 jaeger-all-in-one-rhel7-container and jaeger-query-rhel7-container security update
Advisory ID:       RHSA-2020:2819-01
Product:           Red Hat OpenShift Jaeger
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:2819
Issue date:        2020-07-06
CVE Names:         CVE-2019-10744 
=====================================================================

1. Summary:

An update for jaeger-all-in-one-rhel7-container and
jaeger-query-rhel7-container is now available for Jaeger-1.17.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Jaeger is Red Hat's distribution of the Jaeger project,
tailored for installation into an on-premise OpenShift Container Platform
installation.

Security Fix(es):

* nodejs-lodash: prototype pollution in defaultsDeep function leading to
modifying properties (CVE-2019-10744)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://docs.openshift.com/container-platform/4.3/jaeger/jaeger_install/rhbjaeger-updating.html

4. Bugs fixed (https://bugzilla.redhat.com/):

1739497 - CVE-2019-10744 nodejs-lodash: prototype pollution in defaultsDeep function leading to modifying properties

5. References:

https://access.redhat.com/security/cve/CVE-2019-10744
https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----