-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.0234
           OpenShift Container Platform 4.6 compliance-operator
                        security and bug fix update
                              20 January 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           OpenShift Container Platform 4.6 compliance-operator
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated      
                   Overwrite Arbitrary Files       -- Existing Account            
                   Denial of Service               -- Remote/Unauthenticated      
                   Cross-site Scripting            -- Remote with User Interaction
                   Access Confidential Data        -- Remote/Unauthenticated      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-27813 CVE-2020-24659 CVE-2020-15503
                   CVE-2020-14422 CVE-2020-14391 CVE-2020-14382
                   CVE-2020-13632 CVE-2020-13631 CVE-2020-13630
                   CVE-2020-11793 CVE-2020-10029 CVE-2020-10018
                   CVE-2020-9925 CVE-2020-9915 CVE-2020-9895
                   CVE-2020-9894 CVE-2020-9893 CVE-2020-9862
                   CVE-2020-9850 CVE-2020-9843 CVE-2020-9807
                   CVE-2020-9806 CVE-2020-9805 CVE-2020-9803
                   CVE-2020-9802 CVE-2020-9327 CVE-2020-8492
                   CVE-2020-8177 CVE-2020-7595 CVE-2020-6405
                   CVE-2020-3902 CVE-2020-3901 CVE-2020-3900
                   CVE-2020-3899 CVE-2020-3897 CVE-2020-3895
                   CVE-2020-3894 CVE-2020-3885 CVE-2020-3868
                   CVE-2020-3867 CVE-2020-3865 CVE-2020-3864
                   CVE-2020-3862 CVE-2020-1971 CVE-2020-1752
                   CVE-2020-1751 CVE-2020-1730 CVE-2019-20916
                   CVE-2019-20907 CVE-2019-20807 CVE-2019-20454
                   CVE-2019-20388 CVE-2019-20387 CVE-2019-20218
                   CVE-2019-19956 CVE-2019-19906 CVE-2019-19221
                   CVE-2019-18197 CVE-2019-17450 CVE-2019-16935
                   CVE-2019-16168 CVE-2019-15903 CVE-2019-15165
                   CVE-2019-14889 CVE-2019-13627 CVE-2019-13050
                   CVE-2019-11068 CVE-2019-8846 CVE-2019-8844
                   CVE-2019-8835 CVE-2019-8823 CVE-2019-8820
                   CVE-2019-8819 CVE-2019-8816 CVE-2019-8815
                   CVE-2019-8814 CVE-2019-8813 CVE-2019-8812
                   CVE-2019-8811 CVE-2019-8808 CVE-2019-8783
                   CVE-2019-8782 CVE-2019-8771 CVE-2019-8769
                   CVE-2019-8766 CVE-2019-8764 CVE-2019-8743
                   CVE-2019-8720 CVE-2019-8710 CVE-2019-8625
                   CVE-2019-5018 CVE-2019-1551 CVE-2018-20843

Reference:         ASB-2020.0186
                   ASB-2020.0176
                   ASB-2020.0132
                   ASB-2020.0129
                   ESB-2021.0111
                   ESB-2020.3848

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2021:0190

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: OpenShift Container Platform 4.6 compliance-operator security and 
                             bug fix update
Advisory ID:       RHSA-2021:0190-01
Product:           Red Hat OpenShift Enterprise
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:0190
Issue date:        2021-01-19
CVE Names:         CVE-2018-20843 CVE-2019-1551 CVE-2019-5018 
                   CVE-2019-8625 CVE-2019-8710 CVE-2019-8720 
                   CVE-2019-8743 CVE-2019-8764 CVE-2019-8766 
                   CVE-2019-8769 CVE-2019-8771 CVE-2019-8782 
                   CVE-2019-8783 CVE-2019-8808 CVE-2019-8811 
                   CVE-2019-8812 CVE-2019-8813 CVE-2019-8814 
                   CVE-2019-8815 CVE-2019-8816 CVE-2019-8819 
                   CVE-2019-8820 CVE-2019-8823 CVE-2019-8835 
                   CVE-2019-8844 CVE-2019-8846 CVE-2019-11068 
                   CVE-2019-13050 CVE-2019-13627 CVE-2019-14889 
                   CVE-2019-15165 CVE-2019-15903 CVE-2019-16168 
                   CVE-2019-16935 CVE-2019-17450 CVE-2019-18197 
                   CVE-2019-19221 CVE-2019-19906 CVE-2019-19956 
                   CVE-2019-20218 CVE-2019-20387 CVE-2019-20388 
                   CVE-2019-20454 CVE-2019-20807 CVE-2019-20907 
                   CVE-2019-20916 CVE-2020-1730 CVE-2020-1751 
                   CVE-2020-1752 CVE-2020-1971 CVE-2020-3862 
                   CVE-2020-3864 CVE-2020-3865 CVE-2020-3867 
                   CVE-2020-3868 CVE-2020-3885 CVE-2020-3894 
                   CVE-2020-3895 CVE-2020-3897 CVE-2020-3899 
                   CVE-2020-3900 CVE-2020-3901 CVE-2020-3902 
                   CVE-2020-6405 CVE-2020-7595 CVE-2020-8177 
                   CVE-2020-8492 CVE-2020-9327 CVE-2020-9802 
                   CVE-2020-9803 CVE-2020-9805 CVE-2020-9806 
                   CVE-2020-9807 CVE-2020-9843 CVE-2020-9850 
                   CVE-2020-9862 CVE-2020-9893 CVE-2020-9894 
                   CVE-2020-9895 CVE-2020-9915 CVE-2020-9925 
                   CVE-2020-10018 CVE-2020-10029 CVE-2020-11793 
                   CVE-2020-13630 CVE-2020-13631 CVE-2020-13632 
                   CVE-2020-14382 CVE-2020-14391 CVE-2020-14422 
                   CVE-2020-15503 CVE-2020-24659 CVE-2020-27813 
=====================================================================

1. Summary:

An update for compliance-content-container,
ose-compliance-openscap-container, ose-compliance-operator-container, and
ose-compliance-operator-metadata-container is now available for Red Hat
OpenShift Container Platform 4.6.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.
The compliance-operator image updates are now available for OpenShift
Container Platform 4.6.

Security Fix(es):

* golang-github-gorilla-websocket: integer overflow leads to denial of
service (CVE-2020-27813)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Bug Fix(es):

* Aggregator pod tries to parse ConfigMaps without results (BZ#1899479)

* The compliancesuite object returns error with ocp4-cis tailored profile
(BZ#1902251)

* The compliancesuite does not trigger when there are multiple rhcos4
profiles added in scansettingbinding object (BZ#1902634)

* [OCP v46] Not all remediations get applied through machineConfig although
the status of all rules shows Applied in ComplianceRemediations object
(BZ#1907414)

* The profile parser pod deployment and associated profiles should get
removed after upgrade the compliance operator (BZ#1908991)

* Applying the "rhcos4-moderate" compliance profile leads to Ignition error
"something else exists at that path" (BZ#1909081)

* [OCP v46] Always update the default profilebundles on Compliance operator
startup (BZ#1909122)

3. Solution:

For OpenShift Container Platform 4.6 see the following documentation, which
will be updated shortly for this release, for important instructions on how
to upgrade your cluster and fully apply this asynchronous errata update:

https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-rel
ease-notes.html

Details on how to access this content are available at
https://docs.openshift.com/container-platform/4.6/updating/updating-cluster
- - -cli.html.

4. Bugs fixed (https://bugzilla.redhat.com/):

1899479 - Aggregator pod tries to parse ConfigMaps without results
1902111 - CVE-2020-27813 golang-github-gorilla-websocket: integer overflow leads to 
denial of service
1902251 - The compliancesuite object returns error with ocp4-cis tailored profile
1902634 - The compliancesuite does not trigger when there are multiple rhcos4 profiles 
added in scansettingbinding object
1907414 - [OCP v46] Not all remediations get applied through machineConfig although the 
status of all rules shows Applied in ComplianceRemediations object
1908991 - The profile parser pod deployment and associated profiles should get removed 
after upgrade the compliance operator
1909081 - Applying the "rhcos4-moderate" compliance profile leads to Ignition error 
"something else exists at that path"
1909122 - [OCP v46] Always update the default profilebundles on Compliance operator startup

5. References:

https://access.redhat.com/security/cve/CVE-2018-20843
https://access.redhat.com/security/cve/CVE-2019-1551
https://access.redhat.com/security/cve/CVE-2019-5018
https://access.redhat.com/security/cve/CVE-2019-8625
https://access.redhat.com/security/cve/CVE-2019-8710
https://access.redhat.com/security/cve/CVE-2019-8720
https://access.redhat.com/security/cve/CVE-2019-8743
https://access.redhat.com/security/cve/CVE-2019-8764
https://access.redhat.com/security/cve/CVE-2019-8766
https://access.redhat.com/security/cve/CVE-2019-8769
https://access.redhat.com/security/cve/CVE-2019-8771
https://access.redhat.com/security/cve/CVE-2019-8782
https://access.redhat.com/security/cve/CVE-2019-8783
https://access.redhat.com/security/cve/CVE-2019-8808
https://access.redhat.com/security/cve/CVE-2019-8811
https://access.redhat.com/security/cve/CVE-2019-8812
https://access.redhat.com/security/cve/CVE-2019-8813
https://access.redhat.com/security/cve/CVE-2019-8814
https://access.redhat.com/security/cve/CVE-2019-8815
https://access.redhat.com/security/cve/CVE-2019-8816
https://access.redhat.com/security/cve/CVE-2019-8819
https://access.redhat.com/security/cve/CVE-2019-8820
https://access.redhat.com/security/cve/CVE-2019-8823
https://access.redhat.com/security/cve/CVE-2019-8835
https://access.redhat.com/security/cve/CVE-2019-8844
https://access.redhat.com/security/cve/CVE-2019-8846
https://access.redhat.com/security/cve/CVE-2019-11068
https://access.redhat.com/security/cve/CVE-2019-13050
https://access.redhat.com/security/cve/CVE-2019-13627
https://access.redhat.com/security/cve/CVE-2019-14889
https://access.redhat.com/security/cve/CVE-2019-15165
https://access.redhat.com/security/cve/CVE-2019-15903
https://access.redhat.com/security/cve/CVE-2019-16168
https://access.redhat.com/security/cve/CVE-2019-16935
https://access.redhat.com/security/cve/CVE-2019-17450
https://access.redhat.com/security/cve/CVE-2019-18197
https://access.redhat.com/security/cve/CVE-2019-19221
https://access.redhat.com/security/cve/CVE-2019-19906
https://access.redhat.com/security/cve/CVE-2019-19956
https://access.redhat.com/security/cve/CVE-2019-20218
https://access.redhat.com/security/cve/CVE-2019-20387
https://access.redhat.com/security/cve/CVE-2019-20388
https://access.redhat.com/security/cve/CVE-2019-20454
https://access.redhat.com/security/cve/CVE-2019-20807
https://access.redhat.com/security/cve/CVE-2019-20907
https://access.redhat.com/security/cve/CVE-2019-20916
https://access.redhat.com/security/cve/CVE-2020-1730
https://access.redhat.com/security/cve/CVE-2020-1751
https://access.redhat.com/security/cve/CVE-2020-1752
https://access.redhat.com/security/cve/CVE-2020-1971
https://access.redhat.com/security/cve/CVE-2020-3862
https://access.redhat.com/security/cve/CVE-2020-3864
https://access.redhat.com/security/cve/CVE-2020-3865
https://access.redhat.com/security/cve/CVE-2020-3867
https://access.redhat.com/security/cve/CVE-2020-3868
https://access.redhat.com/security/cve/CVE-2020-3885
https://access.redhat.com/security/cve/CVE-2020-3894
https://access.redhat.com/security/cve/CVE-2020-3895
https://access.redhat.com/security/cve/CVE-2020-3897
https://access.redhat.com/security/cve/CVE-2020-3899
https://access.redhat.com/security/cve/CVE-2020-3900
https://access.redhat.com/security/cve/CVE-2020-3901
https://access.redhat.com/security/cve/CVE-2020-3902
https://access.redhat.com/security/cve/CVE-2020-6405
https://access.redhat.com/security/cve/CVE-2020-7595
https://access.redhat.com/security/cve/CVE-2020-8177
https://access.redhat.com/security/cve/CVE-2020-8492
https://access.redhat.com/security/cve/CVE-2020-9327
https://access.redhat.com/security/cve/CVE-2020-9802
https://access.redhat.com/security/cve/CVE-2020-9803
https://access.redhat.com/security/cve/CVE-2020-9805
https://access.redhat.com/security/cve/CVE-2020-9806
https://access.redhat.com/security/cve/CVE-2020-9807
https://access.redhat.com/security/cve/CVE-2020-9843
https://access.redhat.com/security/cve/CVE-2020-9850
https://access.redhat.com/security/cve/CVE-2020-9862
https://access.redhat.com/security/cve/CVE-2020-9893
https://access.redhat.com/security/cve/CVE-2020-9894
https://access.redhat.com/security/cve/CVE-2020-9895
https://access.redhat.com/security/cve/CVE-2020-9915
https://access.redhat.com/security/cve/CVE-2020-9925
https://access.redhat.com/security/cve/CVE-2020-10018
https://access.redhat.com/security/cve/CVE-2020-10029
https://access.redhat.com/security/cve/CVE-2020-11793
https://access.redhat.com/security/cve/CVE-2020-13630
https://access.redhat.com/security/cve/CVE-2020-13631
https://access.redhat.com/security/cve/CVE-2020-13632
https://access.redhat.com/security/cve/CVE-2020-14382
https://access.redhat.com/security/cve/CVE-2020-14391
https://access.redhat.com/security/cve/CVE-2020-14422
https://access.redhat.com/security/cve/CVE-2020-15503
https://access.redhat.com/security/cve/CVE-2020-24659
https://access.redhat.com/security/cve/CVE-2020-27813
https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYAblAtzjgjWX9erEAQjf/Q//YNdFlDK9QrIbBGzkynIbI5Yj4Mm2vDRv
P9MA8zRy9e9BC1uiTPYj4ifQLm2hnPi4CEjLrOsPY8J3Q0/goLTXuZhb+a3bU2NW
F/OrLE8/Igc8fkBhvoc+1jwWMC3V7sEw/b30mGOYXyKHkvBZRv099HxnT5sV50MM
aFA0itRzgmfsJrPrvu2ax5jO/xE2RflXs2J77PyZsisRaJYYEboRjappyXFvg4GR
b62pctQwb8CDh68FAqOULflEQrbrdg0wjKGWpD+Hj0FCPkvvJDFoWANBH+zR3K20
CYYnpXRNSPmPVi0vQRql+Uda8u50OYn7UcL7kMELaHWGFqssdrW2vgeKR/cXFKaC
lJjgDS/VJ9mVWeQ5EdJhqcFIkQ3bEr9JocfSQets8u/9ionzCQfXvJLmILWXH3la
s5FqjEhDB7o58agzaDFr896VDbm1e9IIFRbj+1lQt0RCTmQMdpR/fDcSq8yqIxt3
JHN00w3KcdRLNyuROSdgyWXCodZbsedIdFnmEPo9Gcua4p+y8JLXJHUM5jLDyrgP
Aov70YZ02GXmRJ6gtB5PJi6wDKYI6qSI98tTKHBCHObDyAYqoq/tXL4LBOEgLZ3k
M6rYHTdJAXUZnmkuWg7Tm7W8gpDIDHj/66AxD5IuZFSbO0jD3LqEkDgRhzkwLr0a
KI+n4hxjzV0=
=+kgB
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYAerWONLKJtyKPYoAQjRqQ/8Ch6G3YcyxxxYS+xpSv6gKZEz0DZd30o9
wnqMhJTnOJ8A/48zvgVQp+526D3Tpd6MTDyge8fU/lG9noR+39gOuEw/PqpT7ux1
L5NQEdDVYAY6kvVofjR85j35aLVTSdkpPask9aSvBb7lLpq1ZqHrnMbnnROKVy4q
YVM1E09jWls4U1TI1tPSm7vgtpKCX/uq+0YurZDPmRcE0oJP1GKqoVvibN1gwsAH
Y+P/nhCM1u32IwI8jdQAZDvEDO4lYmpIiGTMEjFcshvboyPbK4pZwCHParwpphET
+swCIgDaraRqnq7H+RgpJafZENQF9UyV6hLmadujvZdUFHKv0f097PH9Pm1waVef
WUQx6nYAMFXuFZvHIqzBEhyIw5NNsm3PovkIo2d9P2sJoh4wsqyxR/YY9u5ISupa
91JEE6T4RHu0xpyaVLDmO6dvnXXcpKqtWsNxXqGG0U199SXLPUzDcnvql4AzK8vv
BjwdnQd5wMptbC+4Hg9DLh7ligAVvLcGxfrM5YIsda1gYPAuVTocSewjMeVaiBrE
N4UkaDQWwHLrtg9Cr82/76VKCQHRHgoKkAtKFDIiaTRYh4X83hJxvUit/xqNlD/r
Wmrygk06GU1eiJ8TdsWuV0ARCJQ5aD8jhtoZrVbcsYCLcV7VBY+MykRPQiSQKeVu
Utas575ixCM=
=8xbL
-----END PGP SIGNATURE-----