Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2021.0599
OpenShift Container Platform 4.6.17 security and packages update
18 February 2021
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: OpenShift Container Platform 4.6.17
Publisher: Red Hat
Operating System: Red Hat
Impact/Access: Execute Arbitrary Code/Commands -- Existing Account
Cross-site Scripting -- Existing Account
Denial of Service -- Existing Account
Access Confidential Data -- Existing Account
Reduced Security -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2021-21615 CVE-2021-21611 CVE-2021-21610
CVE-2021-21609 CVE-2021-21608 CVE-2021-21607
CVE-2021-21606 CVE-2021-21605 CVE-2021-21604
CVE-2021-21603 CVE-2021-21602 CVE-2020-11979
CVE-2020-1945
Reference: ESB-2021.0284
ESB-2020.2472
ESB-2020.1680
Original Bulletin:
https://access.redhat.com/errata/RHSA-2021:0423
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Important: OpenShift Container Platform 4.6.17 security and packages update
Advisory ID: RHSA-2021:0423-01
Product: Red Hat OpenShift Enterprise
Advisory URL: https://access.redhat.com/errata/RHSA-2021:0423
Issue date: 2021-02-17
CVE Names: CVE-2020-1945 CVE-2020-11979 CVE-2021-21602
CVE-2021-21603 CVE-2021-21604 CVE-2021-21605
CVE-2021-21606 CVE-2021-21607 CVE-2021-21608
CVE-2021-21609 CVE-2021-21610 CVE-2021-21611
CVE-2021-21615
=====================================================================
1. Summary:
Red Hat OpenShift Container Platform release 4.6.17 is now available with
updates to packages and images that fix several bugs.
This release includes a security update for Red Hat OpenShift Container
Platform 4.6.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat OpenShift Container Platform 4.6 - noarch, ppc64le, s390x, x86_64
3. Description:
Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.
This advisory contains the RPM packages for Red Hat OpenShift Container
Platform 4.6.17. See the following advisory for the container images for
this release:
https://access.redhat.com/errata/RHBA-2021:0424
Security Fix(es):
* jenkins: XSS vulnerability in notification bar (CVE-2021-21603)
* jenkins: Improper handling of REST API XML deserialization errors
(CVE-2021-21604)
* jenkins: Path traversal vulnerability in agent names (CVE-2021-21605)
* jenkins: Stored XSS vulnerability in button labels (CVE-2021-21608)
* jenkins: Reflected XSS vulnerability in markup formatter preview
(CVE-2021-21610)
* jenkins: Stored XSS vulnerability on new item page (CVE-2021-21611)
* ant: insecure temporary file vulnerability (CVE-2020-1945)
* ant: insecure temporary file (CVE-2020-11979)
* jenkins: Arbitrary file read vulnerability in workspace browsers
(CVE-2021-21602)
* jenkins: Arbitrary file existence check in file fingerprints
(CVE-2021-21606)
* jenkins: Excessive memory allocation in graph URLs leads to denial of
service (CVE-2021-21607)
* jenkins: Filesystem traversal by privileged users (CVE-2021-21615)
* jenkins: Missing permission check for paths with specific prefix
(CVE-2021-21609)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
4. Solution:
For OpenShift Container Platform 4.6 see the following documentation, which
will be updated shortly for this release, for important instructions on how
to upgrade your cluster and fully apply this asynchronous errata update:
https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-rel
ease-notes.html
Details on how to access this content are available at
https://docs.openshift.com/container-platform/4.6/updating/updating-cluster
- - -cli.html.
5. Bugs fixed (https://bugzilla.redhat.com/):
1837444 - CVE-2020-1945 ant: insecure temporary file vulnerability
1903702 - CVE-2020-11979 ant: insecure temporary file
1921322 - CVE-2021-21615 jenkins: Filesystem traversal by privileged users
1925140 - CVE-2021-21608 jenkins: Stored XSS vulnerability in button labels
1925141 - CVE-2021-21609 jenkins: Missing permission check for paths with specific prefix
1925143 - CVE-2021-21605 jenkins: Path traversal vulnerability in agent names
1925145 - CVE-2021-21611 jenkins: Stored XSS vulnerability on new item page
1925151 - CVE-2021-21610 jenkins: Reflected XSS vulnerability in markup formatter preview
1925156 - CVE-2021-21607 jenkins: Excessive memory allocation in graph URLs leads to denial of service
1925157 - CVE-2021-21604 jenkins: Improper handling of REST API XML deserialization errors
1925159 - CVE-2021-21606 jenkins: Arbitrary file existence check in file fingerprints
1925160 - CVE-2021-21603 jenkins: XSS vulnerability in notification bar
1925161 - CVE-2021-21602 jenkins: Arbitrary file read vulnerability in workspace browsers
1925674 - Placeholder bug for OCP 4.6.0 rpm release
6. Package List:
Red Hat OpenShift Container Platform 4.6:
Source:
cri-o-1.19.1-7.rhaos4.6.git6377f68.el7.src.rpm
openshift-4.6.0-202102050212.p0.git.94265.716fcf8.el7.src.rpm
openshift-ansible-4.6.0-202102031649.p0.git.0.bf90f86.el7.src.rpm
openshift-clients-4.6.0-202102050644.p0.git.3831.1c61c6b.el7.src.rpm
runc-1.0.0-82.rhaos4.6.git086e841.el7.src.rpm
noarch:
openshift-ansible-4.6.0-202102031649.p0.git.0.bf90f86.el7.noarch.rpm
openshift-ansible-test-4.6.0-202102031649.p0.git.0.bf90f86.el7.noarch.rpm
x86_64:
cri-o-1.19.1-7.rhaos4.6.git6377f68.el7.x86_64.rpm
cri-o-debuginfo-1.19.1-7.rhaos4.6.git6377f68.el7.x86_64.rpm
openshift-clients-4.6.0-202102050644.p0.git.3831.1c61c6b.el7.x86_64.rpm
openshift-clients-redistributable-4.6.0-202102050644.p0.git.3831.1c61c6b.el7.x86_64.rpm
openshift-hyperkube-4.6.0-202102050212.p0.git.94265.716fcf8.el7.x86_64.rpm
runc-1.0.0-82.rhaos4.6.git086e841.el7.x86_64.rpm
runc-debuginfo-1.0.0-82.rhaos4.6.git086e841.el7.x86_64.rpm
Red Hat OpenShift Container Platform 4.6:
Source:
atomic-openshift-service-idler-4.6.0-202102031810.p0.git.15.dcab90a.el8.src.rpm
jenkins-2-plugins-4.6.1612257979-1.el8.src.rpm
jenkins-2.263.3.1612434510-1.el8.src.rpm
openshift-4.6.0-202102050212.p0.git.94265.716fcf8.el8.src.rpm
openshift-clients-4.6.0-202102050644.p0.git.3831.1c61c6b.el8.src.rpm
openshift-kuryr-4.6.0-202102031810.p0.git.2225.a3ab872.el8.src.rpm
python-rsa-4.7-1.el8.src.rpm
runc-1.0.0-82.rhaos4.6.git086e841.el8.src.rpm
noarch:
jenkins-2-plugins-4.6.1612257979-1.el8.noarch.rpm
jenkins-2.263.3.1612434510-1.el8.noarch.rpm
openshift-kuryr-cni-4.6.0-202102031810.p0.git.2225.a3ab872.el8.noarch.rpm
openshift-kuryr-common-4.6.0-202102031810.p0.git.2225.a3ab872.el8.noarch.rpm
openshift-kuryr-controller-4.6.0-202102031810.p0.git.2225.a3ab872.el8.noarch.rpm
python3-kuryr-kubernetes-4.6.0-202102031810.p0.git.2225.a3ab872.el8.noarch.rpm
python3-rsa-4.7-1.el8.noarch.rpm
ppc64le:
atomic-openshift-service-idler-4.6.0-202102031810.p0.git.15.dcab90a.el8.ppc64le.rpm
openshift-clients-4.6.0-202102050644.p0.git.3831.1c61c6b.el8.ppc64le.rpm
openshift-hyperkube-4.6.0-202102050212.p0.git.94265.716fcf8.el8.ppc64le.rpm
runc-1.0.0-82.rhaos4.6.git086e841.el8.ppc64le.rpm
runc-debuginfo-1.0.0-82.rhaos4.6.git086e841.el8.ppc64le.rpm
runc-debugsource-1.0.0-82.rhaos4.6.git086e841.el8.ppc64le.rpm
s390x:
atomic-openshift-service-idler-4.6.0-202102031810.p0.git.15.dcab90a.el8.s390x.rpm
openshift-clients-4.6.0-202102050644.p0.git.3831.1c61c6b.el8.s390x.rpm
openshift-hyperkube-4.6.0-202102050212.p0.git.94265.716fcf8.el8.s390x.rpm
runc-1.0.0-82.rhaos4.6.git086e841.el8.s390x.rpm
runc-debuginfo-1.0.0-82.rhaos4.6.git086e841.el8.s390x.rpm
runc-debugsource-1.0.0-82.rhaos4.6.git086e841.el8.s390x.rpm
x86_64:
atomic-openshift-service-idler-4.6.0-202102031810.p0.git.15.dcab90a.el8.x86_64.rpm
openshift-clients-4.6.0-202102050644.p0.git.3831.1c61c6b.el8.x86_64.rpm
openshift-clients-redistributable-4.6.0-202102050644.p0.git.3831.1c61c6b.el8.x86_64.rpm
openshift-hyperkube-4.6.0-202102050212.p0.git.94265.716fcf8.el8.x86_64.rpm
runc-1.0.0-82.rhaos4.6.git086e841.el8.x86_64.rpm
runc-debuginfo-1.0.0-82.rhaos4.6.git086e841.el8.x86_64.rpm
runc-debugsource-1.0.0-82.rhaos4.6.git086e841.el8.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2020-1945
https://access.redhat.com/security/cve/CVE-2020-11979
https://access.redhat.com/security/cve/CVE-2021-21602
https://access.redhat.com/security/cve/CVE-2021-21603
https://access.redhat.com/security/cve/CVE-2021-21604
https://access.redhat.com/security/cve/CVE-2021-21605
https://access.redhat.com/security/cve/CVE-2021-21606
https://access.redhat.com/security/cve/CVE-2021-21607
https://access.redhat.com/security/cve/CVE-2021-21608
https://access.redhat.com/security/cve/CVE-2021-21609
https://access.redhat.com/security/cve/CVE-2021-21610
https://access.redhat.com/security/cve/CVE-2021-21611
https://access.redhat.com/security/cve/CVE-2021-21615
https://access.redhat.com/security/updates/classification/#important
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2021 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBYC1po9zjgjWX9erEAQic3RAAj/bu+UIqdzRJGa69U9RIVqVuAfWB8KbB
94qVZbubcl9xd49ODvBGm4bF+wvJqt8TzxKM2YAUc1P6S7o3Ux7DdDr/b39B9ODd
KHwZCojEZnWLIc1NPzKbixmX9Ph1wvUGOBsqHbR5coX9KowP54k/Lut1zAPK0jPM
mj6J8LxKNAiGBZYAi5+V5dkB/8yduRj6SYLrQagR5T+txV+n/DyjyKlouwAIQg8f
kXOiyBCNORm2JTDv0IEgWAkK0i6B800rWjpm59wx9nKjmloQo7PsP+P4ywYaB605
J2tS49PaU0e5uw49dCp4eteMf/SoXpWa9UkQ6sK2YHmpAOyBvfT35VZz4IKMsbQi
njfg1boMQ9Q2IH6EWcL5I8GMWYXr7z3KPFd7WeuZlOGbQ5UDLhVu2TWZTZyI6HE2
wzCAkaETPHoEnI+OYR3CakzXjkoqlVt9L/BLZ4y/qnHPOLLy2U6g141KQDJ7Djrk
nIEtNASMVsRQwe6AjwiboCDYiT2Vgto6eS7GQB5ona7BWS1Eq0NtobhJxIjkRrCa
wwze2yoJgOwSHPaA57xdVVPizICbGUMnnGQJGGnRBUYHqyoeP72m5XDp2xEomBkG
4C5uEOH3zkIbLm0EL6hF2wRk5GbX75gqOVZJGaAbS9bVcKQIOmhcu7jwkgeLKks6
y6RzbAshJa0=
=f9tH
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYC3X2ONLKJtyKPYoAQhmJg//edbBjyN4etFirJrPvUyKRKAe5f45aNLV
2ZoQXA6ERE2tWJwynILkMSmqXSr7Ic6Xa16kX46hDSiwjW/XukhtoCYE1hWN53wu
J9mArdUrqtkDzF4vXKGzNMWpdiGwxC+Esp28LfR1A6sVQLTVC7cZoW2jPX75vad6
ijMM/KvMaUokagmpbL1nOJU5576BtmOdnxOQzXnlsLodJPZ/woSXJRyXfqyltU66
NhWHftnCehUQK/5OmjpEj0hyfoGVYvMbtkgJS0pTmoNK2xFaFlxtUkb9U5zFnBa0
9n9I+miDsn7azHbOUZb9h+JD2zfPLtCZFVluFVarJfX1eMeE/KDAQI65siRFfQuW
CDHIlQuGvz4lKar40TARcRYRoy88UVOjGUl4NzZG6JEJEm5YJ7fjeDt9XR9usVPL
lAEyKHz7gCX5kw8YhfnTvwQpc11V0kz0n6FUOGDtkp21nMVu8PxFr4xlxJJP5iVU
aADawhZc3LMIbJw1KF1DtbJD4HfHMcTYkQz2Ncsd697z3eQZk3H69JoaLBAl/oUE
VbTl3hq7kQzI5kNWxnrMFk4rkTd6k//qQBD80RqNZY5AnOpWPon/j4/HXDeTk2Fi
DjZaaSI0DSAK4Pch7kuTXcBbPTnNdw0+mRNVpuVZ9Ef++RAwwvN1djVQ0tjKjJCh
lweTsl4dczU=
=4QNN
-----END PGP SIGNATURE-----