Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2021.1573 Openshift Logging Bug Fix Release (5.0.3) 7 May 2021 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Openshift Logging Publisher: Red Hat Operating System: Red Hat Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated Modify Arbitrary Files -- Remote with User Interaction Denial of Service -- Remote/Unauthenticated Access Confidential Data -- Remote/Unauthenticated Unauthorised Access -- Remote/Unauthenticated Reduced Security -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2021-20190 CVE-2021-2163 CVE-2020-36189 CVE-2020-36188 CVE-2020-36187 CVE-2020-36186 CVE-2020-36185 CVE-2020-36184 CVE-2020-36183 CVE-2020-36182 CVE-2020-36181 CVE-2020-36180 CVE-2020-36179 CVE-2020-35728 CVE-2020-35491 CVE-2020-35490 CVE-2020-24750 CVE-2020-16845 CVE-2020-15586 CVE-2019-14379 CVE-2018-19362 CVE-2018-19361 CVE-2018-19360 CVE-2018-14721 CVE-2018-14720 CVE-2018-14719 CVE-2018-14718 Reference: ASB-2019.0299 ESB-2021.1516 ESB-2021.1437 ESB-2021.1397 Original Bulletin: https://access.redhat.com/errata/RHSA-2021:1515 - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Important: Openshift Logging Bug Fix Release (5.0.3) Advisory ID: RHSA-2021:1515-01 Product: Red Hat OpenShift Enterprise Advisory URL: https://access.redhat.com/errata/RHSA-2021:1515 Issue date: 2021-05-06 CVE Names: CVE-2018-14718 CVE-2018-14719 CVE-2018-14720 CVE-2018-14721 CVE-2018-19360 CVE-2018-19361 CVE-2018-19362 CVE-2019-14379 CVE-2020-15586 CVE-2020-16845 CVE-2020-24750 CVE-2020-35490 CVE-2020-35491 CVE-2020-35728 CVE-2020-36179 CVE-2020-36180 CVE-2020-36181 CVE-2020-36182 CVE-2020-36183 CVE-2020-36184 CVE-2020-36185 CVE-2020-36186 CVE-2020-36187 CVE-2020-36188 CVE-2020-36189 CVE-2021-2163 CVE-2021-20190 ===================================================================== 1. Summary: Openshift Logging Bug Fix Release (5.0.3) This release includes a security update. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: Openshift Logging Bug Fix Release (5.0.3) Security Fix(es): * jackson-databind: arbitrary code execution in slf4j-ext class (CVE-2018-14718) * jackson-databind: arbitrary code execution in blaze-ds-opt and blaze-ds-core classes (CVE-2018-14719) * jackson-databind: improper polymorphic deserialization in axis2-transport-jms class (CVE-2018-19360) * jackson-databind: improper polymorphic deserialization in openjpa class (CVE-2018-19361) * jackson-databind: improper polymorphic deserialization in jboss-common-core class (CVE-2018-19362) * jackson-databind: default typing mishandling leading to remote code execution (CVE-2019-14379) * jackson-databind: Serialization gadgets in com.pastdev.httpcomponents.configuration.JndiConfiguration (CVE-2020-24750) * jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.PerUserPoolDataSource (CVE-2020-35490) * jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.SharedPoolDataSource (CVE-2020-35491) * jackson-databind: mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (CVE-2020-35728) * jackson-databind: mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS (CVE-2020-36179) * jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS (CVE-2020-36180) * jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS (CVE-2020-36181) * jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS (CVE-2020-36182) * jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool (CVE-2020-36183) * jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource (CVE-2020-36184) * jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource (CVE-2020-36185) * jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource (CVE-2020-36186) * jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource (CVE-2020-36187) * jackson-databind: mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource (CVE-2020-36188) * jackson-databind: mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSourc e (CVE-2020-36189) * jackson-databind: mishandles the interaction between serialization gadgets and typing, related to javax.swing (CVE-2021-20190) * jackson-databind: exfiltration/XXE in some JDK classes (CVE-2018-14720) * jackson-databind: server-side request forgery (SSRF) in axis2-jaxws class (CVE-2018-14721) * golang: data race in certain net/http servers including ReverseProxy can lead to DoS (CVE-2020-15586) * golang: ReadUvarint and ReadVarint can read an unlimited number of bytes from invalid inputs (CVE-2020-16845) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 3. Solution: For OpenShift Container Platform 4.7 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this errata update: https://docs.openshift.com/container-platform/4.7/release_notes/ocp-4-7-rel ease-notes.html For Red Hat OpenShift Logging 5.0, see the following instructions to apply this update: https://docs.openshift.com/container-platform/4.7/logging/cluster-logging-u pgrading.html 4. JIRA issues fixed (https://issues.jboss.org/): LOG-1224 - Release 5.0 - ClusterLogForwarder namespace-specific log forwarding does not work as expected LOG-1232 - 5.0 - Bug 1859004 - Sometimes the eventrouter couldn't gather event logs. LOG-1234 - CVE-2020-15586 CVE-2020-16845 openshift-eventrouter: various flaws [openshift-4] LOG-1299 - Release 5.0 Forwarding logs to Kafka using Chained certificates fails with error "state=error: certificate verify failed (unable to get local issuer certificate)" 5. References: https://access.redhat.com/security/cve/CVE-2018-14718 https://access.redhat.com/security/cve/CVE-2018-14719 https://access.redhat.com/security/cve/CVE-2018-14720 https://access.redhat.com/security/cve/CVE-2018-14721 https://access.redhat.com/security/cve/CVE-2018-19360 https://access.redhat.com/security/cve/CVE-2018-19361 https://access.redhat.com/security/cve/CVE-2018-19362 https://access.redhat.com/security/cve/CVE-2019-14379 https://access.redhat.com/security/cve/CVE-2020-15586 https://access.redhat.com/security/cve/CVE-2020-16845 https://access.redhat.com/security/cve/CVE-2020-24750 https://access.redhat.com/security/cve/CVE-2020-35490 https://access.redhat.com/security/cve/CVE-2020-35491 https://access.redhat.com/security/cve/CVE-2020-35728 https://access.redhat.com/security/cve/CVE-2020-36179 https://access.redhat.com/security/cve/CVE-2020-36180 https://access.redhat.com/security/cve/CVE-2020-36181 https://access.redhat.com/security/cve/CVE-2020-36182 https://access.redhat.com/security/cve/CVE-2020-36183 https://access.redhat.com/security/cve/CVE-2020-36184 https://access.redhat.com/security/cve/CVE-2020-36185 https://access.redhat.com/security/cve/CVE-2020-36186 https://access.redhat.com/security/cve/CVE-2020-36187 https://access.redhat.com/security/cve/CVE-2020-36188 https://access.redhat.com/security/cve/CVE-2020-36189 https://access.redhat.com/security/cve/CVE-2021-2163 https://access.redhat.com/security/cve/CVE-2021-20190 https://access.redhat.com/security/updates/classification/#important null 6. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2021 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYJPx/tzjgjWX9erEAQhU1w//duH+XRDFd5UPYZH3ss74av1gBaKVsoHv OFaJKj5hVJ3bmq4FHiNE6MEZt1NtTWE9v/NFaiS8GWzPy6ay5J4LHCNgAoJQ23IU EUBqfee/p7zsV6RkAOBXe6Y8OTGOGdtDZwE5RcpqPlc4ZUEloWcZaaW2u+MLkPZj Z7I/ubCqVtsiieKGD3CY3ODwWs5MvCO0F8CA2aqCmRFzy/rPau2ANvlLY1cUrWPc Rc9b7/w6ubtzB/BEAWJX+TCHPRcUuGSK1eaYU8vb8KfELnQ2ADKotM61gU43x/wN kxPcsjJEB34OZEMrdYFSQyCyQCLfMLl1zOWYZfXEosktZdPhaTXC2FhIsn69lUEK kjqKxsFfbvtiP1ua/AFU41XPlu+mI6TPYqo0PbVcrHV5u1wVDIj3FsjGjw3hzBcf HYO0DL3lj2VXx1jiFT70Q2pnLw/qtIGT7nf14mqWYLlTwXM1rsQHsfp5PbXOgN9z APLp9GXLw92UFMyqqitFuHJI5OIjqtFVMFYoCEI3h0X/mxRFbQPNAWJ1F2jv0FBA HlxKuPwuCkd2jLpUqu6avTjHegacQSS3jDfnbmpLCurptbNj7sYslsbjLfJyZUH6 1pMaj/XjZW5LhN2xOI0HR19gjyQVRqq1k7mJo2x9Y9yJ9zC6sA24wyLMxPSIB6fj WRIWZmIwf4s= =fcX6 - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBYJSLjuNLKJtyKPYoAQjVRA//WNaz388a7lHR3JpPmANcymCTmsuQ8DF3 ti7KYRf/px37QTvlszFroswFSM/QfTY+y3A96CT+A7m4AWQ4EdvVNIB5rNU8JsEx DWdmHTAquSSGtQKI9rnGf7ZU9UzqIxyykzQOTCt5cYgAh1I3SnBZDCUr9XEcmply AWGYeIOomvLCJky0ks4XGTJTOBQ/eo5ojRpfaj4Em2gEnOUoMr6DsVvtjj8txCq2 fFHOO1L2m4/P+FWMS2ZWDH7TLlNZ1uz6QEE4Wf83ESMmOvFebKIZmIqPmfwq4ylg QWrNd3WlJUcF6fSloj0Z7sq3i6XgXEpggLc6v0RIjbcg1v5xLvWTDfYgxHubFv5x RJAEtiFegs7Ixdu4YkeGxFLgT+BhKq9RwqQO0gvxL++jFY35tH+DOerb99sr2uIC TVFqxh6BQJ/K9ynJlw2XGzzNOJPiAnWtUfqJ4kDHgDkcNg/bF5LPv9dY+oLIPBaN AHpL1w+hc+x8N7HumC+BuVEML2zFJFBvT2lQPBWd5USXuNqgLkxU1bg39WWJAUsL 9us4Z5XwAeyeEa5G9V8MA4Rx7yN4f5ulKbFh5MLvjyhlq+TvUtMATJL7eslb6PYK h0abtK8RnWGFlAfECZoOoDF0VD/Ds2LHY7Qc113mWg1EEjIqrMgqe71AMkq6fTY7 ztWfWkzrkFs= =W8qT -----END PGP SIGNATURE-----