Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2021.2275
OpenShift Container Platform 4.6.36 security update
30 June 2021
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: OpenShift Container Platform 4.6.36
Publisher: Red Hat
Operating System: Red Hat
Impact/Access: Increased Privileges -- Existing Account
Denial of Service -- Remote/Unauthenticated
Reduced Security -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2020-27223 CVE-2020-27218 CVE-2020-27216
Reference: ASB-2021.0086
ASB-2021.0072
ESB-2021.1660
ESB-2020.4536
Original Bulletin:
https://access.redhat.com/errata/RHSA-2021:2499
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: OpenShift Container Platform 4.6.36 security update
Advisory ID: RHSA-2021:2499-01
Product: Red Hat OpenShift Enterprise
Advisory URL: https://access.redhat.com/errata/RHSA-2021:2499
Issue date: 2021-06-29
CVE Names: CVE-2020-27216 CVE-2020-27218 CVE-2020-27223
=====================================================================
1. Summary:
An update for cri-o, jenkins, openshift-clients, and openshift-kuryr is now
available for Red Hat OpenShift Container Platform 4.6.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat OpenShift Container Platform 4.6 - noarch, ppc64le, s390x, x86_64
3. Description:
Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.
This advisory contains the RPM packages for Red Hat OpenShift Container
Platform 4.6.36. See the following advisory for the container images for
this release:
https://access.redhat.com/errata/RHBA-2021:2498
Security Fix(es):
* jetty: local temporary directory hijacking vulnerability (CVE-2020-27216)
* jetty: buffer not correctly recycled in Gzip Request inflation
(CVE-2020-27218)
* jetty: request containing multiple Accept headers with a large number of
"quality" parameters may lead to DoS (CVE-2020-27223)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
4. Solution:
For OpenShift Container Platform 4.6 see the following documentation, which
will be updated shortly for this release, for important instructions on how
to upgrade your cluster and fully apply this asynchronous errata update:
https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-rel
ease-notes.html
Details on how to access this content are available at
https://docs.openshift.com/container-platform/4.6/updating/updating-cluster
- - -cli.html
5. Bugs fixed (https://bugzilla.redhat.com/):
1891132 - CVE-2020-27216 jetty: local temporary directory hijacking vulnerability
1902826 - CVE-2020-27218 jetty: buffer not correctly recycled in Gzip Request inflation
1934116 - CVE-2020-27223 jetty: request containing multiple Accept headers with a large number of "quality" parameters may lead to DoS
6. Package List:
Red Hat OpenShift Container Platform 4.6:
Source:
cri-o-1.19.2-6.rhaos4.6.git686e6d9.el7.src.rpm
openshift-clients-4.6.0-202106160917.p0.git.99556b6.el7.src.rpm
x86_64:
cri-o-1.19.2-6.rhaos4.6.git686e6d9.el7.x86_64.rpm
cri-o-debuginfo-1.19.2-6.rhaos4.6.git686e6d9.el7.x86_64.rpm
openshift-clients-4.6.0-202106160917.p0.git.99556b6.el7.x86_64.rpm
openshift-clients-redistributable-4.6.0-202106160917.p0.git.99556b6.el7.x86_64.rpm
Red Hat OpenShift Container Platform 4.6:
Source:
cri-o-1.19.2-6.rhaos4.6.git686e6d9.el8.src.rpm
jenkins-2.277.3.1623853726-1.el8.src.rpm
openshift-clients-4.6.0-202106160917.p0.git.99556b6.el8.src.rpm
openshift-kuryr-4.6.0-202106181055.p0.git.7feb5bd.el8.src.rpm
noarch:
jenkins-2.277.3.1623853726-1.el8.noarch.rpm
openshift-kuryr-cni-4.6.0-202106181055.p0.git.7feb5bd.el8.noarch.rpm
openshift-kuryr-common-4.6.0-202106181055.p0.git.7feb5bd.el8.noarch.rpm
openshift-kuryr-controller-4.6.0-202106181055.p0.git.7feb5bd.el8.noarch.rpm
python3-kuryr-kubernetes-4.6.0-202106181055.p0.git.7feb5bd.el8.noarch.rpm
ppc64le:
cri-o-1.19.2-6.rhaos4.6.git686e6d9.el8.ppc64le.rpm
cri-o-debuginfo-1.19.2-6.rhaos4.6.git686e6d9.el8.ppc64le.rpm
cri-o-debugsource-1.19.2-6.rhaos4.6.git686e6d9.el8.ppc64le.rpm
openshift-clients-4.6.0-202106160917.p0.git.99556b6.el8.ppc64le.rpm
s390x:
cri-o-1.19.2-6.rhaos4.6.git686e6d9.el8.s390x.rpm
cri-o-debuginfo-1.19.2-6.rhaos4.6.git686e6d9.el8.s390x.rpm
cri-o-debugsource-1.19.2-6.rhaos4.6.git686e6d9.el8.s390x.rpm
openshift-clients-4.6.0-202106160917.p0.git.99556b6.el8.s390x.rpm
x86_64:
cri-o-1.19.2-6.rhaos4.6.git686e6d9.el8.x86_64.rpm
cri-o-debuginfo-1.19.2-6.rhaos4.6.git686e6d9.el8.x86_64.rpm
cri-o-debugsource-1.19.2-6.rhaos4.6.git686e6d9.el8.x86_64.rpm
openshift-clients-4.6.0-202106160917.p0.git.99556b6.el8.x86_64.rpm
openshift-clients-redistributable-4.6.0-202106160917.p0.git.99556b6.el8.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2020-27216
https://access.redhat.com/security/cve/CVE-2020-27218
https://access.redhat.com/security/cve/CVE-2020-27223
https://access.redhat.com/security/updates/classification/#moderate
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2021 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBYNq7KtzjgjWX9erEAQhd5w//U++QogUQ3FDdUVem1ZpSBT7w4WE+0gqH
rAcT6n8cyqtpP1org15p1kxaq6SJ5IV9giM9oYeCKMITO53kSwd6rmn4impNDq24
PgEyCJnhobV/p2gW8t6Wr3HtK5gBitxW/jgFinR6w1E1u53UIglr5Da+4a4tRQf+
k00CwChsgSY0vjpAV7FmKBWrfQRBG4rR5bPSuLl0ZM6O3d4xliVUIxN21J32i3FO
IYATfuWwXn1w4WC8YcVYQ7Ts4V8RI8VcXH8wZxc001Pbtcx3++SNvjK/l+Yb+k//
thi1IG4AS2sWUpWmIXqV+sb88BxkozVfR/cWLxB7St/nrtP3XhuPDaBkGSTrtZcL
oAKKKrT6EEzqeEzubUSg2C7PeZs+WTuDP4hqBnEfCbNXWF1PMmMkPBI4bvbkX87n
/F/x9JzFBOToXDCjQ+s/BHlPu4kUfNbEiCLO1nIGkXdrPzWJnIG8p3NA8k/A8TYy
mQie9Gd47d14ZRwii7O+h44sYbcyXdPyBYcZwz3u4M7QtJoO/SUx7lzHSnJSSeFq
FTDNYRnWv5QBDoBl7sSsu1h29oOjGI/fl6tsjFzs6sSmhPzStO8arQUmbRfSEsUO
wpAqDYcKrrOuv9pEyonEd5F1t6RF4Bgo70gVhSy3hkmRN+ELxB1ONOmQZsROj6gU
e/6gdn9JrKM=
=JvSq
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYNv19ONLKJtyKPYoAQgYOw//faLBFhEOQtYViWSh+WUg2ihV6mlcpDDp
m0lxT2rlA+nete8kUYTrLPbdEVvocb7I+ATXnjCU4uE5eoYNw/A5Ink2PspIpTMG
awMFOihPZ79ZJJLeQwN9HKoCRGageXoMYTsGhTQ3oTShMkeaXzmDigLRnK2o3Dtl
U2i96CHHc95V/sb8cgfci35NKU48c0bSoPEzSOQm6hbWqS3AuPQh+2ROjDTMYHKA
Z7Mk6CloqiIYz0lALvogXY/d01gGDJmxN4lYqQooJ5v0IsfFadfTWYI68HAcKiFb
kLNjehRZNuVjYcW1V/nZn2uz7bXzw5V6yDYPUUnQGAXCSTgt4iVdO/vlTtIcv2yI
qbgK/JERHj0Io1/zB4qZptcTqFimCZScPI+t4fAgBTcThADAoEP76riFzQVGeJ24
p4OAJ6khKo6gdETxx8Ilc+oKr9Fev198Z4oW40JmGfMG5utwSiahXHnjpcOe55/1
ihHrRUhVFX+LkgjMvzE0Nzucdj2Te63T+dXa/EGiotkiyujL8WxQZVJvGXP4s6aM
X3QPFW1jjg3+uKxlng4FxEPndento8bByJxM6pYqzynMr0chqrplOZaLonY9Nl19
LqskXGiBcuh7CpcwS6d0nWU0FxU2UgTe4GKlIOQEEFK6+4poKNR3uWW2uWrMjTUF
TyTRTnPFqVc=
=n/vT
-----END PGP SIGNATURE-----