Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2021.3141 Release of OpenShift Serverless 1.17.0 17 September 2021 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Openshift Serverless Publisher: Red Hat Operating System: Red Hat Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated Denial of Service -- Remote/Unauthenticated Provide Misleading Information -- Remote/Unauthenticated Access Confidential Data -- Remote/Unauthenticated Reduced Security -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2021-34558 CVE-2021-33198 CVE-2021-33197 CVE-2021-33196 CVE-2021-33195 CVE-2021-31525 CVE-2021-27918 CVE-2021-27218 CVE-2021-20305 CVE-2021-20271 CVE-2021-3703 CVE-2021-3541 CVE-2021-3537 CVE-2021-3520 CVE-2021-3518 CVE-2021-3517 CVE-2021-3516 CVE-2021-3450 CVE-2021-3449 CVE-2021-3421 CVE-2021-3326 CVE-2020-29363 CVE-2020-29362 CVE-2020-29361 CVE-2020-28196 CVE-2020-27618 CVE-2020-15358 CVE-2020-13434 CVE-2020-8927 CVE-2020-8286 CVE-2020-8285 CVE-2020-8284 CVE-2020-8231 CVE-2019-25013 CVE-2019-9169 CVE-2019-2708 CVE-2017-14502 CVE-2016-10228 Reference: ASB-2021.0152 ASB-2021.0150 Original Bulletin: https://access.redhat.com/errata/RHSA-2021:3555 https://access.redhat.com/errata/RHSA-2021:3556 Comment: This bulletin contains two (2) Red Hat security advisories. - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: Release of OpenShift Serverless 1.17.0 Advisory ID: RHSA-2021:3556-01 Product: Red Hat OpenShift Serverless Advisory URL: https://access.redhat.com/errata/RHSA-2021:3556 Issue date: 2021-09-16 CVE Names: CVE-2016-10228 CVE-2017-14502 CVE-2019-2708 CVE-2019-9169 CVE-2019-25013 CVE-2020-8231 CVE-2020-8284 CVE-2020-8285 CVE-2020-8286 CVE-2020-8927 CVE-2020-13434 CVE-2020-15358 CVE-2020-27618 CVE-2020-28196 CVE-2020-29361 CVE-2020-29362 CVE-2020-29363 CVE-2021-3326 CVE-2021-3421 CVE-2021-3449 CVE-2021-3450 CVE-2021-3516 CVE-2021-3517 CVE-2021-3518 CVE-2021-3520 CVE-2021-3537 CVE-2021-3541 CVE-2021-3703 CVE-2021-20271 CVE-2021-20305 CVE-2021-27218 CVE-2021-27918 CVE-2021-31525 CVE-2021-33195 CVE-2021-33196 CVE-2021-33197 CVE-2021-33198 CVE-2021-34558 ===================================================================== 1. Summary: Release of OpenShift Serverless 1.17.0 Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: Red Hat OpenShift Serverless 1.17.0 release of the OpenShift Serverless Operator. This version of the OpenShift Serverless Operator is supported on Red Hat OpenShift Container Platform versions 4.6, 4.7 and 4.8, and includes security and bug fixes and enhancements. For more information, see the documentation listed in the References section. Security Fix(es): * golang: crypto/tls: certificate of wrong type is causing TLS client to panic (CVE-2021-34558) * golang: net: lookup functions may return invalid host names (CVE-2021-33195) * golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty (CVE-2021-33197) * golang: match/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents (CVE-2021-33198) * golang: encoding/xml: infinite loop when using xml.NewTokenDecoder with a custom TokenReader (CVE-2021-27918) * golang: net/http: panic in ReadRequest and ReadResponse when reading a very large header (CVE-2021-31525) * golang: archive/zip: malformed archive may cause panic or memory exhaustion (CVE-2021-33196) It was found that the CVE-2021-27918, CVE-2021-31525 and CVE-2021-33196 have been incorrectly mentioned as fixed in RHSA for Serverless client kn 1.16.0. This has been fixed (CVE-2021-3703). For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 3. Solution: See the Red Hat OpenShift Container Platform 4.6 documentation at: https://access.redhat.com/documentation/en-us/openshift_container_platform/ 4.6/html/serverless/index See the Red Hat OpenShift Container Platform 4.7 documentation at: https://access.redhat.com/documentation/en-us/openshift_container_platform/ 4.7/html/serverless/index See the Red Hat OpenShift Container Platform 4.8 documentation at: https://access.redhat.com/documentation/en-us/openshift_container_platform/ 4.8/html/serverless/index 4. Bugs fixed (https://bugzilla.redhat.com/): 1983596 - CVE-2021-34558 golang: crypto/tls: certificate of wrong type is causing TLS client to panic 1983651 - Release of OpenShift Serverless Serving 1.17.0 1983654 - Release of OpenShift Serverless Eventing 1.17.0 1989564 - CVE-2021-33195 golang: net: lookup functions may return invalid host names 1989570 - CVE-2021-33197 golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty 1989575 - CVE-2021-33198 golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents 1992955 - CVE-2021-3703 serverless: incomplete fix for CVE-2021-27918 / CVE-2021-31525 / CVE-2021-33196 5. References: https://access.redhat.com/security/cve/CVE-2016-10228 https://access.redhat.com/security/cve/CVE-2017-14502 https://access.redhat.com/security/cve/CVE-2019-2708 https://access.redhat.com/security/cve/CVE-2019-9169 https://access.redhat.com/security/cve/CVE-2019-25013 https://access.redhat.com/security/cve/CVE-2020-8231 https://access.redhat.com/security/cve/CVE-2020-8284 https://access.redhat.com/security/cve/CVE-2020-8285 https://access.redhat.com/security/cve/CVE-2020-8286 https://access.redhat.com/security/cve/CVE-2020-8927 https://access.redhat.com/security/cve/CVE-2020-13434 https://access.redhat.com/security/cve/CVE-2020-15358 https://access.redhat.com/security/cve/CVE-2020-27618 https://access.redhat.com/security/cve/CVE-2020-28196 https://access.redhat.com/security/cve/CVE-2020-29361 https://access.redhat.com/security/cve/CVE-2020-29362 https://access.redhat.com/security/cve/CVE-2020-29363 https://access.redhat.com/security/cve/CVE-2021-3326 https://access.redhat.com/security/cve/CVE-2021-3421 https://access.redhat.com/security/cve/CVE-2021-3449 https://access.redhat.com/security/cve/CVE-2021-3450 https://access.redhat.com/security/cve/CVE-2021-3516 https://access.redhat.com/security/cve/CVE-2021-3517 https://access.redhat.com/security/cve/CVE-2021-3518 https://access.redhat.com/security/cve/CVE-2021-3520 https://access.redhat.com/security/cve/CVE-2021-3537 https://access.redhat.com/security/cve/CVE-2021-3541 https://access.redhat.com/security/cve/CVE-2021-3703 https://access.redhat.com/security/cve/CVE-2021-20271 https://access.redhat.com/security/cve/CVE-2021-20305 https://access.redhat.com/security/cve/CVE-2021-27218 https://access.redhat.com/security/cve/CVE-2021-27918 https://access.redhat.com/security/cve/CVE-2021-31525 https://access.redhat.com/security/cve/CVE-2021-33195 https://access.redhat.com/security/cve/CVE-2021-33196 https://access.redhat.com/security/cve/CVE-2021-33197 https://access.redhat.com/security/cve/CVE-2021-33198 https://access.redhat.com/security/cve/CVE-2021-34558 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/documentation/en-us/openshift_container_platform/4.6/html/serverless/index https://access.redhat.com/documentation/en-us/openshift_container_platform/4.7/html/serverless/index https://access.redhat.com/documentation/en-us/openshift_container_platform/4.8/html/serverless/index 6. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2021 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYUOQNtzjgjWX9erEAQgfrA//WVhFv3NmzNhqlaxh6WdgsRxc1GFoOHis BNHlHLCZcozHybe2Pfj1QWEZy3W933Dqt1oWcCQ79AIQ7xITAv4Y68uGq4nUJIlk aF9NFkS12xnJSSAGLeeJQC+dJ57r1sTixA2C4fkGQmSveTgNuLqHEdM2/0vDI2+U Zu5Hx9OWaodPhqko8jlapfP5TWMviWg4mztKiM2Io01VsQrKIMUoWE2pAN5TZlrB Fo3HNghEJwibQL7nWqekz9Lx0Rud9jl/mOEUy0TQFmW+IOX4hxa0alQtLxVAdFf0 L8Yc9xQxGUV7wjlnWKyPCaoCRHZ4sRVxW1Ybdbc2IbAZG0iy8a024EBtpKgZpBbl xpEItn7P6+a3cQWybAP4qcqgIB6e3VseQoqDgnwVHUFx62/A9MxqOUw/3g5IQVRv sTLXMMCDb6vsMhostUaF5R2tuWGscezqcU6PTkoHYof0W28HGIhA1LrCCrRlrqcm SC36nHginXnhpANi45zkRgJYhz764fzTcR2q73nAHh9353SuDdoEGZKxrjAc6s09 Rz6qoFsCK22arV8Nv5qTNHUvYH8v7/GYG6PWeaju+C7XoB7F3vrRlYkCDbkowlJS WfgovLxNTNqYB2JP6V2mPDSW2gSBqdohcYMDVmZ9zJSNbkcF5yRBLrKt2TmvrvmJ 2SHG1JoPDMg= =a+6D - -----END PGP SIGNATURE----- - -------------------------------------------------------------------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: Release of OpenShift Serverless Client kn 1.17.0 Advisory ID: RHSA-2021:3555-01 Product: Red Hat OpenShift Serverless Advisory URL: https://access.redhat.com/errata/RHSA-2021:3555 Issue date: 2021-09-16 CVE Names: CVE-2021-3703 CVE-2021-27918 CVE-2021-31525 CVE-2021-33195 CVE-2021-33196 CVE-2021-33197 CVE-2021-33198 CVE-2021-34558 ===================================================================== 1. Summary: Release of OpenShift Serverless Client kn 1.17.0 Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Openshift Serverless 1 on RHEL 8Base - ppc64le, s390x, x86_64 3. Description: Red Hat OpenShift Serverless Client kn 1.17.0 provides a CLI to interact with Red Hat OpenShift Serverless 1.17.0. The kn CLI is delivered as an RPM package for installation on RHEL platforms, and as binaries for non-Linux platforms. Security Fix(es): * serverless: incomplete fix for CVE-2021-27918 / CVE-2021-31525 / CVE-2021-33196 (CVE-2021-3703) * golang: crypto/tls: certificate of wrong type is causing TLS client to panic (CVE-2021-34558) * golang: net: lookup functions may return invalid host names (CVE-2021-33195) * golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty (CVE-2021-33197) * golang: match/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents (CVE-2021-33198) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: See the Red Hat OpenShift Container Platform 4.6 documentation at: https://access.redhat.com/documentation/en-us/openshift_container_platform/ 4.6/html/serverless/index See the Red Hat OpenShift Container Platform 4.7 documentation at: https://access.redhat.com/documentation/en-us/openshift_container_platform/ 4.7/html/serverless/index See the Red Hat OpenShift Container Platform 4.8 documentation at: https://access.redhat.com/documentation/en-us/openshift_container_platform/ 4.8/html/serverless/index 5. Bugs fixed (https://bugzilla.redhat.com/): 1983596 - CVE-2021-34558 golang: crypto/tls: certificate of wrong type is causing TLS client to panic 1983656 - Release of Openshift Serverless Client 1.17.0 1989564 - CVE-2021-33195 golang: net: lookup functions may return invalid host names 1989570 - CVE-2021-33197 golang: net/http/httputil: ReverseProxy forwards connection headers if first one is empty 1989575 - CVE-2021-33198 golang: math/big.Rat: may cause a panic or an unrecoverable fatal error if passed inputs with very large exponents 1992955 - CVE-2021-3703 serverless: incomplete fix for CVE-2021-27918 / CVE-2021-31525 / CVE-2021-33196 6. Package List: Openshift Serverless 1 on RHEL 8Base: Source: openshift-serverless-clients-0.23.2-1.el8.src.rpm ppc64le: openshift-serverless-clients-0.23.2-1.el8.ppc64le.rpm s390x: openshift-serverless-clients-0.23.2-1.el8.s390x.rpm x86_64: openshift-serverless-clients-0.23.2-1.el8.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2021-3703 https://access.redhat.com/security/cve/CVE-2021-27918 https://access.redhat.com/security/cve/CVE-2021-31525 https://access.redhat.com/security/cve/CVE-2021-33195 https://access.redhat.com/security/cve/CVE-2021-33196 https://access.redhat.com/security/cve/CVE-2021-33197 https://access.redhat.com/security/cve/CVE-2021-33198 https://access.redhat.com/security/cve/CVE-2021-34558 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/documentation/en-us/openshift_container_platform/4.6/html/serverless/index https://access.redhat.com/documentation/en-us/openshift_container_platform/4.7/html/serverless/index https://access.redhat.com/documentation/en-us/openshift_container_platform/4.8/html/serverless/index 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2021 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYUNhGtzjgjWX9erEAQhUcxAAmN7vKLTl/t0hC3WDurdOtNxI7kxj5Kcb 4+SuPvri0UBBT1jo5qxY2muIGZusE5bS4expgWZ17sBbSbCtX+DA+Z28OHICUhnP F29FchYX7D59+03DX0KS09NFMXOzPaNOPu3WEleHH6q5bgsGof7FM2CnpguWcKcx 5TwtH18Qxx4F0+TgLjNHnlPOum9wUkPKhPLYhispGOcrqzCLT/PV0n2k2db1aGSz MLfVlZWUrKt6oyVJC2XWR97CYsafyVIpRx7cAHVFmd8pvVBGsDY35L2x9MHmv7rL btMuVtFz/9H2+uS10vPov+6qEwYWqtsm0hDjXvix6imn58iegDZhtajk2Vxg//Nx NDL2qlnKaZVpPF52kubm6pOnGso8g9Dh8dN2imh6FfViuIihL9STHMNKDMEeUIG5 IXHdMs7DvmxFnKwySXTpWvufZvCwgYOUO0SLksUt08OiiHCCSVX580rMmP0wWr8r bSrwhaSoCMF10wXjQEUkWpc7a3LhwtK3XjEAbJAPVhaX5kIBU0Do2e9djAPQ2zNs ELHzOYtF2pVzTGspyoaw4ZtCebes3lr0hXJfjt6sHfBa0tqRyFPq9jSeN9uwirNS HC5GrNqJfzOjTHXvKkMo5eSL+CrewmoHSoCxSPmR39C9hfNlf1HXr6gL1VshLABJ yaUX2YIfMBs= =ZojB - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBYUP6HeNLKJtyKPYoAQg5tw/9H3uPSLldHyYfuywSwPlpvOPOF7C2Ei+z ZGppzb7fBWyKv0oB41PjIUFd26Ph+ANJKPbNfffbe17siT5rht4dsVVK9/f+Hqui Fovma68q8nnfysL3U62mwmw9dVKxbUA4g0MZxMWN9HC/SSMRK1hx2Qya0qBzp5k4 tgeiGsDuFpJRudWp3SdR5VxgxIacUaLiYUcsIi/FxhBjXePUzc1tW+00KZTbEU4r +iwgM1AffGciCloeDNh5BXDx+/cEOJf7aWOuTdVdZ7wcLXKXDy+xVapADa+NbPgL A1kOlGf4DyvsQziinciIdQ8BokxQHP5EJM+QAHgWVeU0C3U2bgYUdBVw/aA8sZf7 ab3T2zHyONSweol5WRukHj7lQcMHeC37o9nZ1eLPDk3afM05dTLN4xC0/PB5c97c XMBXfCXt99KL0jSlQesSMjYo+lsDK7AFlzQ6m1AMtMVcUICylNui39UlNZsOGnLP E/iYPjRW/lVL4/kk4tagvY/BlD/LFVxwP0xhCoh3H7w3jROPc4beaBRiHp/CRlN+ EdIrySGy/HlVlAHl6ckg3kipxzGihaneUFiQ9n0DJkcUYcSouNoL8IcxV5EwRImK TgR6DDl30laib8xueVjjx9YgP7hHN/OGN7TaasE70t5AcpDRFtahF596BbXwAszK VKdYuULdsYk= =ePH1 -----END PGP SIGNATURE-----