Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2021.3255
OpenShift Container Platform 3.11.524 security and bug fix update
1 October 2021
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: OpenShift Container Platform
Publisher: Red Hat
Operating System: Red Hat
Impact/Access: Access Confidential Data -- Existing Account
Reduced Security -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2021-25741
Reference: ESB-2021.3246
ESB-2021.3228
Original Bulletin:
https://access.redhat.com/errata/RHSA-2021:3646
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Important: OpenShift Container Platform 3.11.524 security and bug fix update
Advisory ID: RHSA-2021:3646-01
Product: Red Hat OpenShift Enterprise
Advisory URL: https://access.redhat.com/errata/RHSA-2021:3646
Issue date: 2021-09-30
CVE Names: CVE-2021-25741
=====================================================================
1. Summary:
Red Hat OpenShift Container Platform release 3.11.524 is now available with
updates to packages and images that fix several bugs and add enhancements.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat OpenShift Container Platform 3.11 - noarch, ppc64le, x86_64
3. Description:
Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.
This advisory contains the RPM packages for Red Hat OpenShift Container
Platform. See the following advisory for the container images for
this release:
https://access.redhat.com/errata/RHBA-2021:3647
All OpenShift Container Platform 3.11 users are advised to upgrade to these
updated packages and images.
Security Fix(es):
* kubernetes: Symlink exchange can allow host filesystem access
(CVE-2021-25741)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
4. Solution:
See the following documentation, which will be updated shortly for release
3.11.524, for important instructions on how to upgrade your cluster and
fully
apply this asynchronous errata update:
https://docs.openshift.com/container-platform/3.11/release_notes/ocp_3_11_r
elease_notes.html
This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/articles/11258.
5. Bugs fixed (https://bugzilla.redhat.com/):
1993749 - CVE-2021-25741 kubernetes: Symlink exchange can allow host filesystem access
6. Package List:
Red Hat OpenShift Container Platform 3.11:
Source:
atomic-enterprise-service-catalog-3.11.524-1.git.2e6be86.el7.src.rpm
atomic-openshift-3.11.524-1.git.0.2dffce7.el7.src.rpm
atomic-openshift-cluster-autoscaler-3.11.524-1.git.99b2acf.el7.src.rpm
atomic-openshift-descheduler-3.11.524-1.git.d435537.el7.src.rpm
atomic-openshift-dockerregistry-3.11.524-1.git.3571208.el7.src.rpm
atomic-openshift-metrics-server-3.11.524-1.git.f8bf728.el7.src.rpm
atomic-openshift-node-problem-detector-3.11.524-1.git.c8f26da.el7.src.rpm
atomic-openshift-service-idler-3.11.524-1.git.39cfc66.el7.src.rpm
atomic-openshift-web-console-3.11.524-1.git.56ad978.el7.src.rpm
golang-github-openshift-oauth-proxy-3.11.524-1.git.edebe84.el7.src.rpm
golang-github-prometheus-alertmanager-3.11.524-1.git.13de638.el7.src.rpm
golang-github-prometheus-node_exporter-3.11.524-1.git.609cd20.el7.src.rpm
golang-github-prometheus-prometheus-3.11.524-1.git.99aae51.el7.src.rpm
openshift-ansible-3.11.524-1.git.0.150f8a9.el7.src.rpm
openshift-enterprise-autoheal-3.11.524-1.git.f2f435d.el7.src.rpm
openshift-enterprise-cluster-capacity-3.11.524-1.git.22be164.el7.src.rpm
openshift-kuryr-3.11.524-1.git.b234b49.el7.src.rpm
noarch:
atomic-openshift-docker-excluder-3.11.524-1.git.0.2dffce7.el7.noarch.rpm
atomic-openshift-excluder-3.11.524-1.git.0.2dffce7.el7.noarch.rpm
openshift-ansible-3.11.524-1.git.0.150f8a9.el7.noarch.rpm
openshift-ansible-docs-3.11.524-1.git.0.150f8a9.el7.noarch.rpm
openshift-ansible-playbooks-3.11.524-1.git.0.150f8a9.el7.noarch.rpm
openshift-ansible-roles-3.11.524-1.git.0.150f8a9.el7.noarch.rpm
openshift-ansible-test-3.11.524-1.git.0.150f8a9.el7.noarch.rpm
openshift-kuryr-cni-3.11.524-1.git.b234b49.el7.noarch.rpm
openshift-kuryr-common-3.11.524-1.git.b234b49.el7.noarch.rpm
openshift-kuryr-controller-3.11.524-1.git.b234b49.el7.noarch.rpm
python2-kuryr-kubernetes-3.11.524-1.git.b234b49.el7.noarch.rpm
ppc64le:
atomic-enterprise-service-catalog-3.11.524-1.git.2e6be86.el7.ppc64le.rpm
atomic-enterprise-service-catalog-svcat-3.11.524-1.git.2e6be86.el7.ppc64le.rpm
atomic-openshift-3.11.524-1.git.0.2dffce7.el7.ppc64le.rpm
atomic-openshift-clients-3.11.524-1.git.0.2dffce7.el7.ppc64le.rpm
atomic-openshift-cluster-autoscaler-3.11.524-1.git.99b2acf.el7.ppc64le.rpm
atomic-openshift-descheduler-3.11.524-1.git.d435537.el7.ppc64le.rpm
atomic-openshift-hyperkube-3.11.524-1.git.0.2dffce7.el7.ppc64le.rpm
atomic-openshift-hypershift-3.11.524-1.git.0.2dffce7.el7.ppc64le.rpm
atomic-openshift-master-3.11.524-1.git.0.2dffce7.el7.ppc64le.rpm
atomic-openshift-metrics-server-3.11.524-1.git.f8bf728.el7.ppc64le.rpm
atomic-openshift-node-3.11.524-1.git.0.2dffce7.el7.ppc64le.rpm
atomic-openshift-node-problem-detector-3.11.524-1.git.c8f26da.el7.ppc64le.rpm
atomic-openshift-pod-3.11.524-1.git.0.2dffce7.el7.ppc64le.rpm
atomic-openshift-sdn-ovs-3.11.524-1.git.0.2dffce7.el7.ppc64le.rpm
atomic-openshift-service-idler-3.11.524-1.git.39cfc66.el7.ppc64le.rpm
atomic-openshift-template-service-broker-3.11.524-1.git.0.2dffce7.el7.ppc64le.rpm
atomic-openshift-tests-3.11.524-1.git.0.2dffce7.el7.ppc64le.rpm
atomic-openshift-web-console-3.11.524-1.git.56ad978.el7.ppc64le.rpm
golang-github-openshift-oauth-proxy-3.11.524-1.git.edebe84.el7.ppc64le.rpm
openshift-enterprise-autoheal-3.11.524-1.git.f2f435d.el7.ppc64le.rpm
openshift-enterprise-cluster-capacity-3.11.524-1.git.22be164.el7.ppc64le.rpm
prometheus-3.11.524-1.git.99aae51.el7.ppc64le.rpm
prometheus-alertmanager-3.11.524-1.git.13de638.el7.ppc64le.rpm
prometheus-node-exporter-3.11.524-1.git.609cd20.el7.ppc64le.rpm
x86_64:
atomic-enterprise-service-catalog-3.11.524-1.git.2e6be86.el7.x86_64.rpm
atomic-enterprise-service-catalog-svcat-3.11.524-1.git.2e6be86.el7.x86_64.rpm
atomic-openshift-3.11.524-1.git.0.2dffce7.el7.x86_64.rpm
atomic-openshift-clients-3.11.524-1.git.0.2dffce7.el7.x86_64.rpm
atomic-openshift-clients-redistributable-3.11.524-1.git.0.2dffce7.el7.x86_64.rpm
atomic-openshift-cluster-autoscaler-3.11.524-1.git.99b2acf.el7.x86_64.rpm
atomic-openshift-descheduler-3.11.524-1.git.d435537.el7.x86_64.rpm
atomic-openshift-dockerregistry-3.11.524-1.git.3571208.el7.x86_64.rpm
atomic-openshift-hyperkube-3.11.524-1.git.0.2dffce7.el7.x86_64.rpm
atomic-openshift-hypershift-3.11.524-1.git.0.2dffce7.el7.x86_64.rpm
atomic-openshift-master-3.11.524-1.git.0.2dffce7.el7.x86_64.rpm
atomic-openshift-metrics-server-3.11.524-1.git.f8bf728.el7.x86_64.rpm
atomic-openshift-node-3.11.524-1.git.0.2dffce7.el7.x86_64.rpm
atomic-openshift-node-problem-detector-3.11.524-1.git.c8f26da.el7.x86_64.rpm
atomic-openshift-pod-3.11.524-1.git.0.2dffce7.el7.x86_64.rpm
atomic-openshift-sdn-ovs-3.11.524-1.git.0.2dffce7.el7.x86_64.rpm
atomic-openshift-service-idler-3.11.524-1.git.39cfc66.el7.x86_64.rpm
atomic-openshift-template-service-broker-3.11.524-1.git.0.2dffce7.el7.x86_64.rpm
atomic-openshift-tests-3.11.524-1.git.0.2dffce7.el7.x86_64.rpm
atomic-openshift-web-console-3.11.524-1.git.56ad978.el7.x86_64.rpm
golang-github-openshift-oauth-proxy-3.11.524-1.git.edebe84.el7.x86_64.rpm
openshift-enterprise-autoheal-3.11.524-1.git.f2f435d.el7.x86_64.rpm
openshift-enterprise-cluster-capacity-3.11.524-1.git.22be164.el7.x86_64.rpm
prometheus-3.11.524-1.git.99aae51.el7.x86_64.rpm
prometheus-alertmanager-3.11.524-1.git.13de638.el7.x86_64.rpm
prometheus-node-exporter-3.11.524-1.git.609cd20.el7.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2021-25741
https://access.redhat.com/security/updates/classification/#important
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2021 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBYVYQeNzjgjWX9erEAQhH5A//Sz4+htQsyGwcI9rNLj+p/nVa8j48oNQ/
ZG11CWdacjxfotv7ORuEty30NbmPH8YLE6Ffy4X5dxMbOt9Vbp6ZfKa1GyKh27xk
eQcGxLVx4V87n+JAwIwJalD77RPtEm8vqb48jXnHl7x46mLOOTaJdk6bK7ZA9eIH
cpD1osLiDVPyuCZHdk8iJAUajpYHUI+f3gi16ZHijPEqTJMILxAUZdtTQkgIMJhX
BWyfdiu7tMBZT6MmLOq2HLrPVuNHoY4ocdEEajD409fW6szMtJtKhmNfYbHGQnP3
HkLWHGdSXHbUJeGBQHc1zmOwslKnC2aYi5uyowO6UlXGv3k2hI+Ysq1qmtc1jcZ6
a707DBPoKrkfUEhafMPUFs4lJlb5DsgHINN2TAijNKYdCDKaz7+z1+CVtbVTyF4m
UD3LUlrzssWFZLDnTNLdKslfT1C8TsCSV8t62kCcFPy2SQClEfk03Y3oyDDgyTZw
K25zqMAdQD6InTnD5y3WDl80NXW5rzg3kJSCha7rStckqS82UOAdhkNsqOvceKQx
PmOAk//AU4HtCe9jxZbkzQDhKjrXf7UjicAu2JaZ8aBqORYFHuaEglkqnswVMmkU
FvjUWpzu2ApEkuzEu6K60pfCXimwwkiADIyVrYGZd5HL9C/iPzXdXTb7a3vt+hBs
NvjoSmP1L/A=
=k8kX
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYVZRz+NLKJtyKPYoAQi/1BAAgNUFTnFz4sVgeJbMzx28elxxvPj1uZE9
bFqhJDfYTh7xtAQVMzOkrVil0E73LQIJvO1S3YTuSDxqK6d54XjMy43piHxsEx4W
8tVrc8M5qDrlaijfdvt9pYqBKdwZCVhLjctvOps+WvUDaheFlmDkz6EgsUr4od6v
k/93ufBa3sM5QdBoE4MAPtK4TqqQgrF8vIpVR+lrExI5Mq4oXYTY8SeItFU2luQQ
PrEEJmNxwhRucDVwK09irC/eqQvtOsCJUbsUbsEeWTy/tJpb0bNexpP2UyUUUQch
IWXwtjrU5TBET7j3okjHtZFapgO/YPBJdlEeURqvsgS+oddTnmMVDlfwDEDH8Opi
3zyu0AeThqYj2o+ltsBdSvswpQeQHq1N9urgSW7aVRUHJmEJfv7f8ksE9kNn8CSa
mnlVAHewrkyJ2hVlNeMhaCyc3UwKRl75j7IvbWpWAoMFYajbXVN2jwcdq4qyBZVg
uhw5HQd51enEr02h/tWN6binEUzbgSD52dvxp5AEkkrlP6yUGkgm4UNa/ABy6Hcj
yqXaRcU9F+eVtqUt+n4c+/1r5oxFE8EW7UBDcB+8jhmJFEZgdwk9KPtFa7/c16Vb
/zenBiNn6Zr3Tq/S5E4tyg/0/Dhc2jFc9QHEFZi9qt67V2Ve9hniH/3Lf/edL0xD
BqRnE8T+BKY=
=rCDB
-----END PGP SIGNATURE-----