Red Hat 9040 Published by

An OpenShift Container Platform 4.6.1 image security update has been released.



RHSA-2020:4298-01: Moderate: OpenShift Container Platform 4.6.1 image security update



=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: OpenShift Container Platform 4.6.1 image security update
Advisory ID: RHSA-2020:4298-01
Product: Red Hat OpenShift Enterprise
Advisory URL:   https://access.redhat.com/errata/RHSA-2020:4298
Issue date: 2020-10-27
CVE Names: CVE-2013-0169 CVE-2016-10739 CVE-2018-9251
CVE-2018-14404 CVE-2018-14498 CVE-2018-16890
CVE-2018-18074 CVE-2018-18624 CVE-2018-18751
CVE-2018-19519 CVE-2018-20060 CVE-2018-20337
CVE-2018-20483 CVE-2018-20657 CVE-2018-20852
CVE-2019-1547 CVE-2019-1549 CVE-2019-1563
CVE-2019-3822 CVE-2019-3823 CVE-2019-3825
CVE-2019-3843 CVE-2019-3844 CVE-2019-5094
CVE-2019-5436 CVE-2019-5481 CVE-2019-5482
CVE-2019-5953 CVE-2019-6237 CVE-2019-6251
CVE-2019-6454 CVE-2019-6706 CVE-2019-7146
CVE-2019-7149 CVE-2019-7150 CVE-2019-7664
CVE-2019-7665 CVE-2019-8457 CVE-2019-8506
CVE-2019-8518 CVE-2019-8523 CVE-2019-8524
CVE-2019-8535 CVE-2019-8536 CVE-2019-8544
CVE-2019-8558 CVE-2019-8559 CVE-2019-8563
CVE-2019-8571 CVE-2019-8583 CVE-2019-8584
CVE-2019-8586 CVE-2019-8587 CVE-2019-8594
CVE-2019-8595 CVE-2019-8596 CVE-2019-8597
CVE-2019-8601 CVE-2019-8607 CVE-2019-8608
CVE-2019-8609 CVE-2019-8610 CVE-2019-8611
CVE-2019-8615 CVE-2019-8619 CVE-2019-8622
CVE-2019-8623 CVE-2019-8666 CVE-2019-8671
CVE-2019-8672 CVE-2019-8673 CVE-2019-8675
CVE-2019-8676 CVE-2019-8677 CVE-2019-8679
CVE-2019-8681 CVE-2019-8686 CVE-2019-8687
CVE-2019-8689 CVE-2019-8690 CVE-2019-8696
CVE-2019-8726 CVE-2019-8735 CVE-2019-8768
CVE-2019-11070 CVE-2019-11236 CVE-2019-11324
CVE-2019-11358 CVE-2019-11459 CVE-2019-12447
CVE-2019-12448 CVE-2019-12449 CVE-2019-12450
CVE-2019-12795 CVE-2019-13232 CVE-2019-13636
CVE-2019-13752 CVE-2019-13753 CVE-2019-14822
CVE-2019-14973 CVE-2019-15718 CVE-2019-15847
CVE-2019-16056 CVE-2019-16769 CVE-2019-17451
CVE-2019-18408 CVE-2019-19126 CVE-2019-19923
CVE-2019-19924 CVE-2019-19925 CVE-2019-19959
CVE-2019-1010180 CVE-2019-1010204 CVE-2020-1712
CVE-2020-7013 CVE-2020-7598 CVE-2020-7662
CVE-2020-8203 CVE-2020-9283 CVE-2020-10531
CVE-2020-10715 CVE-2020-10743 CVE-2020-11008
CVE-2020-11022 CVE-2020-11023 CVE-2020-11110
CVE-2020-12049 CVE-2020-12052 CVE-2020-12245
CVE-2020-13822 CVE-2020-14040 CVE-2020-14336
CVE-2020-15366 CVE-2020-15719
=====================================================================

1. Summary:

An update is now available for Red Hat OpenShift Container Platform 4.6.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.

Security Fix(es):

* golang.org/x/crypto: Processing of crafted ssh-ed25519 public keys allows
for panic (CVE-2020-9283)

* SSL/TLS: CBC padding timing attack (lucky-13) (CVE-2013-0169)

* grafana: XSS vulnerability via a column style on the "Dashboard > Table
Panel" screen (CVE-2018-18624)

* js-jquery: prototype pollution in object's prototype leading to denial of
service or remote code execution or property injection (CVE-2019-11358)

* npm-serialize-javascript: XSS via unsafe characters in serialized regular
expressions (CVE-2019-16769)

* kibana: Prototype pollution in TSVB could result in arbitrary code
execution (ESA-2020-06) (CVE-2020-7013)

* nodejs-minimist: prototype pollution allows adding or modifying
properties of Object.prototype using a constructor or __proto__ payload
(CVE-2020-7598)

* npmjs-websocket-extensions: ReDoS vulnerability in
Sec-WebSocket-Extensions parser (CVE-2020-7662)

* nodejs-lodash: prototype pollution in zipObjectDeep function
(CVE-2020-8203)

* jquery: Cross-site scripting due to improper injQuery.htmlPrefilter
method (CVE-2020-11022)

* jQuery: passing HTML containing elements to manipulation methods
could result in untrusted code execution (CVE-2020-11023)

* grafana: stored XSS (CVE-2020-11110)

* grafana: XSS annotation popup vulnerability (CVE-2020-12052)

* grafana: XSS via column.title or cellLinkTooltip (CVE-2020-12245)

* nodejs-elliptic: improper encoding checks allows a certain degree of
signature malleability in ECDSA signatures (CVE-2020-13822)

* golang.org/x/text: possibility to trigger an infinite loop in
encoding/unicode could lead to crash (CVE-2020-14040)

* nodejs-ajv: prototype pollution via crafted JSON schema in ajv.validate
function (CVE-2020-15366)

* openshift/console: text injection on error page via crafted url
(CVE-2020-10715)

* kibana: X-Frame-Option not set by default might lead to clickjacking
(CVE-2020-10743)

* openshift: restricted SCC allows pods to craft custom network packets
(CVE-2020-14336)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

For OpenShift Container Platform 4.6 see the following documentation, which
will be updated shortly for this release, for important instructions on how
to upgrade your cluster and fully apply this asynchronous errata update:

  https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-rel
ease-notes.html

Details on how to access this content are available at
  https://docs.openshift.com/container-platform/4.6/updating/updating-cluster
- -cli.html.

4. Bugs fixed (  https://bugzilla.redhat.com/):

907589 - CVE-2013-0169 SSL/TLS: CBC padding timing attack (lucky-13)
1701972 - CVE-2019-11358 jquery: Prototype pollution in object's prototype leading to denial of service, remote code execution, or property injection
1767665 - CVE-2020-10715 openshift/console: text injection on error page via crafted url
1804533 - CVE-2020-9283 golang.org/x/crypto: Processing of crafted ssh-ed25519 public keys allows for panic
1813344 - CVE-2020-7598 nodejs-minimist: prototype pollution allows adding or modifying properties of Object.prototype using a constructor or __proto__ payload
1828406 - CVE-2020-11022 jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method
1834550 - CVE-2020-10743 kibana: X-Frame-Option not set by default might lead to clickjacking
1845982 - CVE-2020-7662 npmjs-websocket-extensions: ReDoS vulnerability in Sec-WebSocket-Extensions parser
1848089 - CVE-2020-12052 grafana: XSS annotation popup vulnerability
1848092 - CVE-2019-16769 npm-serialize-javascript: XSS via unsafe characters in serialized regular expressions
1848643 - CVE-2020-12245 grafana: XSS via column.title or cellLinkTooltip
1848647 - CVE-2020-13822 nodejs-elliptic: improper encoding checks allows a certain degree of signature malleability in ECDSA signatures
1849044 - CVE-2020-7013 kibana: Prototype pollution in TSVB could result in arbitrary code execution (ESA-2020-06)
1850004 - CVE-2020-11023 jquery: Passing HTML containing elements to manipulation methods could result in untrusted code execution
1850572 - CVE-2018-18624 grafana: XSS vulnerability via a column style on the "Dashboard > Table Panel" screen
1853652 - CVE-2020-14040 golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash
1857412 - CVE-2020-8203 nodejs-lodash: prototype pollution in zipObjectDeep function
1857977 - CVE-2020-15366 nodejs-ajv: prototype pollution via crafted JSON schema in ajv.validate function
1858981 - CVE-2020-14336 openshift: restricted SCC allows pods to craft custom network packets
1861044 - CVE-2020-11110 grafana: stored XSS
1874671 - CVE-2020-14336 ose-machine-config-operator-container: openshift: restricted SCC allows pods to craft custom network packets [openshift-4]

5. References:

  https://access.redhat.com/security/cve/CVE-2013-0169
  https://access.redhat.com/security/cve/CVE-2016-10739
  https://access.redhat.com/security/cve/CVE-2018-9251
  https://access.redhat.com/security/cve/CVE-2018-14404
  https://access.redhat.com/security/cve/CVE-2018-14498
  https://access.redhat.com/security/cve/CVE-2018-16890
  https://access.redhat.com/security/cve/CVE-2018-18074
  https://access.redhat.com/security/cve/CVE-2018-18624
  https://access.redhat.com/security/cve/CVE-2018-18751
  https://access.redhat.com/security/cve/CVE-2018-19519
  https://access.redhat.com/security/cve/CVE-2018-20060
  https://access.redhat.com/security/cve/CVE-2018-20337
  https://access.redhat.com/security/cve/CVE-2018-20483
  https://access.redhat.com/security/cve/CVE-2018-20657
  https://access.redhat.com/security/cve/CVE-2018-20852
  https://access.redhat.com/security/cve/CVE-2019-1547
  https://access.redhat.com/security/cve/CVE-2019-1549
  https://access.redhat.com/security/cve/CVE-2019-1563
  https://access.redhat.com/security/cve/CVE-2019-3822
  https://access.redhat.com/security/cve/CVE-2019-3823
  https://access.redhat.com/security/cve/CVE-2019-3825
  https://access.redhat.com/security/cve/CVE-2019-3843
  https://access.redhat.com/security/cve/CVE-2019-3844
  https://access.redhat.com/security/cve/CVE-2019-5094
  https://access.redhat.com/security/cve/CVE-2019-5436
  https://access.redhat.com/security/cve/CVE-2019-5481
  https://access.redhat.com/security/cve/CVE-2019-5482
  https://access.redhat.com/security/cve/CVE-2019-5953
  https://access.redhat.com/security/cve/CVE-2019-6237
  https://access.redhat.com/security/cve/CVE-2019-6251
  https://access.redhat.com/security/cve/CVE-2019-6454
  https://access.redhat.com/security/cve/CVE-2019-6706
  https://access.redhat.com/security/cve/CVE-2019-7146
  https://access.redhat.com/security/cve/CVE-2019-7149
  https://access.redhat.com/security/cve/CVE-2019-7150
  https://access.redhat.com/security/cve/CVE-2019-7664
  https://access.redhat.com/security/cve/CVE-2019-7665
  https://access.redhat.com/security/cve/CVE-2019-8457
  https://access.redhat.com/security/cve/CVE-2019-8506
  https://access.redhat.com/security/cve/CVE-2019-8518
  https://access.redhat.com/security/cve/CVE-2019-8523
  https://access.redhat.com/security/cve/CVE-2019-8524
  https://access.redhat.com/security/cve/CVE-2019-8535
  https://access.redhat.com/security/cve/CVE-2019-8536
  https://access.redhat.com/security/cve/CVE-2019-8544
  https://access.redhat.com/security/cve/CVE-2019-8558
  https://access.redhat.com/security/cve/CVE-2019-8559
  https://access.redhat.com/security/cve/CVE-2019-8563
  https://access.redhat.com/security/cve/CVE-2019-8571
  https://access.redhat.com/security/cve/CVE-2019-8583
  https://access.redhat.com/security/cve/CVE-2019-8584
  https://access.redhat.com/security/cve/CVE-2019-8586
  https://access.redhat.com/security/cve/CVE-2019-8587
  https://access.redhat.com/security/cve/CVE-2019-8594
  https://access.redhat.com/security/cve/CVE-2019-8595
  https://access.redhat.com/security/cve/CVE-2019-8596
  https://access.redhat.com/security/cve/CVE-2019-8597
  https://access.redhat.com/security/cve/CVE-2019-8601
  https://access.redhat.com/security/cve/CVE-2019-8607
  https://access.redhat.com/security/cve/CVE-2019-8608
  https://access.redhat.com/security/cve/CVE-2019-8609
  https://access.redhat.com/security/cve/CVE-2019-8610
  https://access.redhat.com/security/cve/CVE-2019-8611
  https://access.redhat.com/security/cve/CVE-2019-8615
  https://access.redhat.com/security/cve/CVE-2019-8619
  https://access.redhat.com/security/cve/CVE-2019-8622
  https://access.redhat.com/security/cve/CVE-2019-8623
  https://access.redhat.com/security/cve/CVE-2019-8666
  https://access.redhat.com/security/cve/CVE-2019-8671
  https://access.redhat.com/security/cve/CVE-2019-8672
  https://access.redhat.com/security/cve/CVE-2019-8673
  https://access.redhat.com/security/cve/CVE-2019-8675
  https://access.redhat.com/security/cve/CVE-2019-8676
  https://access.redhat.com/security/cve/CVE-2019-8677
  https://access.redhat.com/security/cve/CVE-2019-8679
  https://access.redhat.com/security/cve/CVE-2019-8681
  https://access.redhat.com/security/cve/CVE-2019-8686
  https://access.redhat.com/security/cve/CVE-2019-8687
  https://access.redhat.com/security/cve/CVE-2019-8689
  https://access.redhat.com/security/cve/CVE-2019-8690
  https://access.redhat.com/security/cve/CVE-2019-8696
  https://access.redhat.com/security/cve/CVE-2019-8726
  https://access.redhat.com/security/cve/CVE-2019-8735
  https://access.redhat.com/security/cve/CVE-2019-8768
  https://access.redhat.com/security/cve/CVE-2019-11070
  https://access.redhat.com/security/cve/CVE-2019-11236
  https://access.redhat.com/security/cve/CVE-2019-11324
  https://access.redhat.com/security/cve/CVE-2019-11358
  https://access.redhat.com/security/cve/CVE-2019-11459
  https://access.redhat.com/security/cve/CVE-2019-12447
  https://access.redhat.com/security/cve/CVE-2019-12448
  https://access.redhat.com/security/cve/CVE-2019-12449
  https://access.redhat.com/security/cve/CVE-2019-12450
  https://access.redhat.com/security/cve/CVE-2019-12795
  https://access.redhat.com/security/cve/CVE-2019-13232
  https://access.redhat.com/security/cve/CVE-2019-13636
  https://access.redhat.com/security/cve/CVE-2019-13752
  https://access.redhat.com/security/cve/CVE-2019-13753
  https://access.redhat.com/security/cve/CVE-2019-14822
  https://access.redhat.com/security/cve/CVE-2019-14973
  https://access.redhat.com/security/cve/CVE-2019-15718
  https://access.redhat.com/security/cve/CVE-2019-15847
  https://access.redhat.com/security/cve/CVE-2019-16056
  https://access.redhat.com/security/cve/CVE-2019-16769
  https://access.redhat.com/security/cve/CVE-2019-17451
  https://access.redhat.com/security/cve/CVE-2019-18408
  https://access.redhat.com/security/cve/CVE-2019-19126
  https://access.redhat.com/security/cve/CVE-2019-19923
  https://access.redhat.com/security/cve/CVE-2019-19924
  https://access.redhat.com/security/cve/CVE-2019-19925
  https://access.redhat.com/security/cve/CVE-2019-19959
  https://access.redhat.com/security/cve/CVE-2019-1010180
  https://access.redhat.com/security/cve/CVE-2019-1010204
  https://access.redhat.com/security/cve/CVE-2020-1712
  https://access.redhat.com/security/cve/CVE-2020-7013
  https://access.redhat.com/security/cve/CVE-2020-7598
  https://access.redhat.com/security/cve/CVE-2020-7662
  https://access.redhat.com/security/cve/CVE-2020-8203
  https://access.redhat.com/security/cve/CVE-2020-9283
  https://access.redhat.com/security/cve/CVE-2020-10531
  https://access.redhat.com/security/cve/CVE-2020-10715
  https://access.redhat.com/security/cve/CVE-2020-10743
  https://access.redhat.com/security/cve/CVE-2020-11008
  https://access.redhat.com/security/cve/CVE-2020-11022
  https://access.redhat.com/security/cve/CVE-2020-11023
  https://access.redhat.com/security/cve/CVE-2020-11110
  https://access.redhat.com/security/cve/CVE-2020-12049
  https://access.redhat.com/security/cve/CVE-2020-12052
  https://access.redhat.com/security/cve/CVE-2020-12245
  https://access.redhat.com/security/cve/CVE-2020-13822
  https://access.redhat.com/security/cve/CVE-2020-14040
  https://access.redhat.com/security/cve/CVE-2020-14336
  https://access.redhat.com/security/cve/CVE-2020-15366
  https://access.redhat.com/security/cve/CVE-2020-15719
  https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is . More contact
details at   https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.