Moderate: OpenShift Container Platform 4.6.1 image security update

Related Vulnerabilities:

Synopsis

Moderate: OpenShift Container Platform 4.6.1 image security update

Type/Severity

Security Advisory: Moderate

Topic

An update is now available for Red Hat OpenShift Container Platform 4.6.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.

Security Fix(es):

  • golang.org/x/crypto: Processing of crafted ssh-ed25519 public keys allows for panic (CVE-2020-9283)
  • SSL/TLS: CBC padding timing attack (lucky-13) (CVE-2013-0169)
  • grafana: XSS vulnerability via a column style on the "Dashboard > Table Panel" screen (CVE-2018-18624)
  • js-jquery: prototype pollution in object's prototype leading to denial of service or remote code execution or property injection (CVE-2019-11358)
  • npm-serialize-javascript: XSS via unsafe characters in serialized regular expressions (CVE-2019-16769)
  • kibana: Prototype pollution in TSVB could result in arbitrary code execution (ESA-2020-06) (CVE-2020-7013)
  • nodejs-minimist: prototype pollution allows adding or modifying properties of Object.prototype using a constructor or __proto__ payload (CVE-2020-7598)
  • npmjs-websocket-extensions: ReDoS vulnerability in Sec-WebSocket-Extensions parser (CVE-2020-7662)
  • nodejs-lodash: prototype pollution in zipObjectDeep function (CVE-2020-8203)
  • jquery: Cross-site scripting due to improper handling in the jQuery.htmlPrefilter method (CVE-2020-11022)
  • jQuery: passing HTML containing <option> elements to manipulation methods could result in untrusted code execution (CVE-2020-11023)
  • grafana: stored XSS (CVE-2020-11110)
  • grafana: XSS annotation popup vulnerability (CVE-2020-12052)
  • grafana: XSS via column.title or cellLinkTooltip (CVE-2020-12245)
  • nodejs-elliptic: improper encoding checks allows a certain degree of signature malleability in ECDSA signatures (CVE-2020-13822)
  • golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash (CVE-2020-14040)
  • nodejs-ajv: prototype pollution via crafted JSON schema in ajv.validate function (CVE-2020-15366)
  • openshift/console: text injection on error page via crafted url (CVE-2020-10715)
  • kibana: X-Frame-Option not set by default might lead to clickjacking (CVE-2020-10743)
  • openshift: restricted SCC allows pods to craft custom network packets (CVE-2020-14336)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For OpenShift Container Platform 4.6 see the following documentation, which
will be updated shortly for this release, for important instructions on how
to upgrade your cluster and fully apply this asynchronous errata update:

https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html

Details on how to access this content are available at
https://docs.openshift.com/container-platform/4.6/updating/updating-cluster-cli.html.

Affected Products

  • Red Hat OpenShift Container Platform 4.6 for RHEL 8 x86_64
  • Red Hat OpenShift Container Platform 4.6 for RHEL 7 x86_64
  • Red Hat OpenShift Container Platform for Power 4.6 for RHEL 8 ppc64le
  • Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.6 for RHEL 8 s390x

Fixes

  • BZ - 907589 - CVE-2013-0169 SSL/TLS: CBC padding timing attack (lucky-13)
  • BZ - 1701972 - CVE-2019-11358 jquery: Prototype pollution in object's prototype leading to denial of service, remote code execution, or property injection
  • BZ - 1767665 - CVE-2020-10715 openshift/console: text injection on error page via crafted url
  • BZ - 1804533 - CVE-2020-9283 golang.org/x/crypto: Processing of crafted ssh-ed25519 public keys allows for panic
  • BZ - 1813344 - CVE-2020-7598 nodejs-minimist: prototype pollution allows adding or modifying properties of Object.prototype using a constructor or __proto__ payload
  • BZ - 1828406 - CVE-2020-11022 jquery: Cross-site scripting due to improper handling in the jQuery.htmlPrefilter method
  • BZ - 1834550 - CVE-2020-10743 kibana: X-Frame-Option not set by default might lead to clickjacking
  • BZ - 1845982 - CVE-2020-7662 npmjs-websocket-extensions: ReDoS vulnerability in Sec-WebSocket-Extensions parser
  • BZ - 1848089 - CVE-2020-12052 grafana: XSS annotation popup vulnerability
  • BZ - 1848092 - CVE-2019-16769 npm-serialize-javascript: XSS via unsafe characters in serialized regular expressions
  • BZ - 1848643 - CVE-2020-12245 grafana: XSS via column.title or cellLinkTooltip
  • BZ - 1848647 - CVE-2020-13822 nodejs-elliptic: improper encoding checks allows a certain degree of signature malleability in ECDSA signatures
  • BZ - 1849044 - CVE-2020-7013 kibana: Prototype pollution in TSVB could result in arbitrary code execution (ESA-2020-06)
  • BZ - 1850004 - CVE-2020-11023 jquery: Passing HTML containing <option> elements to manipulation methods could result in untrusted code execution
  • BZ - 1850572 - CVE-2018-18624 grafana: XSS vulnerability via a column style on the "Dashboard > Table Panel" screen
  • BZ - 1853652 - CVE-2020-14040 golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash
  • BZ - 1857412 - CVE-2020-8203 nodejs-lodash: prototype pollution in zipObjectDeep function
  • BZ - 1857977 - CVE-2020-15366 nodejs-ajv: prototype pollution via crafted JSON schema in ajv.validate function
  • BZ - 1858981 - CVE-2020-14336 openshift: restricted SCC allows pods to craft custom network packets
  • BZ - 1861044 - CVE-2020-11110 grafana: stored XSS
  • BZ - 1874671 - CVE-2020-14336 ose-machine-config-operator-container: openshift: restricted SCC allows pods to craft custom network packets [openshift-4]

CVEs

References