Alerts This Week
Warning Icon 1 764
Alerts This Week
Warning Icon 1 764

Red Hat OpenShift 2.2.10 RHSA-2016:1773-01 Important DoS Threat

red hat
Calendar Grey August 24, 2016
Dist Redhat Esm H88
Red Hat OpenShift Enterprise 2.2.10 release resolves multiple security vulnerabilities considered crucial and significant.
An update is now available for Red Hat OpenShift Enterprise 2.2

Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.

See the OpenShift Enterprise 2.2 Release Notes, which will be updated shortly for release 2.2.10, for important instructions on how to fully apply this asynchronous errata update:

ingle/2.2_Release_Notes/index.html#chap-Asynchronous_Errata_Updates

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/articles/11258.

Summary

OpenShift Enterprise by Red Hat is the company's cloud computing Platform-as-a-Service (PaaS) solution designed for on-premise or private cloud deployments.
* The Jenkins continuous integration server has been updated to upstream version 1.651.2 LTS that addresses a large number of security issues, including open redirects, a potential denial of service, unsafe handling of user provided environment variables and several instances of sensitive information disclosure. (CVE-2014-3577, CVE-2016-0788, CVE-2016-0789, CVE-2016-0790, CVE-2016-0791, CVE-2016-0792, CVE-2016-3721, CVE-2016-3722, CVE-2016-3723, CVE-2016-3724, CVE-2016-3725, CVE-2016-3726, CVE-2016-3727, CVE-2015-7501)
Space precludes documenting all of the bug fixes and enhancements in this advisory. See the OpenShift Enterprise Technical Notes, which will be updated shortly for release 2.2.10, for details about these changes:
ingle/Technical_Notes/index.html
All OpenShift Enterprise 2 users are advised to upgrade to these updated packages.

Topics%20covered

Topics Covered

security advisory arbitrary commands security impact important fix Red Hat OpenShift

References

https://access.redhat.com/security/cve/CVE-2014-3577 https://access.redhat.com/security/cve/CVE-2015-7501 https://access.redhat.com/security/cve/CVE-2016-0788 https://access.redhat.com/security/cve/CVE-2016-0789 https://access.redhat.com/security/cve/CVE-2016-0790 https://access.redhat.com/security/cve/CVE-2016-0791 https://access.redhat.com/security/cve/CVE-2016-0792 https://access.redhat.com/security/cve/CVE-2016-3721 https://access.redhat.com/security/cve/CVE-2016-3722 https://access.redhat.com/security/cve/CVE-2016-3723 https://access.redhat.com/security/cve/CVE-2016-3724 https://access.redhat.com/security/cve/CVE-2016-3725 https://access.redhat.com/security/cve/CVE-2016-3726 https://access.redhat.com/security/cve/CVE-2016-3727 https://access.redhat.com/security/updates/classification/#important

Package List

Red Hat OpenShift Enterprise Client 2.2:
Source: rhc-1.38.7.1-1.el6op.src.rpm
noarch: rhc-1.38.7.1-1.el6op.noarch.rpm
Red Hat OpenShift Enterprise Infrastructure 2.2:
Source: activemq-5.9.0-6.redhat.611463.el6op.src.rpm openshift-origin-broker-1.16.3.2-1.el6op.src.rpm openshift-origin-broker-util-1.37.6.2-1.el6op.src.rpm rubygem-openshift-origin-admin-console-1.28.2.1-1.el6op.src.rpm rubygem-openshift-origin-controller-1.38.6.4-1.el6op.src.rpm rubygem-openshift-origin-msg-broker-mcollective-1.36.2.4-1.el6op.src.rpm rubygem-openshift-origin-routing-daemon-0.26.6.1-1.el6op.src.rpm
noarch: openshift-origin-broker-1.16.3.2-1.el6op.noarch.rpm openshift-origin-broker-util-1.37.6.2-1.el6op.noarch.rpm rubygem-openshift-origin-admin-console-1.28.2.1-1.el6op.noarch.rpm rubygem-openshift-origin-controller-1.38.6.4-1.el6op.noarch.rpm rubygem-openshift-origin-msg-broker-mcollective-1.36.2.4-1.el6op.noarch.rpm rubygem-openshift-origin-routing-daemon-0.26.6.1-1.el6op.noarch.rpm
x86_64: activemq-5.9.0-6.redhat.611463.el6op.x86_64.rpm activemq-client-5.9.0-6.redhat.611463.el6op.x86_64.rpm
Red Hat OpenShift Enterprise JBoss EAP add-on 2.2:
Source: openshift-origin-cartridge-jbosseap-2.27.4.2-1.el6op.src.rpm
noarch: openshift-origin-cartridge-jbosseap-2.27.4.2-1.el6op.noarch.rpm


Read the Full Advisory


Severity
important
Lowest
Low
Medium
High
Critical

Advisory ID: RHSA-2016:1773-01
Product: Red Hat OpenShift Enterprise
Advisory URL: https://access.redhat.com/errata/RHSA-2016:1773.html
Issue date: 2016-08-24

Topic

An update is now available for Red Hat OpenShift Enterprise 2.2.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerabilityfrom the CVE link(s) in the References section.

Topics%20covered

Topics Covered

security advisory arbitrary commands security impact important fix Red Hat OpenShift

Relevant Releases Architectures

Red Hat OpenShift Enterprise Client 2.2 - noarch

Red Hat OpenShift Enterprise Infrastructure 2.2 - noarch, x86_64

Red Hat OpenShift Enterprise JBoss EAP add-on 2.2 - noarch

Red Hat OpenShift Enterprise Node 2.2 - noarch, x86_64

Bugs Fixed

1129074 - CVE-2014-3577 Apache HttpComponents client / Apache CXF: SSL hostname verification bypass, incomplete CVE-2012-6153 fix

1196783 - OPENSHIFT_GEAR_MEMORY_MB is not updated when resource limits change

1217403 - [RFE] separate system-level logs of cron cartridge from gear-level logs

1266239 - [RFE] Make user variables maximum value configurable.

1274852 - Routing Daemon does not update LB when head gear is moved.

1279330 - CVE-2015-7501 apache-commons-collections: InvokerTransformer code execution during deserialisation

1282852 - Tomcat Does not properly parse spaces in JVM parameters/setttings

1311722 - Deleting a multi-version cartridge on the node fails silently

1311946 - CVE-2016-0788 jenkins: Remote code execution vulnerability in remoting module (SECURITY-232)

1311947 - CVE-2016-0789 jenkins: HTTP response splitting vulnerability (SECURITY-238)

1311948 - CVE-2016-0790 jenkins: Non-constant time comparison of API token (SECURITY-241)

1311949 - CVE-2016-0791 jenkins: Non-constant time comparison of CSRF crumbs (SECURITY-245)

1311950 - CVE-2016-0792 jenkins: Remote code execution through remote API (SECURITY-247)

1335415 - CVE-2016-3721 jenkins: Arbitrary build parameters are passed to build scripts as environment variables (SECURITY-170)

1335416 - CVE-2016-3722 jenkins: Malicious users with multiple user accounts can prevent other users from logging in (SECURITY-243)

Read the Full Advisory

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here