
Red Hat OpenShift 3.2: RHSA-2016-1836-01 Moderate: XSS Exploit

September 8, 2016
This Red Hat OpenShift Enterprise Kibana image update fixes two flaws: a cross-site scripting (XSS) flaw, and session hijacking made possible by cookies and auth headers being written to Kibana log files.
An update for Red Hat OpenShift Enterprise Kibana images is now available.

Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

The following images are included in this errata:

openshift3/logging-kibana:3.1.1-10
openshift3/logging-elasticsearch:3.1.1-14
openshift3/logging-kibana:3.2.1-5
openshift3/logging-elasticsearch:3.2.1-7

Summary

OpenShift Enterprise by Red Hat is the company's cloud computing Platform-as-a-Service (PaaS) solution designed for on-premise or private cloud deployments.
Security Fix(es):
* A flaw was found in Kibana's logging functionality. If custom logging output was configured in Kibana, private user data could be written to the Kibana log files. A system attacker could use this data to hijack sessions of other users when using Kibana behind some form of authentication such as Shield.
* A cross-site scripting (XSS) flaw was found in Kibana. A remote attacker could use this flaw to inject arbitrary web script into pages served to other users.
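The second flaw matters to defenders because a log file may already hold the cookies and Authorization headers that were leaked before the update. The scanner below, an added example and not part of the advisory, walks JSON request-log lines and reports any field named like a credential, with values redacted so the report does not re-leak them; the sample lines and the req/headers layout are constructed for this example, not taken from the page.

```python
"""Scan Kibana JSON log lines for leaked session cookies and auth headers,
the material the session-hijack flaw above exposes.  Sample lines are
constructed for this example; the req/headers layout is an assumption about
Kibana 4 request logging, not something the advisory states."""
import json

# Header/field names (case-insensitive) that carry session or auth material.
SENSITIVE_KEYS = {"cookie", "set-cookie", "authorization", "proxy-authorization"}

def _leaves(obj, path=""):
    """Yield (dotted_path, value) for every scalar in a nested JSON structure."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from _leaves(v, f"{path}.{k}" if path else k)
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from _leaves(v, f"{path}[{i}]")
    else:
        yield path, obj

def redact(value, keep=4):
    """Keep only a short prefix so the finding report does not re-leak the secret."""
    s = str(value)
    return s[:keep] + "..." if len(s) > keep else "***"

def scan_line(line):
    """Return [(field_path, redacted_value)] for one log line; [] if clean or not JSON."""
    try:
        record = json.loads(line)
    except ValueError:
        return []
    return [(path, redact(val)) for path, val in _leaves(record)
            if path.rsplit(".", 1)[-1].lower() in SENSITIVE_KEYS]

def scan_log(lines):
    """Map 1-based line number -> findings for every line that leaked credentials."""
    hits = {}
    for n, line in enumerate(lines, 1):
        findings = scan_line(line)
        if findings:
            hits[n] = findings
    return hits

# Constructed sample lines in the shape of Kibana 4 request/response logging.
SAMPLE_LOG = [
    '{"type":"response","req":{"url":"/app/kibana","headers":{"host":"kibana.example.internal","user-agent":"curl/7.29"}},"res":{"statusCode":200}}',
    '{"type":"response","req":{"url":"/elasticsearch/_msearch","headers":{"host":"kibana.example.internal","cookie":"session=SAMPLE_SESSION_VALUE","authorization":"Basic U0FNUExF"}},"res":{"statusCode":200}}',
    '{"type":"log","tags":["status","plugin:elasticsearch"],"message":"Status changed from yellow to green"}',
]
```

Running `scan_log` over a real Kibana log directory tells you whether any session material was captured; if it was, treat those sessions as compromised and rotate them after applying the update.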

References

https://access.redhat.com/security/updates/classification/#moderate

Package List

Red Hat OpenShift Enterprise 3.1:

Source:
kibana-4.1.11-1.el7.src.rpm
openshift-elasticsearch-plugin-0.16.0.redhat_1-1.el7.src.rpm

noarch:
openshift-elasticsearch-plugin-0.16.0.redhat_1-1.el7.noarch.rpm

x86_64:
kibana-4.1.11-1.el7.x86_64.rpm
kibana-debuginfo-4.1.11-1.el7.x86_64.rpm

Red Hat OpenShift Enterprise 3.2:

Source:
kibana-4.1.11-1.el7.src.rpm
openshift-elasticsearch-plugin-0.16.0.redhat_1-1.el7.src.rpm

noarch:
openshift-elasticsearch-plugin-0.16.0.redhat_1-1.el7.noarch.rpm

x86_64:
kibana-4.1.11-1.el7.x86_64.rpm
kibana-debuginfo-4.1.11-1.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/


Advisory ID: RHSA-2016:1836-01
Product: Red Hat OpenShift Enterprise
Issue date: 2016-09-08

Topic

An update for Red Hat OpenShift Enterprise Kibana images is now available. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Relevant Releases Architectures

Red Hat OpenShift Enterprise 3.1 - noarch, x86_64

Red Hat OpenShift Enterprise 3.2 - noarch, x86_64

Bugs Fixed

1364389 - kibana: XSS vulnerability

1364394 - kibana: Session hijack via stealing cookies and auth headers from log
