RedHat: RHSA-2019-3149:01 Important: OpenShift Container Platform

    Date 18 Oct 2019
    849
    Posted By LinuxSecurity Advisories
    An update for logging-elasticsearch5-container is now available for Red Hat OpenShift Container Platform 3.11. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA256
    
    =====================================================================
                       Red Hat Security Advisory
    
    Synopsis:          Important: OpenShift Container Platform logging-elasticsearch5-container security update
    Advisory ID:       RHSA-2019:3149-01
    Product:           Red Hat OpenShift Enterprise
    Advisory URL:      https://access.redhat.com/errata/RHSA-2019:3149
    Issue date:        2019-10-18
    CVE Names:         CVE-2017-7525 CVE-2017-15095 CVE-2017-17485 
                       CVE-2018-5968 CVE-2018-7489 CVE-2018-10237 
                       CVE-2018-11307 CVE-2018-12022 CVE-2018-12023 
                       CVE-2018-14718 CVE-2018-14719 CVE-2018-14720 
                       CVE-2018-14721 CVE-2018-19360 CVE-2018-19361 
                       CVE-2018-19362 CVE-2019-12086 CVE-2019-12384 
                       CVE-2019-12814 CVE-2019-14379 
    =====================================================================
    
    1. Summary:
    
    An update for logging-elasticsearch5-container is now available for Red Hat
    OpenShift Container Platform 3.11.
    
    Red Hat Product Security has rated this update as having a security impact
    of Important. A Common Vulnerability Scoring System (CVSS) base score,
    which gives a detailed severity rating, is available for each vulnerability
    from the CVE link(s) in the References section.
    
    2. Description:
    
    Red Hat OpenShift Container Platform is Red Hat's cloud computing
    Kubernetes application platform solution designed for on-premise or private
    cloud deployments.
    
    This advisory contains an update for jackson-databind in the
    logging-elasticsearch5 container image for Red Hat OpenShift Container
    Platform 3.11.153.
    
    Security Fix(es):
    
    * jackson-databind: Deserialization vulnerability via readValue method of
    ObjectMapper (CVE-2017-7525)
    
    * jackson-databind: Unsafe deserialization due to incomplete black list
    (incomplete fix for CVE-2017-7525) (CVE-2017-15095)
    
    * jackson-databind: Unsafe deserialization due to incomplete black list
    (incomplete fix for CVE-2017-15095) (CVE-2017-17485)
    
    * jackson-databind: Potential information exfiltration with default typing,
    serialization gadget from MyBatis (CVE-2018-11307)
    
    * jackson-databind: improper polymorphic deserialization of types from
    Jodd-db library (CVE-2018-12022)
    
    * jackson-databind: improper polymorphic deserialization of types from
    Oracle JDBC driver (CVE-2018-12023)
    
    * jackson-databind: arbitrary code execution in slf4j-ext class
    (CVE-2018-14718)
    
    * jackson-databind: arbitrary code execution in blaze-ds-opt and
    blaze-ds-core classes (CVE-2018-14719)
    
    * jackson-databind: improper polymorphic deserialization in
    axis2-transport-jms class (CVE-2018-19360)
    
    * jackson-databind: improper polymorphic deserialization in openjpa class
    (CVE-2018-19361)
    
    * jackson-databind: improper polymorphic deserialization in
    jboss-common-core class (CVE-2018-19362)
    
    * jackson-databind: failure to block the logback-core class from
    polymorphic deserialization leading to remote code execution
    (CVE-2019-12384)
    
    * jackson-databind: default typing mishandling leading to remote code
    execution (CVE-2019-14379)
    
    * jackson-databind: unsafe deserialization due to incomplete blacklist
    (incomplete fix for CVE-2017-7525 and CVE-2017-17485) (CVE-2018-5968)
    
    * jackson-databind: incomplete fix for CVE-2017-7525 permits unsafe
    serialization via c3p0 libraries (CVE-2018-7489)
    
    * guava: Unbounded memory allocation in AtomicDoubleArray and
    CompoundOrdering classes allow remote attackers to cause a denial of
    service (CVE-2018-10237)
    
    * jackson-databind: exfiltration/XXE in some JDK classes (CVE-2018-14720)
    
    * jackson-databind: server-side request forgery (SSRF) in axis2-jaxws class
    (CVE-2018-14721)
    
    * jackson-databind: polymorphic typing issue allows attacker to read
    arbitrary local files on the server. (CVE-2019-12086)
    
    * jackson-databind: polymorphic typing issue allows attacker to read
    arbitrary local files on the server via crafted JSON message.
    (CVE-2019-12814)
    
    For more details about the security issue(s), including the impact, a CVSS
    score, acknowledgments, and other related information, refer to the CVE
    page(s) listed in the References section.
    
    3. Solution:
    
    See the following documentation, which will be updated shortly for this
    release, for important instructions on how to upgrade your cluster and
    fully apply this asynchronous errata update:
    
    https://docs.openshift.com/container-platform/3.11/release_notes/ocp_3_11_r
    elease_notes.html
    
    4. Bugs fixed (https://bugzilla.redhat.com/):
    
    1462702 - CVE-2017-7525 jackson-databind: Deserialization vulnerability via readValue method of ObjectMapper
    1506612 - CVE-2017-15095 jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-7525)
    1528565 - CVE-2017-17485 jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-15095)
    1538332 - CVE-2018-5968 jackson-databind: unsafe deserialization due to incomplete blacklist (incomplete fix for CVE-2017-7525 and CVE-2017-17485)
    1549276 - CVE-2018-7489 jackson-databind: incomplete fix for CVE-2017-7525 permits unsafe serialization via c3p0 libraries
    1573391 - CVE-2018-10237 guava: Unbounded memory allocation in AtomicDoubleArray and CompoundOrdering classes allow remote attackers to cause a denial of service
    1666415 - CVE-2018-14718 jackson-databind: arbitrary code execution in slf4j-ext class
    1666418 - CVE-2018-14719 jackson-databind: arbitrary code execution in blaze-ds-opt and blaze-ds-core classes
    1666423 - CVE-2018-14720 jackson-databind: exfiltration/XXE in some JDK classes
    1666428 - CVE-2018-14721 jackson-databind: server-side request forgery (SSRF) in axis2-jaxws class
    1666482 - CVE-2018-19360 jackson-databind: improper polymorphic deserialization in axis2-transport-jms class
    1666484 - CVE-2018-19361 jackson-databind: improper polymorphic deserialization in openjpa class
    1666489 - CVE-2018-19362 jackson-databind: improper polymorphic deserialization in jboss-common-core class
    1671096 - CVE-2018-12023 jackson-databind: improper polymorphic deserialization of types from Oracle JDBC driver
    1671097 - CVE-2018-12022 jackson-databind: improper polymorphic deserialization of types from Jodd-db library
    1677341 - CVE-2018-11307 jackson-databind: Potential information exfiltration with default typing, serialization gadget from MyBatis
    1713468 - CVE-2019-12086 jackson-databind: polymorphic typing issue allows attacker to read arbitrary local files on the server.
    1725795 - CVE-2019-12814 jackson-databind: polymorphic typing issue allows attacker to read arbitrary local files on the server via crafted JSON message.
    1725807 - CVE-2019-12384 jackson-databind: failure to block the logback-core class from polymorphic deserialization leading to remote code execution
    1737517 - CVE-2019-14379 jackson-databind: default typing mishandling leading to remote code execution
    
    5. References:
    
    https://access.redhat.com/security/cve/CVE-2017-7525
    https://access.redhat.com/security/cve/CVE-2017-15095
    https://access.redhat.com/security/cve/CVE-2017-17485
    https://access.redhat.com/security/cve/CVE-2018-5968
    https://access.redhat.com/security/cve/CVE-2018-7489
    https://access.redhat.com/security/cve/CVE-2018-10237
    https://access.redhat.com/security/cve/CVE-2018-11307
    https://access.redhat.com/security/cve/CVE-2018-12022
    https://access.redhat.com/security/cve/CVE-2018-12023
    https://access.redhat.com/security/cve/CVE-2018-14718
    https://access.redhat.com/security/cve/CVE-2018-14719
    https://access.redhat.com/security/cve/CVE-2018-14720
    https://access.redhat.com/security/cve/CVE-2018-14721
    https://access.redhat.com/security/cve/CVE-2018-19360
    https://access.redhat.com/security/cve/CVE-2018-19361
    https://access.redhat.com/security/cve/CVE-2018-19362
    https://access.redhat.com/security/cve/CVE-2019-12086
    https://access.redhat.com/security/cve/CVE-2019-12384
    https://access.redhat.com/security/cve/CVE-2019-12814
    https://access.redhat.com/security/cve/CVE-2019-14379
    https://access.redhat.com/security/updates/classification/#important
    
    6. Contact:
    
    The Red Hat security contact is . More contact
    details at https://access.redhat.com/security/team/contact/
    
    Copyright 2019 Red Hat, Inc.
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1
    
    iQIVAwUBXaoYI9zjgjWX9erEAQj/Fg/+ODHxxpzww4u9UjUNO4XQWe+v9zAzdMmv
    haPdmEGp4X9wQbAerbu6uERE8yrox+N3VN84dAgmKoim76Y5zMwad9o2LJF7c9rw
    KlcPP7zsQ5bKTLi17e/sGUimNcKO83sKcEivqAlw3VzeH3nSigjq3FpF4zgASarf
    NV1EnBBYoCt2wuLaiCjRN4V5xe3DlQ8Np9Cptp5OcSlvavdN5NMGLxNjleCBW4OP
    LH+QiOf48BOyH39KZLkmh+8LG69Ig64Wvcf26JnlhNLpK92iACjtK/XM3vy7SBwd
    sTpKZQNHGd1eMd5pCx0+UmoLAzO+W9C9yeb5mUvQrCWQArZ4mTR5uiUy8hSoY2XL
    DBHBqJm04ECKjrAMYu1GAb938aBLsUjZ3ltPLj9cXi0cqI6HxDyvWMu/IUjiemt5
    5VM+AZ3lR44esY7528BhjQFrYHJfIQn28ovCktHo1ZMaEk2bwqy6VgY1ywf5xT7Q
    JLzo02/cS9tawtaIJiCzKYYIdyW+dw6OvDZyFoyNcDpyPL2YwVnS5CQTm6OJI6Dy
    Opdn59EYbXeK0Vk4ttBOFbIvpWXmg3oFkpgkwmzdyeREPsyxe7mrEZOVZH0BKc3R
    BcW9U/ilaNvQJzX8dXBSwNJysNnnVg5l1VVKH5jpwLQ1jkWrDQBWT2rhEg4g7/9c
    X6iG41oXhxM=
    =cwZr
    -----END PGP SIGNATURE-----
    
    --
    RHSA-announce mailing list
    This email address is being protected from spambots. You need JavaScript enabled to view it.
    https://www.redhat.com/mailman/listinfo/rhsa-announce
    

    LinuxSecurity Poll

    If you are using full-disk encryption: are you concerned about the resulting performance hit?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 2 answer(s).
    /main-polls/34-if-you-are-using-full-disk-encryption-are-you-concerned-about-the-resulting-performance-hit?task=poll.vote&format=json
    34
    radio
    [{"id":"120","title":"Yes","votes":"13","type":"x","order":"1","pct":61.9,"resources":[]},{"id":"121","title":"No ","votes":"8","type":"x","order":"2","pct":38.1,"resources":[]}] ["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"] ["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"] 350
    bottom 200

    Advisories

    Please enable / Bitte aktiviere JavaScript!
    Veuillez activer / Por favor activa el Javascript![ ? ]

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.