RedHat: RHSA-2019-3941:01 Important: OpenShift Container Platform 4.1.24

    Date20 Nov 2019
    CategoryRed Hat
    337
    Posted ByLinuxSecurity Advisories
    Red Hat OpenShift Container Platform release 4.1.24 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score,
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA256
    
    =====================================================================
                       Red Hat Security Advisory
    
    Synopsis:          Important: OpenShift Container Platform 4.1.24 machine-os-content-container security update
    Advisory ID:       RHSA-2019:3941-01
    Product:           Red Hat OpenShift Enterprise
    Advisory URL:      https://access.redhat.com/errata/RHSA-2019:3941
    Issue date:        2019-11-21
    CVE Names:         CVE-2018-12207 CVE-2019-14287 CVE-2019-15718 
    =====================================================================
    
    1. Summary:
    
    Red Hat OpenShift Container Platform release 4.1.24 is now available with
    updates to packages and images that fix several bugs and add enhancements.
    
    Red Hat Product Security has rated this update as having a security impact
    of Important. A Common Vulnerability Scoring System (CVSS) base score,
    which gives a detailed severity rating, is available for each vulnerability
    from the CVE link(s) in the References section.
    
    2. Description:
    
    Red Hat OpenShift Container Platform is Red Hat's cloud computing
    Kubernetes application platform solution designed for on-premise or private
    cloud deployments.
    
    This is a text-only advisory for the machine-os-content container image,
    which includes RPM packages for Red Hat Enterprise Linux CoreOS.
    
    Security Fix(es):
    
    * A flaw was found in the way Intel CPUs handle inconsistency between,
    virtual to physical memory address translations in CPU's local cache and
    system software's Paging structure entries. A privileged guest user may use
    this flaw to induce a hardware Machine Check Error on the host processor,
    resulting in a severe DoS scenario by halting the processor.
    
    System software like OS OR Virtual Machine Monitor (VMM) use virtual memory
    system for storing program instructions and data in memory.  Virtual Memory
    system uses Paging structures like Page Tables and Page Directories to
    manage system memory. The processor's Memory Management Unit (MMU) uses
    Paging structure entries to translate program's  virtual memory addresses
    to physical memory addresses. The processor stores these address
    translations into its local cache buffer called - Translation Lookaside
    Buffer (TLB).  TLB has two parts, one for instructions and other for data
    addresses.
    
    System software can modify its Paging structure entries to change address
    mappings OR certain attributes like page size etc. Upon such Paging
    structure alterations in memory, system software must invalidate the
    corresponding address translations in the processor's TLB cache. But before
    this TLB invalidation takes place, a privileged guest user may trigger an
    instruction fetch operation, which could use an already cached, but now
    invalid, virtual to physical address translation from Instruction TLB
    (ITLB). Thus accessing an invalid physical memory address and resulting in
    halting the processor due to the Machine Check Error (MCE) on Page Size
    Change. (CVE-2018-12207)
    
    * A flaw was found in the way sudo implemented running commands with an
    arbitrary user ID. If a sudoers entry is written to allow users to run a
    command as any user except root, this flaw can be used by an attacker to
    bypass that restriction. (CVE-2019-14287)
    
    * An improper authorization flaw was discovered in systemd-resolved in the
    way it configures the exposed DBus interface org.freedesktop.resolve1. An
    unprivileged local user could call all DBus methods, even when marked as
    privileged operations. An attacker could abuse this flaw by changing the
    DNS, Search Domain, LLMNR, DNSSEC, and other network link settings without
    any authorization, giving them control of the network names resolution
    process and causing the system to communicate with wrong or malicious
    servers. (CVE-2019-15718)
    
    For more details about the security issue(s), including the impact, a CVSS
    score, acknowledgments, and other related information, refer to the CVE
    page(s) listed in the References section.
    
    3. Solution:
    
    For OpenShift Container Platform 4.1 see the following documentation, which
    will be updated shortly for release 4.1.24, for important instructions on
    how to upgrade your cluster and fully apply this asynchronous errata
    update:
    
    https://docs.openshift.com/container-platform/4.1/release_notes/ocp-4-1-rel
    ease-notes.html
    
    4. Bugs fixed (https://bugzilla.redhat.com/):
    
    1646768 - CVE-2018-12207 hw: Machine Check Error on Page Size Change (IFU)
    1746057 - CVE-2019-15718 systemd: systemd-resolved allows unprivileged users to configure DNS
    1760531 - CVE-2019-14287 sudo: Privilege escalation via 'Runas' specification with 'ALL' keyword
    
    5. References:
    
    https://access.redhat.com/security/cve/CVE-2018-12207
    https://access.redhat.com/security/cve/CVE-2019-14287
    https://access.redhat.com/security/cve/CVE-2019-15718
    https://access.redhat.com/security/updates/classification/#important
    https://access.redhat.com/security/vulnerabilities/ifu-page-mce
    
    6. Contact:
    
    The Red Hat security contact is . More contact
    details at https://access.redhat.com/security/team/contact/
    
    Copyright 2019 Red Hat, Inc.
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1
    
    iQIVAwUBXdZfNtzjgjWX9erEAQiIJA/8DVpw4bPJ/QftagWt+yTuVrElc8k0ilKD
    Nm5N28A+S4n7FThUMq261i9a/vaNMRe0aA1iaRtU+65jLGZQK42QNrVSHrWb+URe
    TL6g1IWD/nzCVB7jW7pER8kraHw3YDxgGmpDite38SZ6xF8lU57Vzn5a9btRbKfU
    D0i+Lp7ak0PCZ280B/LCSsZtB1wN4U1knVQKOsNd8AE5C6bB6dXLD0eVMur5aWMI
    0IZy0rzLHHZIMEhAxXyssyFGnm3EDqjjFp27dScD9nEMemToduyK82pJTOfIUusx
    geFGYQhKC3ZXCNG1pHzqF9Llzy4gcvYuhW85tT4ICbDaGnYOmmAh/dpWlevJm2Le
    A7WPEQSxUUH1SCr7RrDrWqz04uPkvZJgzwV8vNH5FtnbLsCF4RI1fKJY5rZ/NOil
    0YMR28rRQYJcK7MvwLbQCwRTQx3lk4NcV3V1RYn3Igi6dsIw++6/sIsbzhtPJF9A
    LuTf5v55MMhQI062yT6seorAPIcKtTk90PkXXihQrY+i2kkdkYIBDLs9fRAJU0Va
    10eaTc2NC535bd/NliwPnPEn4RaXXTImMA+HhEhX/arAJ88sW0hyWyyBE+DkJAb4
    KGYHvPMefV10tj9gJPoXHr9InuCCSb37cAvJn5FzInCZ5181E4D8Vxv4HZIAi8P0
    7YKxx54lRpE=
    =9Xq5
    -----END PGP SIGNATURE-----
    
    --
    RHSA-announce mailing list
    This email address is being protected from spambots. You need JavaScript enabled to view it.
    https://www.redhat.com/mailman/listinfo/rhsa-announce
    
    
    You are not authorised to post comments.

    Comments powered by CComment

    LinuxSecurity Poll

    What do you think of the articles on LinuxSecurity?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 3 answer(s).
    /main-polls/24-what-do-you-think-of-the-quality-of-the-articles-on-linuxsecurity?task=poll.vote&format=json
    24
    radio
    [{"id":"87","title":"Excellent, don't change a thing!","votes":"65","type":"x","order":"1","pct":57.52,"resources":[]},{"id":"88","title":"Should be more technical","votes":"15","type":"x","order":"2","pct":13.27,"resources":[]},{"id":"89","title":"Should include more HOWTOs","votes":"33","type":"x","order":"3","pct":29.2,"resources":[]}]["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"]["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"]350
    bottom200

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.