RedHat: RHSA-2021-1515:01 Important: Openshift Logging Bug Fix Rele...

Advisories

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Openshift Logging Bug Fix Release (5.0.3)
Advisory ID:       RHSA-2021:1515-01
Product:           Red Hat OpenShift Enterprise
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:1515
Issue date:        2021-05-06
CVE Names:         CVE-2018-14718 CVE-2018-14719 CVE-2018-14720 
                   CVE-2018-14721 CVE-2018-19360 CVE-2018-19361 
                   CVE-2018-19362 CVE-2019-14379 CVE-2020-15586 
                   CVE-2020-16845 CVE-2020-24750 CVE-2020-35490 
                   CVE-2020-35491 CVE-2020-35728 CVE-2020-36179 
                   CVE-2020-36180 CVE-2020-36181 CVE-2020-36182 
                   CVE-2020-36183 CVE-2020-36184 CVE-2020-36185 
                   CVE-2020-36186 CVE-2020-36187 CVE-2020-36188 
                   CVE-2020-36189 CVE-2021-2163 CVE-2021-20190 
=====================================================================

1. Summary:

Openshift Logging Bug Fix Release (5.0.3)
This release includes a security update.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

Openshift Logging Bug Fix Release (5.0.3)

Security Fix(es):

* jackson-databind: arbitrary code execution in slf4j-ext class
(CVE-2018-14718)

* jackson-databind: arbitrary code execution in blaze-ds-opt and
blaze-ds-core classes (CVE-2018-14719)

* jackson-databind: improper polymorphic deserialization in
axis2-transport-jms class (CVE-2018-19360)

* jackson-databind: improper polymorphic deserialization in openjpa class
(CVE-2018-19361)

* jackson-databind: improper polymorphic deserialization in
jboss-common-core class (CVE-2018-19362)

* jackson-databind: default typing mishandling leading to remote code
execution (CVE-2019-14379)

* jackson-databind: Serialization gadgets in
com.pastdev.httpcomponents.configuration.JndiConfiguration (CVE-2020-24750)

* jackson-databind: mishandles the interaction between serialization
gadgets and typing, related to
org.apache.commons.dbcp2.datasources.PerUserPoolDataSource (CVE-2020-35490)

* jackson-databind: mishandles the interaction between serialization
gadgets and typing, related to
org.apache.commons.dbcp2.datasources.SharedPoolDataSource (CVE-2020-35491)

* jackson-databind: mishandles the interaction between serialization
gadgets and typing, related to
com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool
(CVE-2020-35728)

* jackson-databind: mishandles the interaction between serialization
gadgets and typing, related to
oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS (CVE-2020-36179)

* jackson-databind: mishandles the interaction between serialization
gadgets and typing, related to
org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS (CVE-2020-36180)

* jackson-databind: mishandles the interaction between serialization
gadgets and typing, related to
org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS (CVE-2020-36181)

* jackson-databind: mishandles the interaction between serialization
gadgets and typing, related to
org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS (CVE-2020-36182)

* jackson-databind: mishandles the interaction between serialization
gadgets and typing, related to
org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool (CVE-2020-36183)

* jackson-databind: mishandles the interaction between serialization
gadgets and typing, related to
org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource
(CVE-2020-36184)

* jackson-databind: mishandles the interaction between serialization
gadgets and typing, related to
org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource
(CVE-2020-36185)

* jackson-databind: mishandles the interaction between serialization
gadgets and typing, related to
org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource
(CVE-2020-36186)

* jackson-databind: mishandles the interaction between serialization
gadgets and typing, related to
org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource
(CVE-2020-36187)

* jackson-databind: mishandles the interaction between serialization
gadgets and typing, related to
com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource
(CVE-2020-36188)

* jackson-databind: mishandles the interaction between serialization
gadgets and typing, related to
com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSourc
e (CVE-2020-36189)

* jackson-databind: mishandles the interaction between serialization
gadgets and typing, related to javax.swing (CVE-2021-20190)

* jackson-databind: exfiltration/XXE in some JDK classes (CVE-2018-14720)

* jackson-databind: server-side request forgery (SSRF) in axis2-jaxws class
(CVE-2018-14721)

* golang: data race in certain net/http servers including ReverseProxy can
lead to DoS (CVE-2020-15586)

* golang: ReadUvarint and ReadVarint can read an unlimited number of bytes
from invalid inputs (CVE-2020-16845)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

For OpenShift Container Platform 4.7 see the following documentation, which
will be updated shortly for this release, for important instructions on how
to upgrade your cluster and fully apply this errata update:

https://docs.openshift.com/container-platform/4.7/release_notes/ocp-4-7-rel
ease-notes.html

For Red Hat OpenShift Logging 5.0, see the following instructions to apply
this update:

https://docs.openshift.com/container-platform/4.7/logging/cluster-logging-u
pgrading.html

4. JIRA issues fixed (https://issues.jboss.org/):

LOG-1224 - Release 5.0 - ClusterLogForwarder namespace-specific log forwarding does not work as expected
LOG-1232 - 5.0 - Bug 1859004 - Sometimes the eventrouter couldn't gather event logs.
LOG-1234 - CVE-2020-15586 CVE-2020-16845 openshift-eventrouter: various flaws [openshift-4]
LOG-1299 - Release 5.0 Forwarding logs to Kafka using Chained certificates fails with error "state=error: certificate verify failed (unable to get local issuer certificate)"

5. References:

https://access.redhat.com/security/cve/CVE-2018-14718
https://access.redhat.com/security/cve/CVE-2018-14719
https://access.redhat.com/security/cve/CVE-2018-14720
https://access.redhat.com/security/cve/CVE-2018-14721
https://access.redhat.com/security/cve/CVE-2018-19360
https://access.redhat.com/security/cve/CVE-2018-19361
https://access.redhat.com/security/cve/CVE-2018-19362
https://access.redhat.com/security/cve/CVE-2019-14379
https://access.redhat.com/security/cve/CVE-2020-15586
https://access.redhat.com/security/cve/CVE-2020-16845
https://access.redhat.com/security/cve/CVE-2020-24750
https://access.redhat.com/security/cve/CVE-2020-35490
https://access.redhat.com/security/cve/CVE-2020-35491
https://access.redhat.com/security/cve/CVE-2020-35728
https://access.redhat.com/security/cve/CVE-2020-36179
https://access.redhat.com/security/cve/CVE-2020-36180
https://access.redhat.com/security/cve/CVE-2020-36181
https://access.redhat.com/security/cve/CVE-2020-36182
https://access.redhat.com/security/cve/CVE-2020-36183
https://access.redhat.com/security/cve/CVE-2020-36184
https://access.redhat.com/security/cve/CVE-2020-36185
https://access.redhat.com/security/cve/CVE-2020-36186
https://access.redhat.com/security/cve/CVE-2020-36187
https://access.redhat.com/security/cve/CVE-2020-36188
https://access.redhat.com/security/cve/CVE-2020-36189
https://access.redhat.com/security/cve/CVE-2021-2163
https://access.redhat.com/security/cve/CVE-2021-20190
https://access.redhat.com/security/updates/classification/#important
null

6. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYJPx/tzjgjWX9erEAQhU1w//duH+XRDFd5UPYZH3ss74av1gBaKVsoHv
OFaJKj5hVJ3bmq4FHiNE6MEZt1NtTWE9v/NFaiS8GWzPy6ay5J4LHCNgAoJQ23IU
EUBqfee/p7zsV6RkAOBXe6Y8OTGOGdtDZwE5RcpqPlc4ZUEloWcZaaW2u+MLkPZj
Z7I/ubCqVtsiieKGD3CY3ODwWs5MvCO0F8CA2aqCmRFzy/rPau2ANvlLY1cUrWPc
Rc9b7/w6ubtzB/BEAWJX+TCHPRcUuGSK1eaYU8vb8KfELnQ2ADKotM61gU43x/wN
kxPcsjJEB34OZEMrdYFSQyCyQCLfMLl1zOWYZfXEosktZdPhaTXC2FhIsn69lUEK
kjqKxsFfbvtiP1ua/AFU41XPlu+mI6TPYqo0PbVcrHV5u1wVDIj3FsjGjw3hzBcf
HYO0DL3lj2VXx1jiFT70Q2pnLw/qtIGT7nf14mqWYLlTwXM1rsQHsfp5PbXOgN9z
APLp9GXLw92UFMyqqitFuHJI5OIjqtFVMFYoCEI3h0X/mxRFbQPNAWJ1F2jv0FBA
HlxKuPwuCkd2jLpUqu6avTjHegacQSS3jDfnbmpLCurptbNj7sYslsbjLfJyZUH6
1pMaj/XjZW5LhN2xOI0HR19gjyQVRqq1k7mJo2x9Y9yJ9zC6sA24wyLMxPSIB6fj
WRIWZmIwf4s=
=fcX6
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/rhsa-announce

RedHat: RHSA-2021-1515:01 Important: Openshift Logging Bug Fix Release

Openshift Logging Bug Fix Release (5.0.3) This release includes a security update

Summary

Openshift Logging Bug Fix Release (5.0.3)
Security Fix(es):
* jackson-databind: arbitrary code execution in slf4j-ext class (CVE-2018-14718)
* jackson-databind: arbitrary code execution in blaze-ds-opt and blaze-ds-core classes (CVE-2018-14719)
* jackson-databind: improper polymorphic deserialization in axis2-transport-jms class (CVE-2018-19360)
* jackson-databind: improper polymorphic deserialization in openjpa class (CVE-2018-19361)
* jackson-databind: improper polymorphic deserialization in jboss-common-core class (CVE-2018-19362)
* jackson-databind: default typing mishandling leading to remote code execution (CVE-2019-14379)
* jackson-databind: Serialization gadgets in com.pastdev.httpcomponents.configuration.JndiConfiguration (CVE-2020-24750)
* jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.PerUserPoolDataSource (CVE-2020-35490)
* jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.SharedPoolDataSource (CVE-2020-35491)
* jackson-databind: mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (CVE-2020-35728)
* jackson-databind: mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS (CVE-2020-36179)
* jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS (CVE-2020-36180)
* jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS (CVE-2020-36181)
* jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS (CVE-2020-36182)
* jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool (CVE-2020-36183)
* jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource (CVE-2020-36184)
* jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource (CVE-2020-36185)
* jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource (CVE-2020-36186)
* jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource (CVE-2020-36187)
* jackson-databind: mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource (CVE-2020-36188)
* jackson-databind: mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSourc e (CVE-2020-36189)
* jackson-databind: mishandles the interaction between serialization gadgets and typing, related to javax.swing (CVE-2021-20190)
* jackson-databind: exfiltration/XXE in some JDK classes (CVE-2018-14720)
* jackson-databind: server-side request forgery (SSRF) in axis2-jaxws class (CVE-2018-14721)
* golang: data race in certain net/http servers including ReverseProxy can lead to DoS (CVE-2020-15586)
* golang: ReadUvarint and ReadVarint can read an unlimited number of bytes from invalid inputs (CVE-2020-16845)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For OpenShift Container Platform 4.7 see the following documentation, whichwill be updated shortly for this release, for important instructions on howto upgrade your cluster and fully apply this errata update:https://docs.openshift.com/container-platform/4.7/release_notes/ocp-4-7-release-notes.htmlFor Red Hat OpenShift Logging 5.0, see the following instructions to applythis update:https://docs.openshift.com/container-platform/4.7/logging/cluster-logging-upgrading.html4. JIRA issues fixed (https://issues.jboss.org/):LOG-1224 - Release 5.0 - ClusterLogForwarder namespace-specific log forwarding does not work as expectedLOG-1232 - 5.0 - Bug 1859004 - Sometimes the eventrouter couldn't gather event logs.LOG-1234 - CVE-2020-15586 CVE-2020-16845 openshift-eventrouter: various flaws [openshift-4]LOG-1299 - Release 5.0 Forwarding logs to Kafka using Chained certificates fails with error "state=error: certificate verify failed (unable to get local issuer certificate)"

References

https://access.redhat.com/security/cve/CVE-2018-14718 https://access.redhat.com/security/cve/CVE-2018-14719 https://access.redhat.com/security/cve/CVE-2018-14720 https://access.redhat.com/security/cve/CVE-2018-14721 https://access.redhat.com/security/cve/CVE-2018-19360 https://access.redhat.com/security/cve/CVE-2018-19361 https://access.redhat.com/security/cve/CVE-2018-19362 https://access.redhat.com/security/cve/CVE-2019-14379 https://access.redhat.com/security/cve/CVE-2020-15586 https://access.redhat.com/security/cve/CVE-2020-16845 https://access.redhat.com/security/cve/CVE-2020-24750 https://access.redhat.com/security/cve/CVE-2020-35490 https://access.redhat.com/security/cve/CVE-2020-35491 https://access.redhat.com/security/cve/CVE-2020-35728 https://access.redhat.com/security/cve/CVE-2020-36179 https://access.redhat.com/security/cve/CVE-2020-36180 https://access.redhat.com/security/cve/CVE-2020-36181 https://access.redhat.com/security/cve/CVE-2020-36182 https://access.redhat.com/security/cve/CVE-2020-36183 https://access.redhat.com/security/cve/CVE-2020-36184 https://access.redhat.com/security/cve/CVE-2020-36185 https://access.redhat.com/security/cve/CVE-2020-36186 https://access.redhat.com/security/cve/CVE-2020-36187 https://access.redhat.com/security/cve/CVE-2020-36188 https://access.redhat.com/security/cve/CVE-2020-36189 https://access.redhat.com/security/cve/CVE-2021-2163 https://access.redhat.com/security/cve/CVE-2021-20190 https://access.redhat.com/security/updates/classification/#important null

Package List

Severity
Advisory ID: RHSA-2021:1515-01
Product: Red Hat OpenShift Enterprise
Advisory URL: https://access.redhat.com/errata/RHSA-2021:1515
Issued Date: : 2021-05-06
CVE Names: CVE-2018-14718 CVE-2018-14719 CVE-2018-14720 CVE-2018-14721 CVE-2018-19360 CVE-2018-19361 CVE-2018-19362 CVE-2019-14379 CVE-2020-15586 CVE-2020-16845 CVE-2020-24750 CVE-2020-35490 CVE-2020-35491 CVE-2020-35728 CVE-2020-36179 CVE-2020-36180 CVE-2020-36181 CVE-2020-36182 CVE-2020-36183 CVE-2020-36184 CVE-2020-36185 CVE-2020-36186 CVE-2020-36187 CVE-2020-36188 CVE-2020-36189 CVE-2021-2163 CVE-2021-20190

Topic

Openshift Logging Bug Fix Release (5.0.3)This release includes a security update.Red Hat Product Security has rated this update as having a security impactof Important. A Common Vulnerability Scoring System (CVSS) base score,which gives a detailed severity rating, is available for each vulnerabilityfrom the CVE link(s) in the References section.

Relevant Releases Architectures

Bugs Fixed

We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.