RHBA-2019:1141 - Bug Fix Advisory

Topic

This is an updated release of the AMQ Broker container image based on the standalone 7.3.0 release, for deployment on OpenShift Container Platform.

Description

Red Hat Middleware for OpenShift provides images for many of the Red Hat Middleware products for use within the OpenShift Container Platform cloud computing Platform-as-a-Service (PaaS) for on-premise or private cloud deployments.

This image can be used with OpenShift Container Platform 3.9, 3.10, or 3.11.

This image also addresses the following CVEs, which are rated Important:
CVE-2019-9636
CVE-2019-3855
CVE-2019-3856
CVE-2019-3857
CVE-2019-3863

Solution

To update to the latest image, perform the following steps:

1. On your master host(s), ensure you are logged into the CLI as a cluster
administrator or user that has project administrator access to the global
"openshift" project. For example:

$ oc login -u system:admin

2. Run the following commands to update the core set of OpenShift image streams in the "openshift" project:

$ oc create -n openshift -f \
https://raw.githubusercontent.com/jboss-container-images/jboss-amq-7-broker-openshift-image/73-7.3.0.GA/amq-broker-7-image-streams.yaml $ oc replace -n openshift -f \
https://raw.githubusercontent.com/jboss-container-images/jboss-amq-7-broker-openshift-image/73-7.3.0.GA/amq-broker-7-image-streams.yaml

Note that you will receive warnings about items that already exist when issuing the first command; this is expected.

3. Run the following commands to update / import the AMQ Broker templates, for OpenShift in the "openshift" project:

for resource in amq-broker-73-basic.yaml \
amq-broker-73-ssl.yaml \
amq-broker-73-custom.yaml \
amq-broker-73-persistence.yaml \
amq-broker-73-persistence-ssl.yaml \
amq-broker-73-persistence-clustered.yaml \
amq-broker-73-persistence-clustered-ssl.yaml;
do
oc replace -n openshift --force -f https://raw.githubusercontent.com/jboss-container-images/jboss-amq-7-broker-openshift-image/73-7.3.0.GA/templates/${resource}
done

4. Run the following command to install the AMQ Broker 7.3 OpenShift image streams in the "openshift" project:

$ oc -n openshift import-image amq-broker-73-openshift:7.3

Affected Products

• Red Hat OpenShift Container Platform 3.11 x86_64

Fixes

• BZ - 1687303 - CVE-2019-3855 libssh2: Integer overflow in transport read resulting in out of bounds write
• BZ - 1687304 - CVE-2019-3856 libssh2: Integer overflow in keyboard interactive handling resulting in out of bounds write
• BZ - 1687305 - CVE-2019-3857 libssh2: Integer overflow in SSH packet processing channel resulting in out of bounds write
• BZ - 1687313 - CVE-2019-3863 libssh2: Integer overflow in user authenticate keyboard interactive allows out-of-bounds writes
• BZ - 1688543 - CVE-2019-9636 python: Information Disclosure due to urlsplit improper NFKC normalization

CVEs

(none)

References

• https://access.redhat.com/documentation/en-us/red_hat_amq/