Issued:
2015-09-30
Updated:
2015-09-30

RHSA-2015:1844 - Security Advisory

Synopsis

Important: Red Hat OpenShift Enterprise 2.2.7 security, bug fix and enhancement update

Type/Severity

Security Advisory: Important

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

Red Hat OpenShift Enterprise release 2.2.7 is now available with
updates to packages that fix several bugs and introduce feature
enhancements.

Red Hat Product Security has rated this update as having Important
security impact. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available from the
CVE link in the references section.

Description

OpenShift Enterprise by Red Hat is the company's cloud computing
Platform-as-a-Service (PaaS) solution designed for on-premise or
private cloud deployments.

Space precludes documenting all of the bug fixes in this advisory.
See the OpenShift Enterprise Technical Notes, which will be updated
shortly for release 2.2.7, for details about these changes. The
following security issues are addressed in this release:

A flaw was found in the Jenkins API token-issuing service. The
service was not properly protected against anonymous users,
potentially allowing remote attackers to escalate privileges.
(CVE-2015-1814)

It was found that the combination filter Groovy script could allow
a remote attacker to potentially execute arbitrary code on a
Jenkins master. (CVE-2015-1806)

It was found that when building artifacts, the Jenkins server would
follow symbolic links, potentially resulting in disclosure of
information on the server. (CVE-2015-1807)

A denial of service flaw was found in the way Jenkins handled
certain update center data. An authenticated user could provide
specially crafted update center data to Jenkins, causing plug-in
and tool installation to not work properly. (CVE-2015-1808)

It was found that Jenkins' XPath handling allowed XML External
Entity (XXE) expansion. A remote attacker with read access could
use this flaw to read arbitrary XML files on the Jenkins server.
(CVE-2015-1809)

It was discovered that the internal Jenkins user database did not
restrict access to reserved names, allowing users to escalate
privileges. (CVE-2015-1810)

It was found that Jenkins' XML handling allowed XML External Entity
(XXE) expansion. A remote attacker with the ability to pass XML
data to Jenkins could use this flaw to read arbitrary XML files on
the Jenkins server. (CVE-2015-1811)

Two cross-site scripting (XSS) flaws were found in Jenkins. A
remote attacker could use these flaws to conduct XSS attacks
against users of an application using Jenkins. (CVE-2015-1812,
CVE-2015-1813)

https://access.redhat.com/documentation/en-US/OpenShift_Enterprise/2/html-single/Technical_Notes/index.html All OpenShift Enterprise 2 users are advised to upgrade to these
updated packages.

Solution

Before applying this update, make sure all previously released
errata relevant to your system have been applied.

See the OpenShift Enterprise 2.2 Release Notes, which will be
updated shortly for release 2.2.7, for important instructions on
how to fully apply this asynchronous errata update:

https://access.redhat.com/documentation/en-US/OpenShift_Enterprise/2/html-single/2.2_Release_Notes/index.html#chap-Asynchronous_Errata_Updates

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/articles/11258.

Affected Products

  • Red Hat OpenShift Enterprise Infrastructure 2.2 x86_64
  • Red Hat OpenShift Enterprise Application Node 2.2 x86_64
  • Red Hat OpenShift Enterprise Client Tools 2.2 x86_64
  • Red Hat OpenShift Enterprise JBoss EAP add-on 2.2 x86_64

Fixes

  • BZ - 1062253 - JBoss Cartridge needs to have dependency on both JDK 1.6 and JDK 1.7 packages.
  • BZ - 1128567 - Cron/Jenkins-client cartridge can't be shown on scalable app when using "rhc app show $app -g" command
  • BZ - 1130028 - 'rhc app-show --gears' lists jbossas and jbosseap cartridges four times for scalable apps
  • BZ - 1138522 - Values of MaxClients/ServerLimit in performance.conf is overidden by httpd_nolog.conf
  • BZ - 1152524 - [RFE] Dns timeout setting for oo-accept-broker
  • BZ - 1160699 - App didn't inherit HA when created from another HA app.
  • BZ - 1171815 - Cannot create Jenkins cartridge
  • BZ - 1191283 - Duplicate cartridges are seen when importing active cartridges
  • BZ - 1197123 - Error reported while adding storage to gear should be informative to the user
  • BZ - 1197576 - Upgrade Jenkins from jenkins-1.565.3-1 to jenkins-1.580.3-1
  • BZ - 1205615 - CVE-2015-1812 CVE-2015-1813 jenkins: Reflective XSS vulnerability (SECURITY-171, SECURITY-177)
  • BZ - 1205616 - CVE-2015-1814 jenkins: forced API token change (SECURITY-180)
  • BZ - 1205620 - CVE-2015-1806 jenkins: Combination filter Groovy script unsecured (SECURITY-125)
  • BZ - 1205622 - CVE-2015-1807 jenkins: directory traversal from artifacts via symlink (SECURITY-162)
  • BZ - 1205623 - CVE-2015-1808 jenkins: update center metadata retrieval DoS attack (SECURITY-163)
  • BZ - 1205625 - CVE-2015-1809 jenkins: external entity injection via XPath (SECURITY-165)
  • BZ - 1205627 - CVE-2015-1810 jenkins: HudsonPrivateSecurityRealm allows creation of reserved names (SECURITY-166)
  • BZ - 1205632 - CVE-2015-1811 jenkins: External entity processing in XML can reveal sensitive local files (SECURITY-167)
  • BZ - 1216206 - [RFE] --always-auth should be an allowed option for rhc setup
  • BZ - 1217572 - [RFE] routing daemon should have a sync option for F5
  • BZ - 1221931 - Move scale app to different profile district node should return 1
  • BZ - 1225943 - oo-init-quota function get_filesystem_type pulls in commented lines in fstab if same mount point
  • BZ - 1226061 - Lack of raising exception and error logging for the ssh and scp commands while copying keys and certs from broker to F5 LTM
  • BZ - 1227501 - routing-daemon not removing var/tmp/*.key and var/tmp/*.crt
  • BZ - 1228373 - Gears from a scaled application are not evenly distributed across nodes in the district or zone
  • BZ - 1229300 - oo-admin-move across node profiles should update quota limits appropriately
  • BZ - 1232827 - [RFE] Provide java 8 in OpenShift Enterprise
  • BZ - 1232921 - No error reported when app-create environment variables cannot be parsed
  • BZ - 1241750 - SLOW_HOST should be SLOW_HOSTS in openshift-origin-gear-placement.conf.pin-user-to-host-example
  • BZ - 1257757 - Scaled application takes 4+mins to unidle
  • BZ - 1264039 - logshifter does not parse config properly if there's no newline at the end
  • BZ - 1264210 - nodejs control script should wait for http to be available
  • BZ - 1264216 - "service openshift-gears start" should not be calling unidle

Red Hat OpenShift Enterprise Infrastructure 2.2

SRPM
openshift-origin-broker-1.16.2.10-1.el6op.src.rpm SHA-256: 83108b3c1ea108e76e53efc0cf8e28363cce9fab7c082983f14130b9a1e8514d
openshift-origin-broker-util-1.36.2.2-1.el6op.src.rpm SHA-256: 70639629feaaabcd30a4e36c72dd52a698fd3f5393ffbc211b648d54dafc66f2
openshift-origin-logshifter-1.10.1.2-1.el6op.src.rpm SHA-256: 6df8b8d83e3ae27296d68c2611cc1de8ca181f86de9375e9cde8015f66bfe3ab
rubygem-openshift-origin-console-1.35.2.1-1.el6op.src.rpm SHA-256: 0c36f1c322df359476b1a46237195573cf188850eefad8df189830df97e5316e
rubygem-openshift-origin-controller-1.37.3.1-1.el6op.src.rpm SHA-256: 8db49c2121fb0e33ba811a93f41688bd29be13d96b5338ca7237d35b21ac00f5
rubygem-openshift-origin-gear-placement-0.0.2.1-1.el6op.src.rpm SHA-256: c7dae258b3b696ec318cf8710f40278adbee46a79d50468ab897cd03f3a7cd59
rubygem-openshift-origin-msg-broker-mcollective-1.35.3.1-1.el6op.src.rpm SHA-256: 30e302c44de1e3035a45290c646e09fe6ec08d425179f2530eb6429e5ded5188
rubygem-openshift-origin-routing-daemon-0.25.1.2-1.el6op.src.rpm SHA-256: 72667fa1aede965108c0e2b7332ab140a86aff261d9f5a71ea68858adf0aff37
x86_64
openshift-origin-broker-1.16.2.10-1.el6op.noarch.rpm SHA-256: c9e6bb317185ea091f3859e3a9315a48f86503b1d1ba004c574dd9a073472438
openshift-origin-broker-util-1.36.2.2-1.el6op.noarch.rpm SHA-256: e67deeb7dadb997cf14dff009f59ce25bb2880861d1eb924ead3a7671ae9e8b7
openshift-origin-logshifter-1.10.1.2-1.el6op.x86_64.rpm SHA-256: 5d3395f8d3b00285f0c42bb9ab0b120652541c072ef0cb2a398c7da689e9442c
rubygem-openshift-origin-console-1.35.2.1-1.el6op.noarch.rpm SHA-256: d49fdb97543d076064e363770d12705dd509a063668d0a117a3b4169bfaf381a
rubygem-openshift-origin-controller-1.37.3.1-1.el6op.noarch.rpm SHA-256: 277a577a8e82f883c17e226e0cf773beebff3cd7c0da77076ddf6d7463958666
rubygem-openshift-origin-gear-placement-0.0.2.1-1.el6op.noarch.rpm SHA-256: db639089975f101dac578038ee6f4de8e0766be16fdd52c3b031d49a8b5de991
rubygem-openshift-origin-msg-broker-mcollective-1.35.3.1-1.el6op.noarch.rpm SHA-256: 0482e10cec1529ce823df8a7fb09c6a665bb0b7148246e787437e3898e8bd027
rubygem-openshift-origin-routing-daemon-0.25.1.2-1.el6op.noarch.rpm SHA-256: 5310b3d85e9a3d2b2f00525491eb05bc7f41c5645cf67ec2c86c36cfa88d6d81

Red Hat OpenShift Enterprise Application Node 2.2

SRPM
jenkins-1.609.1-1.el6op.src.rpm SHA-256: aa9a6af6e1307470c301c964025993d954428cb7dce3912104032cd5229bf52f
openshift-origin-cartridge-diy-1.26.1.1-1.el6op.src.rpm SHA-256: d905c9a83d5ab7b6aa76874cfef70e1b60e95a2a1753aa3c096f11a37171752f
openshift-origin-cartridge-haproxy-1.30.1.1-1.el6op.src.rpm SHA-256: ed7ed132a448f67e80370f47d512893d1d5e2318c42479fa666acdc08b75509e
openshift-origin-cartridge-jbossews-1.34.3.1-1.el6op.src.rpm SHA-256: 758b081a634ce86ca3fde5e826012a3de90060a43bd1a04c66993027e106535f
openshift-origin-cartridge-jenkins-1.28.2.1-1.el6op.src.rpm SHA-256: 045ca28bdd68d120ff8401f50fabc51c4c771f882268e7cd004aecfe05f3afa6
openshift-origin-cartridge-mock-1.22.1.1-1.el6op.src.rpm SHA-256: 0db299d8f4a0fac22c2cf8e89be180de52eae6490123c2027448ec00174392de
openshift-origin-cartridge-nodejs-1.33.1.1-1.el6op.src.rpm SHA-256: bc4b7d8391028e70163c00f15a21248800b2b417dd498aa7450c58c4a72d63f0
openshift-origin-cartridge-perl-1.30.1.1-1.el6op.src.rpm SHA-256: e33bf3d335e0d0d66df1c265f10052fa6f19bea294e39f6a18c3558ed4c3bfa1
openshift-origin-cartridge-php-1.34.1.1-1.el6op.src.rpm SHA-256: 6180e12d47bfa0b64519b12e86ad83038207ed0f3d4e6c9e9d3135b0e3261dae
openshift-origin-cartridge-python-1.33.3.1-1.el6op.src.rpm SHA-256: 31b1c76e280c395fc5abecbbee56032f8afdebcb6b8c3d920fa15d0f838bfed2
openshift-origin-cartridge-ruby-1.32.1.1-1.el6op.src.rpm SHA-256: 22e72fd7e7d674e054a7427db48f1ba31173c884dcbd93a13b3dfdffd4d875a8
openshift-origin-logshifter-1.10.1.2-1.el6op.src.rpm SHA-256: 6df8b8d83e3ae27296d68c2611cc1de8ca181f86de9375e9cde8015f66bfe3ab
openshift-origin-node-util-1.37.2.1-1.el6op.src.rpm SHA-256: a19275b166f9d34e332de4477705fbe681b2b3172520194e40bea44d1045c458
rubygem-openshift-origin-frontend-apache-vhost-0.12.4.2-1.el6op.src.rpm SHA-256: d6757b3fefad3730c5618efa13e3ff4b44ef6034d7b1eee49a8423dba1f0e894
rubygem-openshift-origin-node-1.37.1.1-1.el6op.src.rpm SHA-256: 74c6064b7c21dc22c96719b9c8aa805d04f719e2bf41c565407bd34f5da7d102
x86_64
jenkins-1.609.1-1.el6op.noarch.rpm SHA-256: aa63f9d5891454fbe6e2674e8bbf2990c985918be351f8c0e5e344d5222e8ab8
openshift-origin-cartridge-diy-1.26.1.1-1.el6op.noarch.rpm SHA-256: b8fb8f5e932381888077cc5d2169a660036f5ac337813f69f174d7735771bf80
openshift-origin-cartridge-haproxy-1.30.1.1-1.el6op.noarch.rpm SHA-256: 0930a05e94b87ca24081d57633c752b8b99304b668bc0db836a8ffd3ac1b66c3
openshift-origin-cartridge-jbossews-1.34.3.1-1.el6op.noarch.rpm SHA-256: 16ba6819be669f0269bab53932af8c81ad21e9b23d5b9547cefdd4d4f92c6b66
openshift-origin-cartridge-jenkins-1.28.2.1-1.el6op.noarch.rpm SHA-256: 83da394b4a06bd48bf4dc7f393285e94e6f7171b062396dce235004020e30565
openshift-origin-cartridge-mock-1.22.1.1-1.el6op.noarch.rpm SHA-256: 4b05df757e0811eb797b0fb62ad26d53dad8dcedf40ba6d70952f9c8e7b592f4
openshift-origin-cartridge-nodejs-1.33.1.1-1.el6op.noarch.rpm SHA-256: 0cc6d0904d9b8ef40c12067b7d3f9b0e9f994ee286dd0c0d17799843f807eb33
openshift-origin-cartridge-perl-1.30.1.1-1.el6op.noarch.rpm SHA-256: fb8496c97c1b330c081dd507d97e926501669d45f69e292468be309d2bdd3217
openshift-origin-cartridge-php-1.34.1.1-1.el6op.noarch.rpm SHA-256: cbb8f6c5dd9fb815753cc92e827e265d9863685b458532308ebd0ee9cda2f870
openshift-origin-cartridge-python-1.33.3.1-1.el6op.noarch.rpm SHA-256: dd29485bd995b4da2ce4eaa757ae09f7ed69a3c8a1c042fca21730f7b61dea67
openshift-origin-cartridge-ruby-1.32.1.1-1.el6op.noarch.rpm SHA-256: b306d09983a2c5c9d2b28424b2941d50ce9e8691a63876f69177a37269449eb4
openshift-origin-logshifter-1.10.1.2-1.el6op.x86_64.rpm SHA-256: 5d3395f8d3b00285f0c42bb9ab0b120652541c072ef0cb2a398c7da689e9442c
openshift-origin-node-util-1.37.2.1-1.el6op.noarch.rpm SHA-256: a5b3063f5c70bf3e6003d978abe71506a74089bb191a66b1c17590e7131d9b08
rubygem-openshift-origin-frontend-apache-vhost-0.12.4.2-1.el6op.noarch.rpm SHA-256: 87078053869828972310d2248e87e7a84c1f38c8008eeabc1e78bd04104efe5b
rubygem-openshift-origin-node-1.37.1.1-1.el6op.noarch.rpm SHA-256: cde568157ff14a5c7f50f5b2bf0d02577a75a882e7b83d7382284331d01f5b80

Red Hat OpenShift Enterprise Client Tools 2.2

SRPM
rhc-1.37.1.2-1.el6op.src.rpm SHA-256: c0d2a2010a6fa85a3377ddd2e5d04f749a5c15b6bdea9acd937e0af6817bd127
x86_64
rhc-1.37.1.2-1.el6op.noarch.rpm SHA-256: 11d08050020d6bff325a12628934d36cdb3202ca5178542fe537184d979c0ffd

Red Hat OpenShift Enterprise JBoss EAP add-on 2.2

SRPM
openshift-origin-cartridge-jbosseap-2.26.3.1-1.el6op.src.rpm SHA-256: 392cd44b9ba0180fd2e9456f5539b3efe43e4be3d2de5d81d90eb6a5eb9f5ca0
x86_64
openshift-origin-cartridge-jbosseap-2.26.3.1-1.el6op.noarch.rpm SHA-256: 395dbddf87ebd8e1378e01837f5652b3889286479d8684994d0567ae24663ac8

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.