- Issued:
- 2016-03-03
- Updated:
- 2016-03-03
RHSA-2016:0351 - Security Advisory
Synopsis
Moderate: kubernetes security update
Type/Severity
Security Advisory: Moderate
Topic
Updated kubernetes packages that fix two security issues are now
available for Red Hat OpenShift Enterprise 3.0.2.
Red Hat Product Security has rated this update as having Moderate
security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.
Description
OpenShift Enterprise by Red Hat is the company's cloud computing
Platform-as-a-Service (PaaS) solution designed for on-premise or
private cloud deployments.
An authorization flaw was discovered in Kubernetes; the API server did
not properly check user permissions when handling certain requests. An
authenticated remote attacker could use this flaw to gain additional
access to resources such as RAM and disk space. (CVE-2016-1905)
An authorization flaw was discovered in Kubernetes; the API server did
not properly check user permissions when handling certain build
configuration strategies. A remote attacker could create build
configurations with strategies that violate policy. Although the attacker could not launch the build themselves (launch fails when the
policy is violated), if the build configuration files were later
launched by other privileged services (such as automated triggers),
user privileges could be bypassed allowing attacker escalation.
(CVE-2016-1906)
All OpenShift Enterprise 3.0 users are advised to upgrade to these
updated packages.
Solution
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
Affected Products
- Red Hat OpenShift Container Platform 3.0.0.0 x86_64
Fixes
- BZ - 1297910 - CVE-2016-1905 Kubernetes api server: patch operation should use patched object to check admission control
- BZ - 1297916 - CVE-2016-1906 Kubernetes api server: build config to a strategy that isn't allowed by policy
CVEs
References
Red Hat OpenShift Container Platform 3.0.0.0
| SRPM | |
|---|---|
| openshift-3.0.2.0-0.git.45.423f434.el7ose.src.rpm | SHA-256: ac7f66d1c0eaf2d42dd7d02b3805b35d899d3f57fb5016cc4da62f416e9a886b |
| x86_64 | |
| openshift-3.0.2.0-0.git.45.423f434.el7ose.x86_64.rpm | SHA-256: b0c10389c2532d822f89f54078e0f7b87279405dbad4659b67ec514955d7aaac |
| openshift-clients-3.0.2.0-0.git.45.423f434.el7ose.x86_64.rpm | SHA-256: 07ded855d0e8c12aedf2a3a8aca937f62d13529e489da0465d75027c57a2a490 |
| openshift-master-3.0.2.0-0.git.45.423f434.el7ose.x86_64.rpm | SHA-256: 900455cec949309f84572652801f06b2e31f17c0fc134332320094d0d0de907b |
| openshift-node-3.0.2.0-0.git.45.423f434.el7ose.x86_64.rpm | SHA-256: b4710ca48926c5566ed583a725eca9a5d682b483216d3c4c263f306334edff5d |
| openshift-sdn-ovs-3.0.2.0-0.git.45.423f434.el7ose.x86_64.rpm | SHA-256: 28b2fb63322e02c31f4c7e62d0a1d35d29ab559a5e3fd96ef7ee473ec28c1dd7 |
| tuned-profiles-openshift-node-3.0.2.0-0.git.45.423f434.el7ose.x86_64.rpm | SHA-256: 0e784bba2c2a39bbaa4b9c5024b7bbc628e4fcebb24e11be5f87b3340eee5adb |
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.