Issued:
2016-03-22
Updated:
2016-03-22

RHSA-2016:0489 - Security Advisory

Synopsis

Important: Red Hat OpenShift Enterprise 2.2.9 security, bug fix, and enhancement update

Type/Severity

Security Advisory: Important

Topic

Red Hat OpenShift Enterprise release 2.2.9, which fixes several
security issues, several bugs, and introduces feature enhancements, is
now available.

Red Hat Product Security has rated this update as having Important
security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.

Description

OpenShift Enterprise by Red Hat is the company's cloud computing
Platform-as-a-Service (PaaS) solution designed for on-premise or
private cloud deployments.

The following security issue is addressed with this release:

It was found that ActiveMQ did not safely handle user supplied data
when deserializing objects. A remote attacker could use this flaw to
execute arbitrary code with the permissions of the ActiveMQ
application. (CVE-2015-5254)

An update for Jenkins Continuous Integration Server that addresses a
large number of security issues including XSS, CSRF, information
disclosure and code execution have been addressed as well.
(CVE-2015-5317, CVE-2015-5318, CVE-2015-5319, CVE-2015-5320,
CVE-2015-5321, CVE-2015-5322, CVE-2015-5323, CVE-2015-5324,
CVE-2015-5325, CVE-2015-5326, CVE-2015-7537, CVE-2015-7538,
CVE-2015-7539, CVE-2015-8103)

Space precludes documenting all of the bug fixes in this advisory. See
the OpenShift Enterprise Technical Notes, which will be updated
shortly for release 2.2.9, for details about these changes:

https://access.redhat.com/documentation/en-US/OpenShift_Enterprise/2/html-single/Technical_Notes/index.html

All OpenShift Enterprise 2 users are advised to upgrade to these
updated packages.

Solution

Before applying this update, make sure all previously released
errata relevant to your system have been applied.

See the OpenShift Enterprise 2.2 Release Notes, which will be
updated shortly for release 2.2.9, for important instructions on how
to fully apply this asynchronous errata update:

https://access.redhat.com/documentation/en-US/OpenShift_Enterprise/2/html-single/2.2_Release_Notes/index.html#chap-Asynchronous_Errata_Updates

This update is available via the Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at:
https://access.redhat.com/articles/11258

Affected Products

  • Red Hat OpenShift Enterprise Application Node 2.2 x86_64

Fixes

  • BZ - 1111456 - jenkin app will be created as default small gear size when user create app with --enable-jenkins and non-default gear-size
  • BZ - 1140816 - oo-admin-ctl-district missing documentation for listing districts
  • BZ - 1160934 - "oo-admin-ctl-gears stopgear" failed to stop idled gear
  • BZ - 1168480 - Should prompt correct information when execute oo-admin-ctl-user --addgearsize $invalid value
  • BZ - 1169690 - Webconsole should show warning info when add cartridge as quota used up to QUOTA_WARNING_PERCENT
  • BZ - 1265423 - .gitconfig is not configurable for application create
  • BZ - 1265811 - oo-accept-node reports a quota failures when a loop device is used.
  • BZ - 1279584 - Users have nil value for resulting in failed oo-admin-repair
  • BZ - 1282359 - CVE-2015-5317 jenkins: Project name disclosure via fingerprints (SECURITY-153)
  • BZ - 1282361 - CVE-2015-5318 jenkins: Public value used for CSRF protection salt (SECURITY-169)
  • BZ - 1282362 - CVE-2015-5319 jenkins: XXE injection into job configurations via CLI (SECURITY-173)
  • BZ - 1282363 - CVE-2015-5320 jenkins: Secret key not verified when connecting a slave (SECURITY-184)
  • BZ - 1282364 - CVE-2015-5321 jenkins: Information disclosure via sidepanel (SECURITY-192)
  • BZ - 1282365 - CVE-2015-5322 jenkins: Local file inclusion vulnerability (SECURITY-195)
  • BZ - 1282366 - CVE-2015-5323 jenkins: API tokens of other users available to admins (SECURITY-200)
  • BZ - 1282367 - CVE-2015-5324 jenkins: Queue API did show items not visible to the current user (SECURITY-186)
  • BZ - 1282368 - CVE-2015-5325 jenkins: JNLP slaves not subject to slave-to-master access control (SECURITY-206)
  • BZ - 1282369 - CVE-2015-5326 jenkins: Stored XSS vulnerability in slave offline status message (SECURITY-214)
  • BZ - 1282371 - CVE-2015-8103 jenkins: Remote code execution vulnerability due to unsafe deserialization in Jenkins remoting (SECURITY-218)
  • BZ - 1283372 - oo-admin-gear man page displays wrong option
  • BZ - 1291292 - CVE-2015-5254 activemq: unsafe deserialization
  • BZ - 1291795 - CVE-2015-7537 jenkins: CSRF vulnerability in some administrative actions (SECURITY-225)
  • BZ - 1291797 - CVE-2015-7538 jenkins: CSRF protection ineffective (SECURITY-233)
  • BZ - 1291798 - CVE-2015-7539 jenkins: Jenkins plugin manager vulnerable to MITM attacks (SECURITY-234)
  • BZ - 1294513 - oo-diagnostics test_enterprise_rpms fails for nodejs010-nodejs-debug
  • BZ - 1299014 - [RFE] Configuration setting to set cipher on Openshift node web proxy
  • BZ - 1299095 - oo-diagnostic error on broker No such file or directory - /etc/openshift/env/OPENSHIFT_BROKER_HOST
  • BZ - 1302787 - Node web proxy configuration file is overwritten upon update
  • BZ - 1305688 - oo-accept-broker incorrectly parses MONGO_HOST_PORT individual host and ports
  • BZ - 1307174 - rhc ssh <appname> does not respect PATH env variable, nor the --ssh PATH option
  • BZ - 1307175 - oo-accept-node does not validate whether threads are in cgroups
  • BZ - 1308716 - rhc snapshot save different app with the same name in the same dir didn't prompt conflict information
  • BZ - 1308718 - It is better to return meaningful error message when do ssh in head gear of scalable app with incorrect user id or ssh url
  • BZ - 1308720 - Unable to deploy Drupal
  • BZ - 1308722 - Django quickstart can't bind address
  • BZ - 1308739 - It will not validate the deployment type when do app deploy via REST API
  • BZ - 1310247 - New configuration item, TRAFFIC_CONTROL_DEVS
  • BZ - 1310266 - https using letsencrypt has B rating - chain incomplete
  • BZ - 1310841 - Fix zsh autocompletion for rhc
  • BZ - 1314535 - oo-admin-repair-node,oo-admin-ctl-iptables-port-proxy and oo-admin-ctl-tc has no man page
  • BZ - 1314546 - Python cartridge doesn't stop deploy process when it failed to install packages (It is different from behavior of other cartridges)

CVEs

References

Red Hat OpenShift Enterprise Application Node 2.2

SRPM
activemq-5.9.0-6.redhat.611454.el6op.src.rpm SHA-256: dc9c2da0163073d72e87a6ca68094d4f7a8b0ae48296ac70fc1e0585ccc49031
jenkins-1.625.3-1.el6op.src.rpm SHA-256: 8dbc6503904bd238fa22c2a2baa383fefd75572a207fefae1cd07fbe342069a5
openshift-enterprise-upgrade-2.2.9-1.el6op.src.rpm SHA-256: a983269c160048026ffc94eba00b0566a6f8b218b7525db5166ef004a8104651
openshift-origin-cartridge-cron-1.25.2.1-1.el6op.src.rpm SHA-256: 4f8bb9529f0ac4d543a3a9d52284051f9b9f7db092604358f722ca825c1f4547
openshift-origin-cartridge-haproxy-1.31.5.1-1.el6op.src.rpm SHA-256: ed378d2892379172b7c7b28f699fcfa472c95240983f5121351b5b3175ac7f1f
openshift-origin-cartridge-mysql-1.31.2.1-1.el6op.src.rpm SHA-256: 0619d6b34b9d31da70981e6fbde88cabbbf6e132476c6502f539252e98cf98d9
openshift-origin-cartridge-php-1.35.3.1-1.el6op.src.rpm SHA-256: 97c06d654a97ccf12a07a406ee16e62813da1580c0e3a3dcebc824354333b146
openshift-origin-cartridge-python-1.34.2.1-1.el6op.src.rpm SHA-256: d241cf3bfc22cf3e1cdd33d8b895845fad92287528bf23d10f8f76aada98cd35
openshift-origin-msg-node-mcollective-1.30.2.1-1.el6op.src.rpm SHA-256: d50c781f3a2172d05a39e266e673c5ebae590ea08ba444c23ef911df80ac56b7
openshift-origin-node-proxy-1.26.2.1-1.el6op.src.rpm SHA-256: 5ab462c5dae135311aed99881f7842b02db6474e72413a4abba9eabcfb912323
openshift-origin-node-util-1.38.6.2-1.el6op.src.rpm SHA-256: dfcddf9f5571c07c32bfd1bd9a5823a352c2a1e3869d738f25f6733a1f9fc034
php-5.3.3-46.el6_7.1.src.rpm SHA-256: d3d8dbeff27cb144aa852c543a1bb3134170bd7ec7d216831cb86397b5e9daa9
rubygem-openshift-origin-common-1.29.5.2-1.el6op.src.rpm SHA-256: 1f9a40b519820de75d82f087fbd2d86a0daf3b698f2c82b4ed1832a10bf745d8
rubygem-openshift-origin-frontend-apache-vhost-0.13.2.1-1.el6op.src.rpm SHA-256: 4b7d531d0c30a1aaddd8950de978cdfc698a876f9e472adc334ffcc3100ed9b0
rubygem-openshift-origin-node-1.38.5.3-1.el6op.src.rpm SHA-256: 2922f8cabf6d09998260ce1b4f911c4cef9da70cb4816f1f689409432dc39522
x86_64
activemq-client-5.9.0-6.redhat.611454.el6op.x86_64.rpm SHA-256: 7694e9c101c1f970339d06306e40b78189cf2421c5c46fbc75617709949866eb
jenkins-1.625.3-1.el6op.noarch.rpm SHA-256: ac825fa1b894f301456c98df1023902feea67da3401edca60ddd90f604d751f8
openshift-enterprise-release-2.2.9-1.el6op.noarch.rpm SHA-256: 3ee5f802a90715ae9c66c85dac1067c0fc16a92b6095e9e94be1f28d406271c5
openshift-enterprise-upgrade-node-2.2.9-1.el6op.noarch.rpm SHA-256: e71043c92c68ee0925c7554a5e593d5274710961af3d6425fcd3e6fbb862a131
openshift-enterprise-yum-validator-2.2.9-1.el6op.noarch.rpm SHA-256: 1a2066e4690af15ebd4deb6f353bd8bf46232a53f4d309af2129dcdf767cda45
openshift-origin-cartridge-cron-1.25.2.1-1.el6op.noarch.rpm SHA-256: 8d3c6105ab13966d428848ab9f95ff2f7819fc299072fbddaddf445726d18ad0
openshift-origin-cartridge-haproxy-1.31.5.1-1.el6op.noarch.rpm SHA-256: c68663dbbc7bf6ea7e90dd254af35881813138bf04244f03ab76e04e7e5e2932
openshift-origin-cartridge-mysql-1.31.2.1-1.el6op.noarch.rpm SHA-256: 70aa5bdeb9b205a53367bbc3b1bae56d68bb0598b255c994621dc78eedd10ffc
openshift-origin-cartridge-php-1.35.3.1-1.el6op.noarch.rpm SHA-256: be21ced5ec69aacb015843b3af732781acade1f3ae337825ef7cec6a94dbee19
openshift-origin-cartridge-python-1.34.2.1-1.el6op.noarch.rpm SHA-256: 3cd3ca506a9d9b4d01d8d357bc694b8bcfda0d06778436e289793a5303902958
openshift-origin-msg-node-mcollective-1.30.2.1-1.el6op.noarch.rpm SHA-256: fb9b696a2a615a04d9f80e579bd2ca34182478857f7d1a60f56b6de9ead75d66
openshift-origin-node-proxy-1.26.2.1-1.el6op.noarch.rpm SHA-256: b597148a04f5358f6534c39811bcff40636d94fd40ebd8c0254e967660db89c1
openshift-origin-node-util-1.38.6.2-1.el6op.noarch.rpm SHA-256: 798843f8104908d82957c1eefa0a1f36c563ddf2ef8b78276a114f3aa117a3f0
php-bcmath-5.3.3-46.el6_7.1.x86_64.rpm SHA-256: 9003f3dd31ae6da68b252eba237af5bff3c972cc22e1273abfc8cff1947b9f23
php-debuginfo-5.3.3-46.el6_7.1.x86_64.rpm SHA-256: fcdadd597690ca04aebc003dcf06cd3954e639eb357e2d8d72803c57c49b371d
php-devel-5.3.3-46.el6_7.1.x86_64.rpm SHA-256: b8f6db4ce22a46e62975d4890645f8ee1ff2b93eb1a95b2d24b94a0533ccb354
php-fpm-5.3.3-46.el6_7.1.x86_64.rpm SHA-256: e26940c8acc51f7f87470fa64319c0f53fd1f6b36d3d77f334414fd27207a385
php-imap-5.3.3-46.el6_7.1.x86_64.rpm SHA-256: cdac3c3ac72a486098de71a4a905318a380f7f4d0b01030fe7a4f7b0d3e4f8d4
php-intl-5.3.3-46.el6_7.1.x86_64.rpm SHA-256: 3851084b3726a811e622355ee7bb9cafeca1c39af9364a735efa91c44872852d
php-mbstring-5.3.3-46.el6_7.1.x86_64.rpm SHA-256: 289233dab4d5694b8fceab04955085f17a47d45efa7533c9320e6e62a847fcbe
php-process-5.3.3-46.el6_7.1.x86_64.rpm SHA-256: 03602b07ffbf033a3ce0d72918e4957e7785c2b893277138d9fb6d537b5273cc
rubygem-openshift-origin-common-1.29.5.2-1.el6op.noarch.rpm SHA-256: 55dd22e8098a3675e2157a9ed8a3fb97e8aadc43f8c18bca2009ecee4632dfce
rubygem-openshift-origin-frontend-apache-vhost-0.13.2.1-1.el6op.noarch.rpm SHA-256: 45a300497fdc94a9b5edfe0e29b8eb2e366cba23174d6803ffca403d51c01bd0
rubygem-openshift-origin-node-1.38.5.3-1.el6op.noarch.rpm SHA-256: dc8cf345296b7455bbc532d53ebab698a5f90addf4cf8b9e73506f6d0eb8a7ac

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.