- Issued:
- 2016-08-24
- Updated:
- 2016-08-24
RHSA-2016:1773 - Security Advisory
Synopsis
Important: Red Hat OpenShift Enterprise 2.2.10 security, bug fix, and enhancement update
Type/Severity
Security Advisory: Important
Red Hat Insights patch analysis
Identify and remediate systems affected by this advisory.
Topic
An update is now available for Red Hat OpenShift Enterprise 2.2.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
Description
OpenShift Enterprise by Red Hat is the company's cloud computing
Platform-as-a-Service (PaaS) solution designed for on-premise or
private cloud deployments.
- The Jenkins continuous integration server has been updated to upstream
version 1.651.2 LTS that addresses a large number of security issues,
including open redirects, a potential denial of service, unsafe handling of
user provided environment variables and several instances of sensitive
information disclosure. (CVE-2014-3577, CVE-2016-0788, CVE-2016-0789,
CVE-2016-0790, CVE-2016-0791, CVE-2016-0792, CVE-2016-3721, CVE-2016-3722,
CVE-2016-3723, CVE-2016-3724, CVE-2016-3725, CVE-2016-3726, CVE-2016-3727,
CVE-2015-7501)
Space precludes documenting all of the bug fixes and enhancements in this
advisory. See the OpenShift Enterprise Technical Notes, which will be
updated shortly for release 2.2.10, for details about these changes:
All OpenShift Enterprise 2 users are advised to upgrade to these updated
packages.
Solution
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
See the OpenShift Enterprise 2.2 Release Notes, which will be updated
shortly for release 2.2.10, for important instructions on how to fully
apply this asynchronous errata update:
This update is available via the Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
https://access.redhat.com/articles/11258.
Affected Products
- Red Hat OpenShift Enterprise Infrastructure 2.2 x86_64
- Red Hat OpenShift Enterprise Application Node 2.2 x86_64
- Red Hat OpenShift Enterprise Client Tools 2.2 x86_64
- Red Hat OpenShift Enterprise JBoss EAP add-on 2.2 x86_64
Fixes
- BZ - 1129074 - CVE-2014-3577 Apache HttpComponents client / Apache CXF: SSL hostname verification bypass, incomplete CVE-2012-6153 fix
- BZ - 1196783 - OPENSHIFT_GEAR_MEMORY_MB is not updated when resource limits change
- BZ - 1217403 - [RFE] separate system-level logs of cron cartridge from gear-level logs
- BZ - 1266239 - [RFE] Make user variables maximum value configurable.
- BZ - 1274852 - Routing Daemon does not update LB when head gear is moved.
- BZ - 1279330 - CVE-2015-7501 apache-commons-collections: InvokerTransformer code execution during deserialisation
- BZ - 1282852 - Tomcat Does not properly parse spaces in JVM parameters/setttings
- BZ - 1311722 - Deleting a multi-version cartridge on the node fails silently
- BZ - 1311946 - CVE-2016-0788 jenkins: Remote code execution vulnerability in remoting module (SECURITY-232)
- BZ - 1311947 - CVE-2016-0789 jenkins: HTTP response splitting vulnerability (SECURITY-238)
- BZ - 1311948 - CVE-2016-0790 jenkins: Non-constant time comparison of API token (SECURITY-241)
- BZ - 1311949 - CVE-2016-0791 jenkins: Non-constant time comparison of CSRF crumbs (SECURITY-245)
- BZ - 1311950 - CVE-2016-0792 jenkins: Remote code execution through remote API (SECURITY-247)
- BZ - 1335415 - CVE-2016-3721 jenkins: Arbitrary build parameters are passed to build scripts as environment variables (SECURITY-170)
- BZ - 1335416 - CVE-2016-3722 jenkins: Malicious users with multiple user accounts can prevent other users from logging in (SECURITY-243)
- BZ - 1335417 - CVE-2016-3723 jenkins: Information on installed plugins exposed via API (SECURITY-250)
- BZ - 1335418 - CVE-2016-3724 jenkins: Encrypted secrets (e.g. passwords) were leaked to users with permission to read configuration (SECURITY-266)
- BZ - 1335420 - CVE-2016-3725 jenkins: Regular users can trigger download of update site metadata (SECURITY-273)
- BZ - 1335421 - CVE-2016-3726 jenkins: Open redirect to scheme-relative URLs (SECURITY-276)
- BZ - 1335422 - CVE-2016-3727 jenkins: Granting the permission to read node configurations allows access to overall system configuration (SECURITY-281)
- BZ - 1358938 - libcgroup dependency error when installing node in ose-2.2
- BZ - 1361305 - gears exceeding quota cannot be stopped or idled
- BZ - 1361306 - Unable to obtain user-agent or client IP in websocket handshake on OpenShift hosted WildFly
- BZ - 1361307 - mysql cartridge removes logs on start
- BZ - 1362666 - oo-admin-move should move gears to nodes with enough free space + buffer space
CVEs
Red Hat OpenShift Enterprise Infrastructure 2.2
SRPM | |
---|---|
activemq-5.9.0-6.redhat.611463.el6op.src.rpm | SHA-256: 60c9763402f12f103a2191ac5b72d1c3953438a2060c6e3a2c552f7acb64be05 |
openshift-origin-broker-1.16.3.2-1.el6op.src.rpm | SHA-256: 6b4a43e4b060dba8238a3880dc3441faed6b7d5740f59eb1dc5ab7c65b67cd3f |
openshift-origin-broker-util-1.37.6.2-1.el6op.src.rpm | SHA-256: 9720a1ce31bb9369d1faf2df2b3ca38e26c02943f6bbe58811b3740936aebedc |
rubygem-openshift-origin-admin-console-1.28.2.1-1.el6op.src.rpm | SHA-256: 2447a60f7f9d5967a917a7b9deae9bdd22cb1e54ce62c7ea263917644a8a8e27 |
rubygem-openshift-origin-controller-1.38.6.4-1.el6op.src.rpm | SHA-256: 3755c6c7e077163aa3851868253a880d9adeabc06d035c72800871480fe2743c |
rubygem-openshift-origin-msg-broker-mcollective-1.36.2.4-1.el6op.src.rpm | SHA-256: 952bc3e824f79bbab7b5390d4f86bdbf89d86aa506b5bc44a6c2a49d4c3917ec |
rubygem-openshift-origin-routing-daemon-0.26.6.1-1.el6op.src.rpm | SHA-256: f826ef7a32da7b2d106830a6de1c551ebbf31da7102b45f35b08637798b55595 |
x86_64 | |
activemq-5.9.0-6.redhat.611463.el6op.x86_64.rpm | SHA-256: f1ac9abfc729cc1171cfa4022f7250a8fce435d4a36b4ad030c96791dad97c61 |
activemq-client-5.9.0-6.redhat.611463.el6op.x86_64.rpm | SHA-256: 29a4456749dbcd32224b08ea28936c0259310d5a821dc5bfbaaf1cb66d08dff8 |
openshift-origin-broker-1.16.3.2-1.el6op.noarch.rpm | SHA-256: 0c54aaddc247efa5a4fb6dc2c35d4618d2c28fe43f1af8e3440d196142b82149 |
openshift-origin-broker-util-1.37.6.2-1.el6op.noarch.rpm | SHA-256: 1b508786abc2a769a2f67481245188955220ec6e8fa4582fcfc0c4f15693f3cd |
rubygem-openshift-origin-admin-console-1.28.2.1-1.el6op.noarch.rpm | SHA-256: e3f25c12624b44f21300d05088f7e1efe190ad6c109f2c3c9166b802352d8991 |
rubygem-openshift-origin-controller-1.38.6.4-1.el6op.noarch.rpm | SHA-256: 31dc34f788d32dc9acc768693f9a960b1ca823e471efdb16546287f9c13b2e22 |
rubygem-openshift-origin-msg-broker-mcollective-1.36.2.4-1.el6op.noarch.rpm | SHA-256: a7805ad8a0861f45b71dc307fed9675566d2e15951a930dbfd09d31d167b8aca |
rubygem-openshift-origin-routing-daemon-0.26.6.1-1.el6op.noarch.rpm | SHA-256: 9e31058106907a8f0c3b531dbabaa2d1609e739fb476ae622a573343e3a91492 |
Red Hat OpenShift Enterprise Application Node 2.2
SRPM | |
---|---|
ImageMagick-6.7.2.7-5.el6_8.src.rpm | SHA-256: f3e3fb9f7f8ff0e6853c012a41a3b05c9a1010048dc727c723e6f754f1d14aa0 |
activemq-5.9.0-6.redhat.611463.el6op.src.rpm | SHA-256: 60c9763402f12f103a2191ac5b72d1c3953438a2060c6e3a2c552f7acb64be05 |
jenkins-1.651.2-1.el6op.src.rpm | SHA-256: 46d3a8fc2e363326868968b21030323da18996e6c478078329199df159766730 |
libcgroup-0.40.rc1-18.el6_8.src.rpm | SHA-256: a456fdc767afc6e1ce8c2d0b3b0ab2497a489363e1c028924611b9a3547b0080 |
openshift-origin-cartridge-cron-1.25.4.2-1.el6op.src.rpm | SHA-256: 6f1f151b71dd38105e69801f261ad5c6d412dbd088297cfcb30efe438ef2811a |
openshift-origin-cartridge-diy-1.26.2.2-1.el6op.src.rpm | SHA-256: 41fff61012535bfb26de96bdf055d84a22a8f10011f6e58649b5e22f0fec6561 |
openshift-origin-cartridge-haproxy-1.31.6.2-1.el6op.src.rpm | SHA-256: 397854ccee6a8c89a65de52b9409bd70c6e17cc984e8b849cd39fb0f64c9d18b |
openshift-origin-cartridge-jbossews-1.35.5.2-1.el6op.src.rpm | SHA-256: 34ad77c6784e38102630d3da3fbdf449f8971316a79af7017ee545ba70ac98d1 |
openshift-origin-cartridge-jenkins-1.29.2.2-1.el6op.src.rpm | SHA-256: 22c03747858016584ab1e0b269f000515a3fe4fad4513baec2fb1aba73b92427 |
openshift-origin-cartridge-jenkins-client-1.26.1.1-1.el6op.src.rpm | SHA-256: c2aebe8de623707ce0a1f70b0647cd64bf48dd14b40a17f8f2a9674be1774004 |
openshift-origin-cartridge-mongodb-1.26.2.2-1.el6op.src.rpm | SHA-256: 9bf2f7c543c13c18cfd212f20b8e54437f5a8f889686b223bfe4362dac23d977 |
openshift-origin-cartridge-mysql-1.31.3.3-1.el6op.src.rpm | SHA-256: 79da37f5b3ac28db4a7176275d94bac098dacedb01823dbc21f70ff4958505b9 |
openshift-origin-cartridge-nodejs-1.33.1.2-1.el6op.src.rpm | SHA-256: 3dac74b1dee744e9f920085793d2eb91563164f15ed8056837a4dd3a12e79fe9 |
openshift-origin-cartridge-perl-1.30.2.2-1.el6op.src.rpm | SHA-256: 8bbfc6e23d79a747440bc182b8272b3d9da55fc3f5a82d2c8f1b61efe3767634 |
openshift-origin-cartridge-php-1.35.4.2-1.el6op.src.rpm | SHA-256: 2e7282ba5c2c3d99ad7ecc68c018eac7f17ddd4ed044b840f8b32c384b85bc8a |
openshift-origin-cartridge-python-1.34.3.2-1.el6op.src.rpm | SHA-256: 4748a0f35160b135a5b40d83c64f9ebfa345649ae088bc8554b1335f91a1c28a |
openshift-origin-cartridge-ruby-1.32.2.2-1.el6op.src.rpm | SHA-256: 68780d8d1db6acff4a0dece9746b7b3b95c7b2b54c77d2b541cf44e66fa19a46 |
openshift-origin-msg-node-mcollective-1.30.2.2-1.el6op.src.rpm | SHA-256: b8f1d2f373d8163feacc00097e6615feb80b7bc025027fecfdba482a1fe4a36c |
openshift-origin-node-proxy-1.26.3.1-1.el6op.src.rpm | SHA-256: 406d4fc84b76e3ecb8806b18ed7de54fcb7b5ff13e4aca5b08528778fab83820 |
openshift-origin-node-util-1.38.7.1-1.el6op.src.rpm | SHA-256: 614c79c38a03517b52740f9be0c943b645891ced897dea74632bbe348043764c |
rubygem-openshift-origin-frontend-haproxy-sni-proxy-0.5.2.1-1.el6op.src.rpm | SHA-256: b32b1fe80b6ddffd06a3789328be0f611c2a3c5897e271d17de535fb2ada0fbb |
rubygem-openshift-origin-node-1.38.6.4-1.el6op.src.rpm | SHA-256: 213d9259ac0c79d3d34d48a04e72ce77a94613792f22586c43f5e9dc6c0aef92 |
x86_64 | |
ImageMagick-debuginfo-6.7.2.7-5.el6_8.x86_64.rpm | SHA-256: 93c860976df5876e22baa47483e4c8813b408d275e733ce6c343c39690f2062a |
ImageMagick-devel-6.7.2.7-5.el6_8.x86_64.rpm | SHA-256: 2c12c94e3491bfad4dc9e55a095d520f890b84f22748f2855ac7750cda975d6e |
ImageMagick-doc-6.7.2.7-5.el6_8.x86_64.rpm | SHA-256: 366710de3d2ad751a5c0094b2dfde761caa2e0a8e733cbe64f7503d3093fab31 |
ImageMagick-perl-6.7.2.7-5.el6_8.x86_64.rpm | SHA-256: 40bec4e65f91941d1546ac4631395b584e6d77506fddd267832526b5133e2017 |
activemq-client-5.9.0-6.redhat.611463.el6op.x86_64.rpm | SHA-256: 29a4456749dbcd32224b08ea28936c0259310d5a821dc5bfbaaf1cb66d08dff8 |
jenkins-1.651.2-1.el6op.noarch.rpm | SHA-256: 94ec57740a3c67ca1745bdec463b14bffe111a529eb6dcee9a022986c053e26c |
libcgroup-debuginfo-0.40.rc1-18.el6_8.x86_64.rpm | SHA-256: 900fd3d845e03edf899daacde470e7d7675250eb2711e14ac1ba84fdf0e047d9 |
libcgroup-pam-0.40.rc1-18.el6_8.x86_64.rpm | SHA-256: f34d526ca909c7fee7ddf127be8a59c5781d6d84bd0467841148da4302d9aa57 |
openshift-origin-cartridge-cron-1.25.4.2-1.el6op.noarch.rpm | SHA-256: d4d30d0c85c20371ac645e977c6af4c37ee6eb86b36bfdd24281e01649253f00 |
openshift-origin-cartridge-diy-1.26.2.2-1.el6op.noarch.rpm | SHA-256: e3a0c93708b1b84e8e85f8328491a8186cb5f090d02bc0ced4f87e5fd4fee215 |
openshift-origin-cartridge-haproxy-1.31.6.2-1.el6op.noarch.rpm | SHA-256: fe763873c2408a093058a4548f5a1e80efc9106c42fc7b4792c648101bf8c287 |
openshift-origin-cartridge-jbossews-1.35.5.2-1.el6op.noarch.rpm | SHA-256: 2fa603e9fd05b0f514c8dc6608fe9c83fa0cc4ced9fda0c7428f5405344d3b4a |
openshift-origin-cartridge-jenkins-1.29.2.2-1.el6op.noarch.rpm | SHA-256: 9079f08bd63915391361fec69d6e6f65ff1425b90a3ab3552e1f0d39fd3a6b8a |
openshift-origin-cartridge-jenkins-client-1.26.1.1-1.el6op.noarch.rpm | SHA-256: 23a4bf4f49900ef8415edb3f21da57840787170862ca341e1eecfc37edb46e15 |
openshift-origin-cartridge-mongodb-1.26.2.2-1.el6op.noarch.rpm | SHA-256: 15e36bc4820113e18221378c83c706c6885977a3dd5dd8d4c6e95d911b9fd77e |
openshift-origin-cartridge-mysql-1.31.3.3-1.el6op.noarch.rpm | SHA-256: 174b97ebc2af6efc4ed7e7103ee3ad2d24a3f01529b6aa060afb7583adb8c898 |
openshift-origin-cartridge-nodejs-1.33.1.2-1.el6op.noarch.rpm | SHA-256: c2f0371ac8e4abf203fa19473c31104d2d9c5583176db3e5893e461ca4e0fdb6 |
openshift-origin-cartridge-perl-1.30.2.2-1.el6op.noarch.rpm | SHA-256: 68df38eba13503198075cc741ca8f78837a384c1bf0f3e7c2a5205f83253c563 |
openshift-origin-cartridge-php-1.35.4.2-1.el6op.noarch.rpm | SHA-256: 076f511ebbcf7e360533d8321f04c3f4a07853290f722bc5688c76176cdae5af |
openshift-origin-cartridge-python-1.34.3.2-1.el6op.noarch.rpm | SHA-256: 59f35b742070064c46a54f6d6404367d1b1bcfaa1561b8cb21faa384cbb9fe60 |
openshift-origin-cartridge-ruby-1.32.2.2-1.el6op.noarch.rpm | SHA-256: 7d03e03fd926c28dd87e7c73aa1025eabe44b79bf13e1e09f685a62b9282d61f |
openshift-origin-msg-node-mcollective-1.30.2.2-1.el6op.noarch.rpm | SHA-256: c6797482137439165dcc50e676a3bc69f75d4f9568e1f916c88d119d82d5c4d6 |
openshift-origin-node-proxy-1.26.3.1-1.el6op.noarch.rpm | SHA-256: 2d6db5d3a62af1dc234346177d2aea36fafe4ebb81ba30c2ea7aa38677e53f82 |
openshift-origin-node-util-1.38.7.1-1.el6op.noarch.rpm | SHA-256: def4ddd015f8dc762749ee0bb35166703fe41797fe462e01999e17f593a8c805 |
rubygem-openshift-origin-frontend-haproxy-sni-proxy-0.5.2.1-1.el6op.noarch.rpm | SHA-256: 26b3a35bd376a8795568775c40b5276b9d54c6a3b2f80ad876e1ac8bbba9ed92 |
rubygem-openshift-origin-node-1.38.6.4-1.el6op.noarch.rpm | SHA-256: 7058f00b9f2eedda42d3703ef3977deb73b3371cb473d8d3b3679f74496d0147 |
Red Hat OpenShift Enterprise Client Tools 2.2
SRPM | |
---|---|
rhc-1.38.7.1-1.el6op.src.rpm | SHA-256: dbf6ba241c9c49719bec44e0bc223ab908267cc3cffd71b729a0a27835fbdadc |
x86_64 | |
rhc-1.38.7.1-1.el6op.noarch.rpm | SHA-256: 30473a9c436e16023da0b804e179c97ba40f2b7bc71eb2045a85071160958ec0 |
Red Hat OpenShift Enterprise JBoss EAP add-on 2.2
SRPM | |
---|---|
openshift-origin-cartridge-jbosseap-2.27.4.2-1.el6op.src.rpm | SHA-256: c76dfbe2fd6076e5d85d5616bf79db035c13102b9c401c318367b67246f090dc |
x86_64 | |
openshift-origin-cartridge-jbosseap-2.27.4.2-1.el6op.noarch.rpm | SHA-256: 616b4c7fc9eae814844bc39df0abd55898d47a9fdb8a172bbbfc631f658e7550 |
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.