Issued:
2019-07-24
Updated:
2019-07-24

RHSA-2019:1851 - Security Advisory

Synopsis

Moderate: OpenShift Container Platform 3.11 security update

Type/Severity

Security Advisory: Moderate

Topic

An update for atomic-openshift and jenkins-2-plugins is now available for
Red Hat OpenShift Container Platform 3.11.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

Description

Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.

Security Fix(es):

  • web-console: XSS in OAuth server /oauth/token/request endpoint
    (CVE-2019-3876)
  • jenkins-plugin-token-macro: XML External Entity processing the ${XML}
    macro (CVE-2019-10337)
  • kube-apiserver: DoS with crafted patch of type json-patch
    (CVE-2019-1002100)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Solution

For OpenShift Container Platform 3.11 see the following documentation for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:

https://docs.openshift.com/container-platform/3.11/release_notes/ocp_3_11_release_notes.html

Affected Products

  • Red Hat OpenShift Container Platform 3.11 x86_64
  • Red Hat OpenShift Container Platform for Power 3.11 ppc64le

Fixes

  • BZ - 1683190 - CVE-2019-1002100 kube-apiserver: DoS with crafted patch of type json-patch
  • BZ - 1691107 - CVE-2019-3876 web-console: XSS in OAuth server /oauth/token/request endpoint
  • BZ - 1719782 - CVE-2019-10337 jenkins-plugin-token-macro: XML External Entity processing the ${XML} macro

CVEs

References

Red Hat OpenShift Container Platform 3.11

SRPM
atomic-openshift-3.11.129-1.git.0.bd4f2d5.el7.src.rpm SHA-256: 4244b38c2fc9a614ffc2e3a0be7150dc0f49bb85fc7f06c4819b6c7e52062150
jenkins-2-plugins-3.11.1560870549-1.el7.src.rpm SHA-256: bf60efb7b56c0a108f6738e5403b870d3f8169eda2d222c037cceadb9379b5bf
x86_64
atomic-openshift-3.11.129-1.git.0.bd4f2d5.el7.x86_64.rpm SHA-256: 188719691472b4d3e5387a3565f08c6098b282049602227deb0f55f15f743461
atomic-openshift-clients-3.11.129-1.git.0.bd4f2d5.el7.x86_64.rpm SHA-256: 62c6d18fee2edeb903ecbcb24ee7ac3e6d684a5e5083d5874e4422c0bef00d50
atomic-openshift-clients-redistributable-3.11.129-1.git.0.bd4f2d5.el7.x86_64.rpm SHA-256: 28b714a5225a58518a480faf4255ab4867335f2049b22f3d061d07b266277272
atomic-openshift-docker-excluder-3.11.129-1.git.0.bd4f2d5.el7.noarch.rpm SHA-256: 84305bbf4f0b3a47b018721d07cd747faaaa64340b7a38d725bdf7f9e887cae8
atomic-openshift-excluder-3.11.129-1.git.0.bd4f2d5.el7.noarch.rpm SHA-256: 61931b04d9f17285780bd73062e0b6a9c4acd73758281a5572a285a9a70e9eca
atomic-openshift-hyperkube-3.11.129-1.git.0.bd4f2d5.el7.x86_64.rpm SHA-256: 3bdb2d24f78840d1bd10f030c7d4fd0f4f3e67bbde9dd83c5fd65668cd238c4d
atomic-openshift-hypershift-3.11.129-1.git.0.bd4f2d5.el7.x86_64.rpm SHA-256: e09a72a6668209df2345e5977e08be74fb29031a5b6ec6f657acfcfb6ffd94d7
atomic-openshift-master-3.11.129-1.git.0.bd4f2d5.el7.x86_64.rpm SHA-256: b9f5d0aae0fbf6ef0f83b6574f772bf34ffc952a35b923305a2bfc04ce168b6e
atomic-openshift-node-3.11.129-1.git.0.bd4f2d5.el7.x86_64.rpm SHA-256: 6e573972a630a017f8177ea0d69680492579167e384c5970135635b3f573e121
atomic-openshift-pod-3.11.129-1.git.0.bd4f2d5.el7.x86_64.rpm SHA-256: b681edf20fff1f8a53ab38de2245c158b8e4639f24ab578e089bccc41ad8e423
atomic-openshift-sdn-ovs-3.11.129-1.git.0.bd4f2d5.el7.x86_64.rpm SHA-256: bea04ca5ac35287e9626e2258191804d03d6cc0e0691c8a73d8b7a79dcd0ea75
atomic-openshift-template-service-broker-3.11.129-1.git.0.bd4f2d5.el7.x86_64.rpm SHA-256: 59707ad35e1dc19723a96aecb0b0c222373cc316c5fa8fa1b1dbeb9fe6c5895f
atomic-openshift-tests-3.11.129-1.git.0.bd4f2d5.el7.x86_64.rpm SHA-256: 13304132121e3b58292d834387f138d9aa598aa1177547db9ba243fa1f1e6f80
jenkins-2-plugins-3.11.1560870549-1.el7.noarch.rpm SHA-256: 5d483a8c5b93f0288cd06ffe2638cd41cbd971520e15a41eb24c2f861700c40c

Red Hat OpenShift Container Platform for Power 3.11

SRPM
atomic-openshift-3.11.129-1.git.0.bd4f2d5.el7.src.rpm SHA-256: 4244b38c2fc9a614ffc2e3a0be7150dc0f49bb85fc7f06c4819b6c7e52062150
jenkins-2-plugins-3.11.1560870549-1.el7.src.rpm SHA-256: bf60efb7b56c0a108f6738e5403b870d3f8169eda2d222c037cceadb9379b5bf
ppc64le
atomic-openshift-3.11.129-1.git.0.bd4f2d5.el7.ppc64le.rpm SHA-256: ed4ede83cfefee0b864414696ba254ed1be6cd19cf333f3ab8636809dcaa17f6
atomic-openshift-3.11.129-1.git.0.bd4f2d5.el7.ppc64le.rpm SHA-256: ed4ede83cfefee0b864414696ba254ed1be6cd19cf333f3ab8636809dcaa17f6
atomic-openshift-clients-3.11.129-1.git.0.bd4f2d5.el7.ppc64le.rpm SHA-256: 5641fc57930941fd0877677e02874528621ab240ee86ad059d006019f3e0613e
atomic-openshift-clients-3.11.129-1.git.0.bd4f2d5.el7.ppc64le.rpm SHA-256: 5641fc57930941fd0877677e02874528621ab240ee86ad059d006019f3e0613e
atomic-openshift-docker-excluder-3.11.129-1.git.0.bd4f2d5.el7.noarch.rpm SHA-256: 84305bbf4f0b3a47b018721d07cd747faaaa64340b7a38d725bdf7f9e887cae8
atomic-openshift-docker-excluder-3.11.129-1.git.0.bd4f2d5.el7.noarch.rpm SHA-256: 84305bbf4f0b3a47b018721d07cd747faaaa64340b7a38d725bdf7f9e887cae8
atomic-openshift-excluder-3.11.129-1.git.0.bd4f2d5.el7.noarch.rpm SHA-256: 61931b04d9f17285780bd73062e0b6a9c4acd73758281a5572a285a9a70e9eca
atomic-openshift-excluder-3.11.129-1.git.0.bd4f2d5.el7.noarch.rpm SHA-256: 61931b04d9f17285780bd73062e0b6a9c4acd73758281a5572a285a9a70e9eca
atomic-openshift-hyperkube-3.11.129-1.git.0.bd4f2d5.el7.ppc64le.rpm SHA-256: 17586f62ae3f83f117881c186c59f25d57ba4e91ba915d3f5d4de7afd29febe8
atomic-openshift-hyperkube-3.11.129-1.git.0.bd4f2d5.el7.ppc64le.rpm SHA-256: 17586f62ae3f83f117881c186c59f25d57ba4e91ba915d3f5d4de7afd29febe8
atomic-openshift-hypershift-3.11.129-1.git.0.bd4f2d5.el7.ppc64le.rpm SHA-256: 84f648bcd424bdddf9a4d61ef299aef4b54a1797b86e33d06b72022e761b6308
atomic-openshift-hypershift-3.11.129-1.git.0.bd4f2d5.el7.ppc64le.rpm SHA-256: 84f648bcd424bdddf9a4d61ef299aef4b54a1797b86e33d06b72022e761b6308
atomic-openshift-master-3.11.129-1.git.0.bd4f2d5.el7.ppc64le.rpm SHA-256: f5a134d889a3af73f246ceb9c906c84da0ead235241b64396e045471bec62218
atomic-openshift-master-3.11.129-1.git.0.bd4f2d5.el7.ppc64le.rpm SHA-256: f5a134d889a3af73f246ceb9c906c84da0ead235241b64396e045471bec62218
atomic-openshift-node-3.11.129-1.git.0.bd4f2d5.el7.ppc64le.rpm SHA-256: 094b53cc8bd976d1ac3c804e6ac271005b013921de53078857bc1eff906bc377
atomic-openshift-node-3.11.129-1.git.0.bd4f2d5.el7.ppc64le.rpm SHA-256: 094b53cc8bd976d1ac3c804e6ac271005b013921de53078857bc1eff906bc377
atomic-openshift-pod-3.11.129-1.git.0.bd4f2d5.el7.ppc64le.rpm SHA-256: e84debcc4cfe29dd1acd80c003ddd131d0e38d3016b36033423c4284c476b1eb
atomic-openshift-pod-3.11.129-1.git.0.bd4f2d5.el7.ppc64le.rpm SHA-256: e84debcc4cfe29dd1acd80c003ddd131d0e38d3016b36033423c4284c476b1eb
atomic-openshift-sdn-ovs-3.11.129-1.git.0.bd4f2d5.el7.ppc64le.rpm SHA-256: 4b01fabd6cf1dadcd441df2bacbce1539ad56c86cdd1875bca01fafe55e8a42f
atomic-openshift-sdn-ovs-3.11.129-1.git.0.bd4f2d5.el7.ppc64le.rpm SHA-256: 4b01fabd6cf1dadcd441df2bacbce1539ad56c86cdd1875bca01fafe55e8a42f
atomic-openshift-template-service-broker-3.11.129-1.git.0.bd4f2d5.el7.ppc64le.rpm SHA-256: ffa0d5b74468e973825ee64d2acca6888a586d7f58d64236c20f4434059018ef
atomic-openshift-template-service-broker-3.11.129-1.git.0.bd4f2d5.el7.ppc64le.rpm SHA-256: ffa0d5b74468e973825ee64d2acca6888a586d7f58d64236c20f4434059018ef
atomic-openshift-tests-3.11.129-1.git.0.bd4f2d5.el7.ppc64le.rpm SHA-256: fd67d23fdb7ecbf0ce347cbb5788dab912dfa72629fa9ed1d41cde34a9b2ef3a
atomic-openshift-tests-3.11.129-1.git.0.bd4f2d5.el7.ppc64le.rpm SHA-256: fd67d23fdb7ecbf0ce347cbb5788dab912dfa72629fa9ed1d41cde34a9b2ef3a
jenkins-2-plugins-3.11.1560870549-1.el7.noarch.rpm SHA-256: 5d483a8c5b93f0288cd06ffe2638cd41cbd971520e15a41eb24c2f861700c40c
jenkins-2-plugins-3.11.1560870549-1.el7.noarch.rpm SHA-256: 5d483a8c5b93f0288cd06ffe2638cd41cbd971520e15a41eb24c2f861700c40c

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.