Issued:: 2019-10-24
Updated:: 2019-10-24

RHSA-2019:2769 - Security Advisory

Overview
Updated Packages

Synopsis

Important: OpenShift Container Platform 3.9 security update

Type/Severity

Security Advisory: Important

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An security update is now available for Red Hat OpenShift Container Platform 3.9.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains RPM packages for Red Hat OpenShift Container
Platform 3.9, which have been rebuilt with an updated version of golang.

Security Fix(es):

HTTP/2: flood using PING frames results in unbounded memory growth (CVE-2019-9512)
HTTP/2: flood using HEADERS frames results in unbounded memory growth (CVE-2019-9514)
kubernetes: API server allows access to cluster-scoped custom resources as if resources were namespaced (CVE-2019-11247)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For OpenShift Container Platform 3.9 see the following documentation, which
will be updated shortly for release 3.9.100, for important instructions on
how to upgrade your cluster and fully apply this asynchronous errata
update:

https://docs.openshift.com/container-platform/3.9/release_notes/ocp_3_9_release_notes.html

Affected Products

Red Hat OpenShift Container Platform 3.9 x86_64

Fixes

BZ - 1732192 - CVE-2019-11247 kubernetes: API server allows access to cluster-scoped custom resources as if resources were namespaced
BZ - 1735645 - CVE-2019-9512 HTTP/2: flood using PING frames results in unbounded memory growth
BZ - 1735744 - CVE-2019-9514 HTTP/2: flood using HEADERS frames results in unbounded memory growth

CVEs

References

https://access.redhat.com/security/updates/classification/#important

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat OpenShift Container Platform 3.9

SRPM
ansible-service-broker-1.1.20-2.el7.src.rpm	SHA-256: 5b0a6fee75433a30f46b71edcd26f217eaf399a1ac3f7cec1816251878a4176f
atomic-openshift-3.9.101-1.git.0.150f595.el7.src.rpm	SHA-256: ba1caab1a4432d8e7cb57c1c08fa8924bd10f4a4ba1fa48a91bca7a87b0ab35f
atomic-openshift-descheduler-3.9.13-2.git.267.bb59a3f.el7.src.rpm	SHA-256: 1d23928fb0905732851686b97f370d3b82c23485c4721ec343f728e131042af5
atomic-openshift-node-problem-detector-3.9.13-2.git.167.5d6b0d4.el7.src.rpm	SHA-256: 324d9045913870f69f1d3ee472e4f8fce379edeb2d9bc3d08cf4cb9a1df24757
atomic-openshift-web-console-3.9.101-1.git.1.601c6d2.el7.src.rpm	SHA-256: f8ccd843aba07085785368e636722770f6186e00ec7ecb3f408c1d1cc9c46615
cockpit-195-2.rhaos.el7.src.rpm	SHA-256: b0faa6a526fd2b696d5cb080f6448d0da2b5df0848ec743e179763c559252f48
containernetworking-plugins-0.5.2-6.el7.src.rpm	SHA-256: d5c121805d6be89470975b0872663172ecf8b7fdbf6dbf443f841b6a43b2f46e
cri-o-1.9.16-3.git858756d.el7.src.rpm	SHA-256: 04e62e7a899366f6e9e8a22f6af0a9d04e1edc2f515ae17c4d3739bfc9ce2733
cri-tools-1.0.0-6.rhaos3.9.git8e6013a.el7.src.rpm	SHA-256: 6de94c36693942405d0f2a9c82bd9ec36b9d6429476c8d2f6cb74d8326925bef
golang-github-openshift-oauth-proxy-2.1-3.git885c9f40.el7.src.rpm	SHA-256: a4183ed11dc9faa28486a21b88d84183dcb83804199ddb31fbc74c5a81905da8
golang-github-openshift-prometheus-alert-buffer-0-3.gitceca8c1.el7.src.rpm	SHA-256: 1f39b5641a985f835d6ad1cb62e6919ae1edfa882dc3c2f5cb00f20c8d247b5a
golang-github-prometheus-alertmanager-0.14.0-2.git30af4d0.el7.src.rpm	SHA-256: da882dc8d247ee5d09d3de7dfd55bbaa59d9b7086912dfc286076a396b3b2410
golang-github-prometheus-node_exporter-3.9.101-1.git.1.8295224.el7.src.rpm	SHA-256: 1c54f65885fda9c5ab6338f0264e278731a1b8804155e176bf9f27c0f80c1ceb
golang-github-prometheus-prometheus-2.2.1-2.gitbc6058c.el7.src.rpm	SHA-256: a981c99c74b9efb06b30d7a73f5eeb858c21b3e5291864eab2f5ea9ab5ff8835
golang-github-prometheus-promu-0-5.git85ceabc.el7.src.rpm	SHA-256: 10625fd90e813c07c5d0e6fdc82f7f875476acff9972cb635641ccd7a2a87904
hawkular-openshift-agent-1.2.2-3.el7.src.rpm	SHA-256: b74704c11e2c37fe5306b6910412015443b7be9abab75816c0f7bb13a912b4bd
heapster-1.3.0-4.el7.src.rpm	SHA-256: 42ea0fdb8fab301797f10d97ad586d044c8a558d5efdeae6bc6e99f846193650
image-inspector-2.1.3-2.el7.src.rpm	SHA-256: 4897291716613496d42802b12566f664e0c2baa4be49211ce6495454de293f57
openshift-enterprise-image-registry-3.8.0-2.git.216.b6b90bb.el7.src.rpm	SHA-256: 45173424392b155a1eaa3d0cb466e153484a2737c1d63c31656ea73050438cba
openshift-eventrouter-0.1-3.git5bd9251.el7.src.rpm	SHA-256: 68aa57dbb1d254c870e7460658f97490eeba8d0da0ffe4094866a5acf0c0f589
openshift-external-storage-0.0.1-9.git78d6339.el7.src.rpm	SHA-256: ebf4cbd83223d492b98c9a788490f6b16ef1d8fab482481b02c683208ffad653
openvswitch-ovn-kubernetes-0.1.0-3.el7.src.rpm	SHA-256: f6159d12e0da99cfa244837bfa4adba6b8233dfc907fcae1a88a9b94f6b0f3ba
x86_64
ansible-service-broker-1.1.20-2.el7.x86_64.rpm	SHA-256: f820df3cf9140a81a9ef5e46b5684c014aa372689471f3753c988fde5c4d169c
ansible-service-broker-container-scripts-1.1.20-2.el7.noarch.rpm	SHA-256: 17a6658b60dca7dbe6ea0a5274bcad5ee3aed9b1cd6051d0515571f464c79191
ansible-service-broker-selinux-1.1.20-2.el7.noarch.rpm	SHA-256: 8654232bbb333b9d9b8b73a1a21323915ab7aeab2b8c22851baf4d46c50f75ce
atomic-openshift-3.9.101-1.git.0.150f595.el7.x86_64.rpm	SHA-256: 52cb90d243035b1a34487f9830af5753957614f348f822979ef301e72d5fe7fd
atomic-openshift-clients-3.9.101-1.git.0.150f595.el7.x86_64.rpm	SHA-256: d8914e06033922e6e50cf8b156ddca9ee2b12f48d202a575b8d6afa8c5a18663
atomic-openshift-clients-redistributable-3.9.101-1.git.0.150f595.el7.x86_64.rpm	SHA-256: c202c2b36233b63e2a1821b007b7da6bccc534f5a563982472f56900deb84cb8
atomic-openshift-cluster-capacity-3.9.101-1.git.0.150f595.el7.x86_64.rpm	SHA-256: 0beeb1a8bc20a2a7f120cca6bce6711babceea803f290703d2090d58464fd30d
atomic-openshift-descheduler-3.9.13-2.git.267.bb59a3f.el7.x86_64.rpm	SHA-256: 8c5b0f3aca576a210b598dedf269396f5231e434cce15d7df2a81144c4da1c12
atomic-openshift-docker-excluder-3.9.101-1.git.0.150f595.el7.noarch.rpm	SHA-256: 33d86bc3efca955a20ba98e615d66463c8558644d55b49c186b68946909891bd
atomic-openshift-dockerregistry-3.9.101-1.git.1.13625cf.el7.x86_64.rpm	SHA-256: 9204eebde6cbebe6af90a8ec3f7c250466f483e29c985cd82d782205a7d1788f
atomic-openshift-excluder-3.9.101-1.git.0.150f595.el7.noarch.rpm	SHA-256: 520c1e605be486429d1586cf13c5daac3c9ecc4c68bcdbb834a006548fe8e5cb
atomic-openshift-federation-services-3.9.101-1.git.0.150f595.el7.x86_64.rpm	SHA-256: 4ea7248671ca94f6c1a26f82918d55976192ce939dcba6697a90777c7004aa8e
atomic-openshift-master-3.9.101-1.git.0.150f595.el7.x86_64.rpm	SHA-256: ab0f3a167de8741688dda0d49dac1a8540879077efd00b3d79e13ef58694a78c
atomic-openshift-node-3.9.101-1.git.0.150f595.el7.x86_64.rpm	SHA-256: 853a02bbeb3199acdbec2bb76be5edc943428c14d9043463a263a4407f52f9ff
atomic-openshift-node-problem-detector-3.9.13-2.git.167.5d6b0d4.el7.x86_64.rpm	SHA-256: e1a8a7567b1a08a5a74b9960d537679216e8835580bb684b91e405b889a42e56
atomic-openshift-pod-3.9.101-1.git.0.150f595.el7.x86_64.rpm	SHA-256: a5a370f554b28314666f854f98ae90be9d937fcc2a823972506a43797d6ce30c
atomic-openshift-sdn-ovs-3.9.101-1.git.0.150f595.el7.x86_64.rpm	SHA-256: 9dbc9152bf0f7a13508f7c5437eaf519a840f4d074300588922e03f5a58ee900
atomic-openshift-service-catalog-3.9.101-1.git.0.150f595.el7.x86_64.rpm	SHA-256: 34b40d755faaca69e56891f10217bd8577c7df8931d1419491094d27ca6485a0
atomic-openshift-template-service-broker-3.9.101-1.git.0.150f595.el7.x86_64.rpm	SHA-256: d0bd053724c2f639774e3d3ecc8f22aa6cae8b6ac2b4795adc72ebc045abd916
atomic-openshift-tests-3.9.101-1.git.0.150f595.el7.x86_64.rpm	SHA-256: 21fa6d95115585ebc31fb0d16de48ef6d846a1dff08a567053ebce39aafd8b88
atomic-openshift-web-console-3.9.101-1.git.1.601c6d2.el7.x86_64.rpm	SHA-256: a6a6f75a958a586d94e598d05ba37586ac63328c89212a59c36f83952ca04fa9
cockpit-debuginfo-195-2.rhaos.el7.x86_64.rpm	SHA-256: 60b1941e8151ce1b4492695bf427187014492a8c5e9b04f6f4399063d30bf373
cockpit-kubernetes-195-2.rhaos.el7.x86_64.rpm	SHA-256: ed044fd7373953c6d5457417c44e1cdf6c652b803bc7c8242e5168ed138a6680
containernetworking-plugins-0.5.2-6.el7.x86_64.rpm	SHA-256: 5db904b1acf1bc0df025351476c2729487c93dbaf4bd4e6d1de66e67a37725e8
containernetworking-plugins-debuginfo-0.5.2-6.el7.x86_64.rpm	SHA-256: 820a68cf56181495e5abf2eb054b009c88002e4b2d9669ddaf25ebaf00620772
cri-o-1.9.16-3.git858756d.el7.x86_64.rpm	SHA-256: 8c4dabe6df905910c127dc3679a4f4be632604d77609e5bcca28629dda8761dc
cri-o-debuginfo-1.9.16-3.git858756d.el7.x86_64.rpm	SHA-256: d891eea80f4d30832c403f6b5f54b299a671a476858c493045bc5b1f99c7fdd5
cri-tools-1.0.0-6.rhaos3.9.git8e6013a.el7.x86_64.rpm	SHA-256: dd633a26334c39b3e9ce7fef9d21e45294fce1defd0696ad6848e9f505dbc1c3
cri-tools-debuginfo-1.0.0-6.rhaos3.9.git8e6013a.el7.x86_64.rpm	SHA-256: 20bc9ae93cbc134841c138066486b708e6c79fb03286929abee124bafa37d46e
golang-github-openshift-oauth-proxy-2.1-3.git885c9f40.el7.x86_64.rpm	SHA-256: 72ae296005dc5691166c5872e05e3d98e624f0ddbbe2d844920d83cf815241c1
golang-github-openshift-prometheus-alert-buffer-0-3.gitceca8c1.el7.x86_64.rpm	SHA-256: da8997ad505eaeae28083d1f27ceecb033d341ea62b55cff4540acb0499f5b19
golang-github-prometheus-promu-0-5.git85ceabc.el7.x86_64.rpm	SHA-256: d7507eafcae8c7194c17a1883ed969f77518f26f0c378a0324496799b56fc693
hawkular-openshift-agent-1.2.2-3.el7.x86_64.rpm	SHA-256: 0c600a7f5087c41340c192e87105695c60c102ae95e1bf646da373b9f9419977
heapster-1.3.0-4.el7.x86_64.rpm	SHA-256: d92413580781c9fb8b040b4aa896adc6e85e02dc28eab3314f0da19acdf11011
image-inspector-2.1.3-2.el7.x86_64.rpm	SHA-256: 6e1795bfcc28ce73a291da8198efd8a91e244f79572348bff393e3dfa0434715
openshift-enterprise-image-registry-3.8.0-2.git.216.b6b90bb.el7.x86_64.rpm	SHA-256: be2701f716a7d71fe60850135fe2be18d562408c29f70eb1d3010f49e1cba722
openshift-eventrouter-0.1-3.git5bd9251.el7.x86_64.rpm	SHA-256: bd8913fd37018556dd5bb5315fd4a1a93d33658c6e701a6418a544245733b77e
openshift-eventrouter-debuginfo-0.1-3.git5bd9251.el7.x86_64.rpm	SHA-256: d57e52da48ca823d8ac5a4fa5ec94fa3afa0cde7b6ae12771d183b54bc356ad6
openshift-external-storage-debuginfo-0.0.1-9.git78d6339.el7.x86_64.rpm	SHA-256: 25160c9e0ac4866c844a53e5180c662bd1dad9fc32a1f4c798dccc7d84a1a36a
openshift-external-storage-efs-provisioner-0.0.1-9.git78d6339.el7.x86_64.rpm	SHA-256: 6362fb5e949cd7a3683fb3cc2ccc35d02acd0ccd1897647af915352cb3683c17
openshift-external-storage-local-provisioner-0.0.1-9.git78d6339.el7.x86_64.rpm	SHA-256: 4ef304ba621ce9b45418c5a92b3e2c55a0be90c0d91f640736405818bf4bbdc2
openshift-external-storage-snapshot-controller-0.0.1-9.git78d6339.el7.x86_64.rpm	SHA-256: bd1d0c408e339a0e56a347a0d1d390076955a1eee8fff2ff32bc35c95869dec2
openshift-external-storage-snapshot-provisioner-0.0.1-9.git78d6339.el7.x86_64.rpm	SHA-256: bc216a0bad422f8ba73b699889fb940e0f8dceb924eeb32a03f00d4ee045da6d
openvswitch-ovn-kubernetes-0.1.0-3.el7.x86_64.rpm	SHA-256: c7470a11ea10c640d305f15fcea21993cfa6cdcfc401dbaab9cb937f5a6f7494
prometheus-2.2.1-2.gitbc6058c.el7.x86_64.rpm	SHA-256: 13843ddf5f27bff3c961e8cf53facea7dc59b3668c4586d0ab421b00f89edde1
prometheus-alertmanager-0.14.0-2.git30af4d0.el7.x86_64.rpm	SHA-256: eafb9e867564b413a4f43a8a4b37cfad1ddb25e2d1d276befd1d501f63ab169f
prometheus-node-exporter-3.9.101-1.git.1.8295224.el7.x86_64.rpm	SHA-256: 338c9dfa9257d24535f8d7b970c367b94fe818b24623631580c3fbb13465a1ba
prometheus-promu-0-5.git85ceabc.el7.x86_64.rpm	SHA-256: 9be8ee087c39ac9655b60b212ecf0e432bd3a9d68bfe2a210dfab8ce49e99b67

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

Runtimes

Integration and Automation