Issued:: 2019-11-07
Updated:: 2019-11-07

RHSA-2019:3811 - Security Advisory

Overview
Updated Packages

Synopsis

Important: OpenShift Container Platform 3.9 atomic-openshift security update

Type/Severity

Security Advisory: Important

Red Hat Lightspeed patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for atomic-openshift is now available for Red Hat OpenShift
Container Platform 3.9.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.

This advisory contains the atomic-openshift RPM package for Red Hat OpenShift Container Platform 3.9.102.

Security Fix(es):

kubernetes: YAML parsing vulnerable to "Billion Laughs" attack, allowing for remote denial of service (CVE-2019-11253)
atomic-openshift: OpenShift builds don't verify SSH Host Keys for the Git repository (CVE-2019-10150)
kubernetes: Incomplete fixes for CVE-2019-1002101 and CVE-2019-11246, kubectl cp potential directory traversal (CVE-2019-11249)
kubernetes: `kubectl cp` allows for arbitrary file write via double symlinks (CVE-2019-11251)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For OpenShift Container Platform 3.9 see the following documentation, which
will be updated shortly for release 3.9.102, for important instructions on
how to upgrade your cluster and fully apply this asynchronous errata
update:

https://docs.openshift.com/container-platform/3.9/release_notes/ocp_3_9_release_notes.html

Affected Products

Red Hat OpenShift Container Platform 3.9 x86_64

Fixes

BZ - 1713433 - CVE-2019-10150 atomic-openshift: OpenShift builds don't verify SSH Host Keys for the git repository
BZ - 1737651 - CVE-2019-11249 kubernetes: Incomplete fixes for CVE-2019-1002101 and CVE-2019-11246, kubectl cp potential directory traversal
BZ - 1753495 - CVE-2019-11251 kubernetes: `kubectl cp` allows for arbitrary file write via double symlinks
BZ - 1757701 - CVE-2019-11253 kubernetes: YAML parsing vulnerable to "Billion Laughs" attack, allowing for remote denial of service

CVEs

References

https://access.redhat.com/security/updates/classification/#important

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat OpenShift Container Platform 3.9

SRPM
atomic-openshift-3.9.102-1.git.0.6411f52.el7.src.rpm	SHA-256: a9f96ef1c386bc0738592f2f928c100cb732e6fb38ef88e515efa8b346bf4705
x86_64
atomic-openshift-3.9.102-1.git.0.6411f52.el7.x86_64.rpm	SHA-256: fed40b10d04cc3271b2c350cc3a40c17e6ddc2dd4dc33fc349174b41b4f2d04b
atomic-openshift-clients-3.9.102-1.git.0.6411f52.el7.x86_64.rpm	SHA-256: 716d4bb7d5f0bda106ef3cb1944e311aa15d9ff71025a1cee0e713c37b372271
atomic-openshift-clients-redistributable-3.9.102-1.git.0.6411f52.el7.x86_64.rpm	SHA-256: 53961907ff086d3f5b3ab63df60a0fffd57d64e4ae8a6e033c940f1253d5c7fd
atomic-openshift-cluster-capacity-3.9.102-1.git.0.6411f52.el7.x86_64.rpm	SHA-256: 3589b2ac5db70ebbc3489a4b5f0f4c79ea91222d1004edce1523bdbf952f854a
atomic-openshift-docker-excluder-3.9.102-1.git.0.6411f52.el7.noarch.rpm	SHA-256: b7298c16eba70f76d8e39e79a548e712a6fc0b4b3f60924d1e69d5a96aee53ec
atomic-openshift-excluder-3.9.102-1.git.0.6411f52.el7.noarch.rpm	SHA-256: 2a18a3b4b24f03a2adc53c1cd8018a837f72bfe8b59a078a1c5cbb25a1d867dd
atomic-openshift-federation-services-3.9.102-1.git.0.6411f52.el7.x86_64.rpm	SHA-256: a88c606247c2aef9af486492869522f6c48a7a22d0a011304a5b94c29e175c66
atomic-openshift-master-3.9.102-1.git.0.6411f52.el7.x86_64.rpm	SHA-256: aa651e06795ed1e22b56567fbd16a62d5843e3568a68404e577ac76b5161c28f
atomic-openshift-node-3.9.102-1.git.0.6411f52.el7.x86_64.rpm	SHA-256: 29d46eb3223b6133927a3031de55df045ad89628bfc90df48c38afe0e6255ebd
atomic-openshift-pod-3.9.102-1.git.0.6411f52.el7.x86_64.rpm	SHA-256: 05d6ae14d928caef1fa6b37c931a3cc35a829f06e88191a2300a0623ee19af7c
atomic-openshift-sdn-ovs-3.9.102-1.git.0.6411f52.el7.x86_64.rpm	SHA-256: c7bcd7becfaf1e06b689600bb783f28b3eeed2f7b8fc152e2b2c59c0bb273ea5
atomic-openshift-service-catalog-3.9.102-1.git.0.6411f52.el7.x86_64.rpm	SHA-256: c224be573f1a94eb5dbaf38e419fb3b5f9d82047b33c36108108170f9e11448e
atomic-openshift-template-service-broker-3.9.102-1.git.0.6411f52.el7.x86_64.rpm	SHA-256: 6d2da9ca79061d06495d871426c36f6e82cec8a59ee4aed958337d3143cbcdcb
atomic-openshift-tests-3.9.102-1.git.0.6411f52.el7.x86_64.rpm	SHA-256: 64dc6f0c585e652adcc5cc99bd13514633808b41b0c15b7cd022d44453cf03e9

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

Runtimes

Integration and Automation