RHSA-2020:4143 - Security Advisory

Topic

Updated OpenShift Container Storage packages fixing various security issues and other bugs are now available for Red Hat OpenShift Container Storage with 3.11.z Async update.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat OpenShift Container Storage(OCS) is a provider of agnostic persistent storage for OpenShift Container Platform either in-house or in a hybrid cloud. As a Red Hat storage solution, OCS is completely integrated with OpenShift Container Platform for deployment, management, and monitoring.

Security Fix(es):

• gluster-block: information disclosure through world-readable gluster-block log files (CVE-2020-10762)
• heketi: gluster-block volume password details available in logs (CVE-2020-10763)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

• Earlier, the tcmu-runner did not give details about the file operations stuck at the backend glusterfs block hosting volume. With this change, the tcmu-runner is now able to log details about the file operations stuck at the backend glusterfs block hosting volume and this will help identify the root cause of the input/output errors easily. (BZ#1850361)
• Earlier, there was no log rotation with gluster-block logs. With this release, log rotation is possible for gluster-block and tcmu-runner relevant logs. (BZ#1850365)
• Earlier, heketi did not track all the changes made to volumes as part of device remove operation. With this release, heketi’s device remove operation is fully tracked and is based on a series of brick evict operations making the operation more reliable. (BZ#1850072)
• An access flaw CVE-2020-13867 was found in targetcli due to which the files under ‘/etc/target’ and '/etc/target/backup' directory were widely accessible. With this release, the access flaw is fixed as a workaround in gluster-block to protect these files from any potential attacks for accessing sensitive information, until the flaw is resolved and made available in targetcli.(BZ#1850077)

All Red Hat OpenShift Container Storage users are advised to upgrade to these updated packages.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

• Red Hat Enterprise Linux Server 7 x86_64
• Red Hat Gluster Storage Server for On-premise 3 for RHEL 7 x86_64

Fixes

• BZ - 1845067 - CVE-2020-10762 gluster-block: information disclosure through world-readable gluster-block log files
• BZ - 1845387 - CVE-2020-10763 heketi: gluster-block volume password details available in logs
• BZ - 1850072 - Improve the reliability of device remove
• BZ - 1850077 - targetcli: weak permissions config files
• BZ - 1850361 - tcmu-runner: Log timed out commands
• BZ - 1855178 - brickEvict/deviceRemove is not working when node is unreachable

CVEs

• CVE-2020-10762
• CVE-2020-10763

References

• https://access.redhat.com/security/updates/classification/#moderate