RHSA-2020:4143 - Security Advisory
Security Advisory: Moderate
Red Hat Insights patch analysis
Identify and remediate systems affected by this advisory.
Updated OpenShift Container Storage packages fixing various security issues and other bugs are now available for Red Hat OpenShift Container Storage with 3.11.z Async update.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Red Hat OpenShift Container Storage(OCS) is a provider of agnostic persistent storage for OpenShift Container Platform either in-house or in a hybrid cloud. As a Red Hat storage solution, OCS is completely integrated with OpenShift Container Platform for deployment, management, and monitoring.
- gluster-block: information disclosure through world-readable gluster-block log files (CVE-2020-10762)
- heketi: gluster-block volume password details available in logs (CVE-2020-10763)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
- Earlier, the tcmu-runner did not give details about the file operations stuck at the backend glusterfs block hosting volume. With this change, the tcmu-runner is now able to log details about the file operations stuck at the backend glusterfs block hosting volume and this will help identify the root cause of the input/output errors easily. (BZ#1850361)
- Earlier, there was no log rotation with gluster-block logs. With this release, log rotation is possible for gluster-block and tcmu-runner relevant logs. (BZ#1850365)
- Earlier, heketi did not track all the changes made to volumes as part of device remove operation. With this release, heketi’s device remove operation is fully tracked and is based on a series of brick evict operations making the operation more reliable. (BZ#1850072)
- An access flaw CVE-2020-13867 was found in targetcli due to which the files under ‘/etc/target’ and '/etc/target/backup' directory were widely accessible. With this release, the access flaw is fixed as a workaround in gluster-block to protect these files from any potential attacks for accessing sensitive information, until the flaw is resolved and made available in targetcli.(BZ#1850077)
All Red Hat OpenShift Container Storage users are advised to upgrade to these updated packages.
For details on how to apply this update, which includes the changes described in this advisory, refer to:
- Red Hat Enterprise Linux Server 7 x86_64
- Red Hat Gluster Storage Server for On-premise 3 for RHEL 7 x86_64
- BZ - 1845067 - CVE-2020-10762 gluster-block: information disclosure through world-readable gluster-block log files
- BZ - 1845387 - CVE-2020-10763 heketi: gluster-block volume password details available in logs
- BZ - 1850072 - Improve the reliability of device remove
- BZ - 1850077 - targetcli: weak permissions config files
- BZ - 1850361 - tcmu-runner: Log timed out commands
- BZ - 1855178 - brickEvict/deviceRemove is not working when node is unreachable
Red Hat Enterprise Linux Server 7
Red Hat Gluster Storage Server for On-premise 3 for RHEL 7