Malware Devil

Friday, June 25, 2021

ESB-2021.2232 – [RedHat] Red Hat OpenShift Jaeger: Multiple vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2021.2232
Red Hat OpenShift Jaeger 1.20.4 security update
25 June 2021

===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:           Red Hat OpenShift Jaeger
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Increased Privileges            -- Existing Account
                   Modify Arbitrary Files          -- Existing Account
                   Denial of Service               -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
                   Provide Misleading Information  -- Existing Account
                   Reduced Security                -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-27219 CVE-2021-23337 CVE-2021-23336
                   CVE-2021-20305 CVE-2021-3450 CVE-2021-3449
                   CVE-2021-3326 CVE-2021-3177 CVE-2021-3114
                   CVE-2020-29363 CVE-2020-29362 CVE-2020-29361
                   CVE-2020-28500 CVE-2020-28362 CVE-2020-28196
                   CVE-2020-27619 CVE-2020-27618 CVE-2020-26116
                   CVE-2020-24977 CVE-2020-15358 CVE-2020-13949
                   CVE-2020-13776 CVE-2020-13434 CVE-2020-8927
                   CVE-2020-8286 CVE-2020-8285 CVE-2020-8284
                   CVE-2020-8231 CVE-2019-25013 CVE-2019-9169
                   CVE-2019-3842 CVE-2019-2708 CVE-2017-14502
                   CVE-2016-10228

Reference:         ESB-2021.2228
                   ESB-2021.2160

Original Bulletin:
https://access.redhat.com/errata/RHSA-2021:2543

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
Red Hat Security Advisory

Synopsis:          Moderate: Red Hat OpenShift Jaeger 1.20.4 security update
Advisory ID:       RHSA-2021:2543-01
Product:           Red Hat OpenShift Jaeger
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:2543
Issue date:        2021-06-24
CVE Names:         CVE-2016-10228 CVE-2017-14502 CVE-2019-2708
                   CVE-2019-3842 CVE-2019-9169 CVE-2019-25013
                   CVE-2020-8231 CVE-2020-8284 CVE-2020-8285
                   CVE-2020-8286 CVE-2020-8927 CVE-2020-13434
                   CVE-2020-13776 CVE-2020-13949 CVE-2020-15358
                   CVE-2020-24977 CVE-2020-26116 CVE-2020-27618
                   CVE-2020-27619 CVE-2020-28196 CVE-2020-28362
                   CVE-2020-28500 CVE-2020-29361 CVE-2020-29362
                   CVE-2020-29363 CVE-2021-3114 CVE-2021-3177
                   CVE-2021-3326 CVE-2021-3449 CVE-2021-3450
                   CVE-2021-20305 CVE-2021-23336 CVE-2021-23337
                   CVE-2021-27219
=====================================================================

1. Summary:

An update is now available for Red Hat OpenShift Jaeger 1.20.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Jaeger is Red Hat’s distribution of the Jaeger project,
tailored for installation into an on-premise OpenShift Container Platform
installation.

Security Fix(es):

* libthrift: potential DoS when processing untrusted payloads
(CVE-2020-13949)

* golang: math/big: panic during recursive division of very large numbers
(CVE-2020-28362)

* nodejs-lodash: ReDoS via the toNumber, trim and trimEnd functions
(CVE-2020-28500)

* golang: crypto/elliptic: incorrect operations on the P-224 curve
(CVE-2021-3114)

* nodejs-lodash: command injection via template (CVE-2021-23337)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://docs.openshift.com/container-platform/4.7/jaeger/jaeger_install/rhbjaeger-updating.html

4. Bugs fixed (https://bugzilla.redhat.com/):

1897635 – CVE-2020-28362 golang: math/big: panic during recursive division of very large numbers
1918750 – CVE-2021-3114 golang: crypto/elliptic: incorrect operations on the P-224 curve
1928172 – CVE-2020-13949 libthrift: potential DoS when processing untrusted payloads
1928937 – CVE-2021-23337 nodejs-lodash: command injection via template
1928954 – CVE-2020-28500 nodejs-lodash: ReDoS via the toNumber, trim and trimEnd functions

5. References:

https://access.redhat.com/security/cve/CVE-2016-10228
https://access.redhat.com/security/cve/CVE-2017-14502
https://access.redhat.com/security/cve/CVE-2019-2708
https://access.redhat.com/security/cve/CVE-2019-3842
https://access.redhat.com/security/cve/CVE-2019-9169
https://access.redhat.com/security/cve/CVE-2019-25013
https://access.redhat.com/security/cve/CVE-2020-8231
https://access.redhat.com/security/cve/CVE-2020-8284
https://access.redhat.com/security/cve/CVE-2020-8285
https://access.redhat.com/security/cve/CVE-2020-8286
https://access.redhat.com/security/cve/CVE-2020-8927
https://access.redhat.com/security/cve/CVE-2020-13434
https://access.redhat.com/security/cve/CVE-2020-13776
https://access.redhat.com/security/cve/CVE-2020-13949
https://access.redhat.com/security/cve/CVE-2020-15358
https://access.redhat.com/security/cve/CVE-2020-24977
https://access.redhat.com/security/cve/CVE-2020-26116
https://access.redhat.com/security/cve/CVE-2020-27618
https://access.redhat.com/security/cve/CVE-2020-27619
https://access.redhat.com/security/cve/CVE-2020-28196
https://access.redhat.com/security/cve/CVE-2020-28362
https://access.redhat.com/security/cve/CVE-2020-28500
https://access.redhat.com/security/cve/CVE-2020-29361
https://access.redhat.com/security/cve/CVE-2020-29362
https://access.redhat.com/security/cve/CVE-2020-29363
https://access.redhat.com/security/cve/CVE-2021-3114
https://access.redhat.com/security/cve/CVE-2021-3177
https://access.redhat.com/security/cve/CVE-2021-3326
https://access.redhat.com/security/cve/CVE-2021-3449
https://access.redhat.com/security/cve/CVE-2021-3450
https://access.redhat.com/security/cve/CVE-2021-20305
https://access.redhat.com/security/cve/CVE-2021-23336
https://access.redhat.com/security/cve/CVE-2021-23337
https://access.redhat.com/security/cve/CVE-2021-27219
https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation’s
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT’s members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation’s
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author’s website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----

The post ESB-2021.2232 – [RedHat] Red Hat OpenShift Jaeger: Multiple vulnerabilities appeared first on Malware Devil.

https://malwaredevil.com/2021/06/25/esb-2021-2232-redhat-red-hat-openshift-jaeger-multiple-vulnerabilities/?utm_source=rss&utm_medium=rss&utm_campaign=esb-2021-2232-redhat-red-hat-openshift-jaeger-multiple-vulnerabilities