SB2020121509 - Multiple vulnerabilities in OpenShift Container Platform

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) Inclusion of Sensitive Information in Log Files (CVE-ID: CVE-2020-8564)

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to software stores sensitive information into log files. In Kubernetes clusters using a logging level of at least 4, processing a malformed docker config file will result in the contents of the docker config file being leaked, which can include pull secrets or other registry credentials. A local user can read the log files and gain access to sensitive data.

2) Buffer overflow (CVE-ID: CVE-2015-8011)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the lldp_decode() function in daemon/protocols/lldp.c in lldpd. A remote attacker can pass specially crafted data to the application, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

3) Inclusion of Sensitive Information in Log Files (CVE-ID: CVE-2020-8563)

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to software stores sensitive information into log files. In Kubernetes clusters using VSphere as a cloud provider, with a logging level set to 4 or above, VSphere cloud credentials will be leaked in the cloud controller manager's log. A local user can read the log files and gain access to sensitive data.

Remediation

Install update from vendor's website.

References

• https://access.redhat.com/errata/RHSA-2020:5259