Risk: Medium
Patch available: Yes
Number of vulnerabilities: 3
CVE-ID: CVE-2019-11840, CVE-2020-8554, CVE-2020-26137
CWE-ID: CWE-330, CWE-20, CWE-93
Exploitation vector: Network
Public exploit: N/A
Vulnerable software:
- Red Hat OpenShift Container Platform (Client/Desktop applications / Software for system administration)
- The following Red Hat packages (Operating systems & Components / Operating system package or component): openshift-kuryr, openshift-enterprise-cluster-capacity, openshift-enterprise-autoheal, openshift-ansible, golang-github-prometheus-prometheus, golang-github-prometheus-node_exporter, golang-github-prometheus-alertmanager, golang-github-openshift-oauth-proxy, atomic-openshift-web-console, atomic-openshift-service-idler, atomic-openshift-node-problem-detector, atomic-openshift-metrics-server, atomic-openshift-dockerregistry, atomic-openshift-descheduler, atomic-openshift-cluster-autoscaler, atomic-openshift, atomic-enterprise-service-catalog, python-urllib3
Vendor: Red Hat Inc.
Security Bulletin
This security bulletin contains information about 3 vulnerabilities.
EUVDB-ID: #VU73227
Risk: Medium
CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2019-11840
CWE-ID:
CWE-330 - Use of Insufficiently Random Values
Exploit availability: No
Description: The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists in the amd64 implementation of golang.org/x/crypto/salsa20 and golang.org/x/crypto/salsa20/salsa. A remote unauthenticated attacker can trigger the vulnerability and gain access to sensitive information.
Mitigation: Install updates from the vendor's website.
Red Hat OpenShift Container Platform: before 3.11.374
openshift-kuryr (Red Hat package): before 3.11.374-1.git.1478.ef11824.el7
openshift-enterprise-cluster-capacity (Red Hat package): before 3.11.374-1.git.379.80bd08f.el7
openshift-enterprise-autoheal (Red Hat package): before 3.11.374-1.git.218.9cf7939.el7
openshift-ansible (Red Hat package): before 3.11.374-1.git.0.92f5956.el7
golang-github-prometheus-prometheus (Red Hat package): before 3.11.374-1.git.5026.29379c4.el7
golang-github-prometheus-node_exporter (Red Hat package): before 3.11.374-1.git.1062.490d6d5.el7
golang-github-prometheus-alertmanager (Red Hat package): before 3.11.374-1.git.0.3abd2a5.el7
golang-github-openshift-oauth-proxy (Red Hat package): before 3.11.374-1.git.439.966c536.el7
atomic-openshift-web-console (Red Hat package): before 3.11.374-1.git.647.9e78d83.el7
atomic-openshift-service-idler (Red Hat package): before 3.11.374-1.git.15.523a1f7.el7
atomic-openshift-node-problem-detector (Red Hat package): before 3.11.374-1.git.263.28335fb.el7
atomic-openshift-metrics-server (Red Hat package): before 3.11.374-1.git.53.9df25a9.el7
atomic-openshift-dockerregistry (Red Hat package): before 3.11.374-1.git.481.e6a880c.el7
atomic-openshift-descheduler (Red Hat package): before 3.11.374-1.git.299.f128e96.el7
atomic-openshift-cluster-autoscaler (Red Hat package): before 3.11.374-1.git.0.2996f62.el7
atomic-openshift (Red Hat package): before 3.11.374-1.git.0.ebd3ee9.el7
atomic-enterprise-service-catalog (Red Hat package): before 3.11.374-1.git.1675.738abcc.el7
python-urllib3 (Red Hat package): before 1.26.2-1.el7
CPE2.3:
https://access.redhat.com/errata/RHSA-2021:0079
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU60104
Risk: Medium
CVSSv4.0: 0.6 [CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-8554
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
Description: The vulnerability allows a remote authenticated user to read and manipulate data.
The vulnerability exists due to improper input validation within the UDR (Kubernetes API) component in Oracle Communications Cloud Native Core Unified Data Repository. A remote authenticated user can exploit this vulnerability to read and manipulate data.
Mitigation: Install updates from the vendor's website.
Red Hat OpenShift Container Platform: before 3.11.374
openshift-kuryr (Red Hat package): before 3.11.374-1.git.1478.ef11824.el7
openshift-enterprise-cluster-capacity (Red Hat package): before 3.11.374-1.git.379.80bd08f.el7
openshift-enterprise-autoheal (Red Hat package): before 3.11.374-1.git.218.9cf7939.el7
openshift-ansible (Red Hat package): before 3.11.374-1.git.0.92f5956.el7
golang-github-prometheus-prometheus (Red Hat package): before 3.11.374-1.git.5026.29379c4.el7
golang-github-prometheus-node_exporter (Red Hat package): before 3.11.374-1.git.1062.490d6d5.el7
golang-github-prometheus-alertmanager (Red Hat package): before 3.11.374-1.git.0.3abd2a5.el7
golang-github-openshift-oauth-proxy (Red Hat package): before 3.11.374-1.git.439.966c536.el7
atomic-openshift-web-console (Red Hat package): before 3.11.374-1.git.647.9e78d83.el7
atomic-openshift-service-idler (Red Hat package): before 3.11.374-1.git.15.523a1f7.el7
atomic-openshift-node-problem-detector (Red Hat package): before 3.11.374-1.git.263.28335fb.el7
atomic-openshift-metrics-server (Red Hat package): before 3.11.374-1.git.53.9df25a9.el7
atomic-openshift-dockerregistry (Red Hat package): before 3.11.374-1.git.481.e6a880c.el7
atomic-openshift-descheduler (Red Hat package): before 3.11.374-1.git.299.f128e96.el7
atomic-openshift-cluster-autoscaler (Red Hat package): before 3.11.374-1.git.0.2996f62.el7
atomic-openshift (Red Hat package): before 3.11.374-1.git.0.ebd3ee9.el7
atomic-enterprise-service-catalog (Red Hat package): before 3.11.374-1.git.1675.738abcc.el7
python-urllib3 (Red Hat package): before 1.26.2-1.el7
CPE2.3:
https://access.redhat.com/errata/RHSA-2021:0079
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU47403
Risk: Medium
CVSSv4.0: 0.6 [CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2020-26137
CWE-ID:
CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')
Exploit availability: No
Description: The vulnerability allows a remote attacker to inject arbitrary data into the server response.
The vulnerability exists due to insufficient validation of attacker-supplied data passed via the "method" parameter. A remote authenticated attacker can pass specially crafted data containing CR-LF characters to the application and modify application behavior.
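The kind of check that closes this bug class, shown as an added example that is not urllib3's or Red Hat's code: an HTTP method is only valid if it is an RFC 7230 token, so a method string carrying CR or LF must be rejected before it is interpolated into the request line. The function names and the `validate` flag are hypothetical; the unvalidated path is included only to show why the check is needed.

```python
import re

# RFC 7230 "tchar": the only characters allowed in an HTTP method token.
# Anything else (including CR and LF) makes the method invalid. This is a
# standalone reimplementation written for this example, not urllib3's code.
_NON_TOKEN_CHAR_RE = re.compile(r"[^-!#$%&'*+.^_`|~0-9a-zA-Z]")


def validate_method(method: str) -> str:
    """Return `method` unchanged if it is a valid token, else raise ValueError."""
    if not method or _NON_TOKEN_CHAR_RE.search(method):
        raise ValueError("Method cannot contain non-token characters: %r" % (method,))
    return method


def build_request_line(method: str, target: str, validate: bool = True) -> str:
    """Assemble an HTTP/1.1 request line.

    validate=False mimics the unfixed behaviour: the method is interpolated
    verbatim, so a CR LF inside it terminates the request line early and the
    remainder is parsed as additional header lines.  validate=True is the
    hardened form: the method is checked before it touches the wire format.
    """
    if validate:
        method = validate_method(method)
    return "%s %s HTTP/1.1\r\n" % (method, target)


def head_line_count(wire: str) -> int:
    """Number of non-empty lines a receiver would parse from the request head."""
    return len([line for line in wire.split("\r\n") if line])


if __name__ == "__main__":
    # Constructed sample input: a legitimate method and one carrying CR LF.
    print(build_request_line("GET", "/index.html"))
    try:
        build_request_line("GET\r\nX-Injected: 1", "/index.html")
    except ValueError as exc:
        print("rejected:", exc)
```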
Mitigation: Install updates from the vendor's website.
Red Hat OpenShift Container Platform: before 3.11.374
openshift-kuryr (Red Hat package): before 3.11.374-1.git.1478.ef11824.el7
openshift-enterprise-cluster-capacity (Red Hat package): before 3.11.374-1.git.379.80bd08f.el7
openshift-enterprise-autoheal (Red Hat package): before 3.11.374-1.git.218.9cf7939.el7
openshift-ansible (Red Hat package): before 3.11.374-1.git.0.92f5956.el7
golang-github-prometheus-prometheus (Red Hat package): before 3.11.374-1.git.5026.29379c4.el7
golang-github-prometheus-node_exporter (Red Hat package): before 3.11.374-1.git.1062.490d6d5.el7
golang-github-prometheus-alertmanager (Red Hat package): before 3.11.374-1.git.0.3abd2a5.el7
golang-github-openshift-oauth-proxy (Red Hat package): before 3.11.374-1.git.439.966c536.el7
atomic-openshift-web-console (Red Hat package): before 3.11.374-1.git.647.9e78d83.el7
atomic-openshift-service-idler (Red Hat package): before 3.11.374-1.git.15.523a1f7.el7
atomic-openshift-node-problem-detector (Red Hat package): before 3.11.374-1.git.263.28335fb.el7
atomic-openshift-metrics-server (Red Hat package): before 3.11.374-1.git.53.9df25a9.el7
atomic-openshift-dockerregistry (Red Hat package): before 3.11.374-1.git.481.e6a880c.el7
atomic-openshift-descheduler (Red Hat package): before 3.11.374-1.git.299.f128e96.el7
atomic-openshift-cluster-autoscaler (Red Hat package): before 3.11.374-1.git.0.2996f62.el7
atomic-openshift (Red Hat package): before 3.11.374-1.git.0.ebd3ee9.el7
atomic-enterprise-service-catalog (Red Hat package): before 3.11.374-1.git.1675.738abcc.el7
python-urllib3 (Red Hat package): before 1.26.2-1.el7
CPE2.3:
https://access.redhat.com/errata/RHSA-2021:0079
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.