-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================                   
Red Hat Security Advisory

Synopsis:          Moderate: OpenShift Container Platform 4.6.1 image security update
Advisory ID:       RHSA-2020:4298-01
Product:           Red Hat OpenShift Enterprise
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:4298
Issue date:        2020-10-27
CVE Names:         CVE-2013-0169 CVE-2016-10739 CVE-2018-9251
                   CVE-2018-14404 CVE-2018-14498 CVE-2018-16890
                   CVE-2018-18074 CVE-2018-18624 CVE-2018-18751
                   CVE-2018-19519 CVE-2018-20060 CVE-2018-20337
                   CVE-2018-20483 CVE-2018-20657 CVE-2018-20852
                   CVE-2019-1547 CVE-2019-1549 CVE-2019-1563
                   CVE-2019-3822 CVE-2019-3823 CVE-2019-3825
                   CVE-2019-3843 CVE-2019-3844 CVE-2019-5094
                   CVE-2019-5436 CVE-2019-5481 CVE-2019-5482
                   CVE-2019-5953 CVE-2019-6237 CVE-2019-6251
                   CVE-2019-6454 CVE-2019-6706 CVE-2019-7146
                   CVE-2019-7149 CVE-2019-7150 CVE-2019-7664
                   CVE-2019-7665 CVE-2019-8457 CVE-2019-8506
                   CVE-2019-8518 CVE-2019-8523 CVE-2019-8524
                   CVE-2019-8535 CVE-2019-8536 CVE-2019-8544
                   CVE-2019-8558 CVE-2019-8559 CVE-2019-8563
                   CVE-2019-8571 CVE-2019-8583 CVE-2019-8584
                   CVE-2019-8586 CVE-2019-8587 CVE-2019-8594
                   CVE-2019-8595 CVE-2019-8596 CVE-2019-8597
                   CVE-2019-8601 CVE-2019-8607 CVE-2019-8608
                   CVE-2019-8609 CVE-2019-8610 CVE-2019-8611
                   CVE-2019-8615 CVE-2019-8619 CVE-2019-8622
                   CVE-2019-8623 CVE-2019-8666 CVE-2019-8671
                   CVE-2019-8672 CVE-2019-8673 CVE-2019-8675
                   CVE-2019-8676 CVE-2019-8677 CVE-2019-8679
                   CVE-2019-8681 CVE-2019-8686 CVE-2019-8687
                   CVE-2019-8689 CVE-2019-8690 CVE-2019-8696
                   CVE-2019-8726 CVE-2019-8735 CVE-2019-8768
                   CVE-2019-11070 CVE-2019-11236 CVE-2019-11324
                   CVE-2019-11358 CVE-2019-11459 CVE-2019-12447
                   CVE-2019-12448 CVE-2019-12449 CVE-2019-12450
                   CVE-2019-12795 CVE-2019-13232 CVE-2019-13636
                   CVE-2019-13752 CVE-2019-13753 CVE-2019-14822
                   CVE-2019-14973 CVE-2019-15718 CVE-2019-15847
                   CVE-2019-16056 CVE-2019-16769 CVE-2019-17451
                   CVE-2019-18408 CVE-2019-19126 CVE-2019-19923
                   CVE-2019-19924 CVE-2019-19925 CVE-2019-19959
                   CVE-2019-1010180 CVE-2019-1010204 CVE-2020-1712
                   CVE-2020-7013 CVE-2020-7598 CVE-2020-7662
                   CVE-2020-8203 CVE-2020-9283 CVE-2020-10531
                   CVE-2020-10715 CVE-2020-10743 CVE-2020-11008
                   CVE-2020-11022 CVE-2020-11023 CVE-2020-11110
                   CVE-2020-12049 CVE-2020-12052 CVE-2020-12245
                   CVE-2020-13822 CVE-2020-14040 CVE-2020-14336
                   CVE-2020-15366 CVE-2020-15719
====================================================================
1. Summary:

An update is now available for Red Hat OpenShift Container Platform 4.6.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.

Security Fix(es):

* golang.org/x/crypto: Processing of crafted ssh-ed25519 public keys allows
for panic (CVE-2020-9283)

* SSL/TLS: CBC padding timing attack (lucky-13) (CVE-2013-0169)

* grafana: XSS vulnerability via a column style on the "Dashboard > Table
Panel" screen (CVE-2018-18624)

* js-jquery: prototype pollution in object's prototype leading to denial of
service or remote code execution or property injection (CVE-2019-11358)

* npm-serialize-javascript: XSS via unsafe characters in serialized regular
expressions (CVE-2019-16769)

* kibana: Prototype pollution in TSVB could result in arbitrary code
execution (ESA-2020-06) (CVE-2020-7013)

* nodejs-minimist: prototype pollution allows adding or modifying
properties of Object.prototype using a constructor or __proto__ payload
(CVE-2020-7598)

* npmjs-websocket-extensions: ReDoS vulnerability in
Sec-WebSocket-Extensions parser (CVE-2020-7662)

* nodejs-lodash: prototype pollution in zipObjectDeep function
(CVE-2020-8203)

* jquery: Cross-site scripting due to improper injQuery.htmlPrefilter
method (CVE-2020-11022)

* jQuery: passing HTML containing <option> elements to manipulation methods
could result in untrusted code execution (CVE-2020-11023)

* grafana: stored XSS (CVE-2020-11110)

* grafana: XSS annotation popup vulnerability (CVE-2020-12052)

* grafana: XSS via column.title or cellLinkTooltip (CVE-2020-12245)

* nodejs-elliptic: improper encoding checks allows a certain degree of
signature malleability in ECDSA signatures (CVE-2020-13822)

* golang.org/x/text: possibility to trigger an infinite loop in
encoding/unicode could lead to crash (CVE-2020-14040)

* nodejs-ajv: prototype pollution via crafted JSON schema in ajv.validate
function (CVE-2020-15366)

* openshift/console: text injection on error page via crafted url
(CVE-2020-10715)

* kibana: X-Frame-Option not set by default might lead to clickjacking
(CVE-2020-10743)

* openshift: restricted SCC allows pods to craft custom network packets
(CVE-2020-14336)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

3. Solution:

For OpenShift Container Platform 4.6 see the following documentation, which
will be updated shortly for this release, for important instructions on how
to upgrade your cluster and fully apply this asynchronous errata update:

https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-rel
ease-notes.html

Details on how to access this content are available at
https://docs.openshift.com/container-platform/4.6/updating/updating-cluster
- -cli.html.

4. Bugs fixed (https://bugzilla.redhat.com/):

907589 - CVE-2013-0169 SSL/TLS: CBC padding timing attack (lucky-13)
1701972 - CVE-2019-11358 jquery: Prototype pollution in object's prototype leading to denial of service, remote code execution, or property injection
1767665 - CVE-2020-10715 openshift/console: text injection on error page via crafted url
1804533 - CVE-2020-9283 golang.org/x/crypto: Processing of crafted ssh-ed25519 public keys allows for panic
1813344 - CVE-2020-7598 nodejs-minimist: prototype pollution allows adding or modifying properties of Object.prototype using a constructor or __proto__ payload
1828406 - CVE-2020-11022 jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method
1834550 - CVE-2020-10743 kibana: X-Frame-Option not set by default might lead to clickjacking
1845982 - CVE-2020-7662 npmjs-websocket-extensions: ReDoS vulnerability in Sec-WebSocket-Extensions parser
1848089 - CVE-2020-12052 grafana: XSS annotation popup vulnerability
1848092 - CVE-2019-16769 npm-serialize-javascript: XSS via unsafe characters in serialized regular expressions
1848643 - CVE-2020-12245 grafana: XSS via column.title or cellLinkTooltip
1848647 - CVE-2020-13822 nodejs-elliptic: improper encoding checks allows a certain degree of signature malleability in ECDSA signatures
1849044 - CVE-2020-7013 kibana: Prototype pollution in TSVB could result in arbitrary code execution (ESA-2020-06)
1850004 - CVE-2020-11023 jquery: Passing HTML containing <option> elements to manipulation methods could result in untrusted code execution
1850572 - CVE-2018-18624 grafana: XSS vulnerability via a column style on the "Dashboard > Table Panel" screen
1853652 - CVE-2020-14040 golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash
1857412 - CVE-2020-8203 nodejs-lodash: prototype pollution in zipObjectDeep function
1857977 - CVE-2020-15366 nodejs-ajv: prototype pollution via crafted JSON schema in ajv.validate function
1858981 - CVE-2020-14336 openshift: restricted SCC allows pods to craft custom network packets
1861044 - CVE-2020-11110 grafana: stored XSS
1874671 - CVE-2020-14336 ose-machine-config-operator-container: openshift: restricted SCC allows pods to craft custom network packets [openshift-4]

5. References:

https://access.redhat.com/security/cve/CVE-2013-0169
https://access.redhat.com/security/cve/CVE-2016-10739
https://access.redhat.com/security/cve/CVE-2018-9251
https://access.redhat.com/security/cve/CVE-2018-14404
https://access.redhat.com/security/cve/CVE-2018-14498
https://access.redhat.com/security/cve/CVE-2018-16890
https://access.redhat.com/security/cve/CVE-2018-18074
https://access.redhat.com/security/cve/CVE-2018-18624
https://access.redhat.com/security/cve/CVE-2018-18751
https://access.redhat.com/security/cve/CVE-2018-19519
https://access.redhat.com/security/cve/CVE-2018-20060
https://access.redhat.com/security/cve/CVE-2018-20337
https://access.redhat.com/security/cve/CVE-2018-20483
https://access.redhat.com/security/cve/CVE-2018-20657
https://access.redhat.com/security/cve/CVE-2018-20852
https://access.redhat.com/security/cve/CVE-2019-1547
https://access.redhat.com/security/cve/CVE-2019-1549
https://access.redhat.com/security/cve/CVE-2019-1563
https://access.redhat.com/security/cve/CVE-2019-3822
https://access.redhat.com/security/cve/CVE-2019-3823
https://access.redhat.com/security/cve/CVE-2019-3825
https://access.redhat.com/security/cve/CVE-2019-3843
https://access.redhat.com/security/cve/CVE-2019-3844
https://access.redhat.com/security/cve/CVE-2019-5094
https://access.redhat.com/security/cve/CVE-2019-5436
https://access.redhat.com/security/cve/CVE-2019-5481
https://access.redhat.com/security/cve/CVE-2019-5482
https://access.redhat.com/security/cve/CVE-2019-5953
https://access.redhat.com/security/cve/CVE-2019-6237
https://access.redhat.com/security/cve/CVE-2019-6251
https://access.redhat.com/security/cve/CVE-2019-6454
https://access.redhat.com/security/cve/CVE-2019-6706
https://access.redhat.com/security/cve/CVE-2019-7146
https://access.redhat.com/security/cve/CVE-2019-7149
https://access.redhat.com/security/cve/CVE-2019-7150
https://access.redhat.com/security/cve/CVE-2019-7664
https://access.redhat.com/security/cve/CVE-2019-7665
https://access.redhat.com/security/cve/CVE-2019-8457
https://access.redhat.com/security/cve/CVE-2019-8506
https://access.redhat.com/security/cve/CVE-2019-8518
https://access.redhat.com/security/cve/CVE-2019-8523
https://access.redhat.com/security/cve/CVE-2019-8524
https://access.redhat.com/security/cve/CVE-2019-8535
https://access.redhat.com/security/cve/CVE-2019-8536
https://access.redhat.com/security/cve/CVE-2019-8544
https://access.redhat.com/security/cve/CVE-2019-8558
https://access.redhat.com/security/cve/CVE-2019-8559
https://access.redhat.com/security/cve/CVE-2019-8563
https://access.redhat.com/security/cve/CVE-2019-8571
https://access.redhat.com/security/cve/CVE-2019-8583
https://access.redhat.com/security/cve/CVE-2019-8584
https://access.redhat.com/security/cve/CVE-2019-8586
https://access.redhat.com/security/cve/CVE-2019-8587
https://access.redhat.com/security/cve/CVE-2019-8594
https://access.redhat.com/security/cve/CVE-2019-8595
https://access.redhat.com/security/cve/CVE-2019-8596
https://access.redhat.com/security/cve/CVE-2019-8597
https://access.redhat.com/security/cve/CVE-2019-8601
https://access.redhat.com/security/cve/CVE-2019-8607
https://access.redhat.com/security/cve/CVE-2019-8608
https://access.redhat.com/security/cve/CVE-2019-8609
https://access.redhat.com/security/cve/CVE-2019-8610
https://access.redhat.com/security/cve/CVE-2019-8611
https://access.redhat.com/security/cve/CVE-2019-8615
https://access.redhat.com/security/cve/CVE-2019-8619
https://access.redhat.com/security/cve/CVE-2019-8622
https://access.redhat.com/security/cve/CVE-2019-8623
https://access.redhat.com/security/cve/CVE-2019-8666
https://access.redhat.com/security/cve/CVE-2019-8671
https://access.redhat.com/security/cve/CVE-2019-8672
https://access.redhat.com/security/cve/CVE-2019-8673
https://access.redhat.com/security/cve/CVE-2019-8675
https://access.redhat.com/security/cve/CVE-2019-8676
https://access.redhat.com/security/cve/CVE-2019-8677
https://access.redhat.com/security/cve/CVE-2019-8679
https://access.redhat.com/security/cve/CVE-2019-8681
https://access.redhat.com/security/cve/CVE-2019-8686
https://access.redhat.com/security/cve/CVE-2019-8687
https://access.redhat.com/security/cve/CVE-2019-8689
https://access.redhat.com/security/cve/CVE-2019-8690
https://access.redhat.com/security/cve/CVE-2019-8696
https://access.redhat.com/security/cve/CVE-2019-8726
https://access.redhat.com/security/cve/CVE-2019-8735
https://access.redhat.com/security/cve/CVE-2019-8768
https://access.redhat.com/security/cve/CVE-2019-11070
https://access.redhat.com/security/cve/CVE-2019-11236
https://access.redhat.com/security/cve/CVE-2019-11324
https://access.redhat.com/security/cve/CVE-2019-11358
https://access.redhat.com/security/cve/CVE-2019-11459
https://access.redhat.com/security/cve/CVE-2019-12447
https://access.redhat.com/security/cve/CVE-2019-12448
https://access.redhat.com/security/cve/CVE-2019-12449
https://access.redhat.com/security/cve/CVE-2019-12450
https://access.redhat.com/security/cve/CVE-2019-12795
https://access.redhat.com/security/cve/CVE-2019-13232
https://access.redhat.com/security/cve/CVE-2019-13636
https://access.redhat.com/security/cve/CVE-2019-13752
https://access.redhat.com/security/cve/CVE-2019-13753
https://access.redhat.com/security/cve/CVE-2019-14822
https://access.redhat.com/security/cve/CVE-2019-14973
https://access.redhat.com/security/cve/CVE-2019-15718
https://access.redhat.com/security/cve/CVE-2019-15847
https://access.redhat.com/security/cve/CVE-2019-16056
https://access.redhat.com/security/cve/CVE-2019-16769
https://access.redhat.com/security/cve/CVE-2019-17451
https://access.redhat.com/security/cve/CVE-2019-18408
https://access.redhat.com/security/cve/CVE-2019-19126
https://access.redhat.com/security/cve/CVE-2019-19923
https://access.redhat.com/security/cve/CVE-2019-19924
https://access.redhat.com/security/cve/CVE-2019-19925
https://access.redhat.com/security/cve/CVE-2019-19959
https://access.redhat.com/security/cve/CVE-2019-1010180
https://access.redhat.com/security/cve/CVE-2019-1010204
https://access.redhat.com/security/cve/CVE-2020-1712
https://access.redhat.com/security/cve/CVE-2020-7013
https://access.redhat.com/security/cve/CVE-2020-7598
https://access.redhat.com/security/cve/CVE-2020-7662
https://access.redhat.com/security/cve/CVE-2020-8203
https://access.redhat.com/security/cve/CVE-2020-9283
https://access.redhat.com/security/cve/CVE-2020-10531
https://access.redhat.com/security/cve/CVE-2020-10715
https://access.redhat.com/security/cve/CVE-2020-10743
https://access.redhat.com/security/cve/CVE-2020-11008
https://access.redhat.com/security/cve/CVE-2020-11022
https://access.redhat.com/security/cve/CVE-2020-11023
https://access.redhat.com/security/cve/CVE-2020-11110
https://access.redhat.com/security/cve/CVE-2020-12049
https://access.redhat.com/security/cve/CVE-2020-12052
https://access.redhat.com/security/cve/CVE-2020-12245
https://access.redhat.com/security/cve/CVE-2020-13822
https://access.redhat.com/security/cve/CVE-2020-14040
https://access.redhat.com/security/cve/CVE-2020-14336
https://access.redhat.com/security/cve/CVE-2020-15366
https://access.redhat.com/security/cve/CVE-2020-15719
https://access.redhat.com/security/updates/classification/#moderate

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBX5hNRdzjgjWX9erEAQjWHw//Vb+pq3h/VBFJSPE25X1FEd1tnEGewpXd
1l3ZHxzr40FNlnC/k7dlJr4Fo6QOTY4FqS7Ln3xzjHKWsCj/eV+3MjHI0jBmrMyq
ppRDgNiExWqpfF2/docyjHOkQYDnoeAAzl8m6cAOIsmy12O3AlwH2eLQYUHLsbqg
fvewGC0Xn1w8FfrAdrcLq5eTzBST/v/tLXetKNxO5l3YD2sBQyiYe6ECrkZaVaWZ
OStJb6QOZ4vraibjXvHGx/JJr8F9h+7lYEA1QXU5sWOISGnF0VKEa0sH1/GzQ1HI
7Zau1Pajm1wNmLS8kkIgcmufij63YO22DscW5pndUJEnGIc6ZkbS/Ck9gKZCDEVn
3xqa69DivlpUeIdCmnxgBMNX1RL2jKWKT8JgpmTH8eu8ZE1ALY/sEbk4irueRzox
MHowSLTHr4vqk+5aDL+obkTw/ZonokKqbkVjuzcZcN6cLSBHRo5LoQ3Sohy/RKhC
CU2nBfbCQjaCKhN/zW5m7jJLAlD4gLXeBB98m4CTg270ZSt9Oew0Y/a7itjSJUv+
69uv2J88uMrnF4gwNolVn4Ekes/XxxlPzGm7Crw33n7mIneOISmIvOJ3DVuuoFwf
lOgL4ZaIquTxcVdTCsZl5CaOqDKrCmBJc+e12ZUol8V0jkrUaR6ChSXK6W4sEuYa
zXRPCSPuxw0=vK2F
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce