Compatible Support Forums
[RHSA-2014:0423-01] Critical: openshift-origin-broker security update

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Critical: openshift-origin-broker security update
Advisory ID:       RHSA-2014:0423-01
Product:           Red Hat OpenShift Enterprise
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-0423.html
Issue date:        2014-04-23
CVE Names:         CVE-2014-0188
=====================================================================

1. Summary:

Updated openshift-origin-broker and
rubygem-openshift-origin-auth-remote-user packages that fix one security
issue are now available for Red Hat OpenShift Enterprise 2.0.5.

The Red Hat Security Response Team has rated this update as having Critical
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

2. Relevant releases/architectures:

RHOSE Infrastructure 2.0 - noarch

3. Description:

The openshift-origin-broker package provides the OpenShift Broker service
that manages all user logins, DNS name resolution, application states, and
general orchestration of the applications.

The rubygem-openshift-origin-auth-remote-user package provides the remote
user authentication plug-in.

A flaw was found in the way openshift-origin-broker handled authentication
requests via the remote user authentication plug-in. A remote attacker able
to submit a request to openshift-origin-broker could set the X-Remote-User
header, and send the request to a passthrough trigger, resulting in a
bypass of the authentication checks to gain access to any OpenShift user
account on the system. (CVE-2014-0188)
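The flaw described above is an instance of a broker trusting a proxy-set identity header on a path the proxy never authenticated. The Ruby sketch below is added here as an illustration and is not code from openshift-origin-broker or the remote-user plug-in; it shows the trusting pattern beside a hardened check, and the passthrough path list and sample requests are constructed.

```ruby
# Added illustration of the CVE-2014-0188 bug class: a broker trusting a
# proxy-set identity header on a path the proxy never authenticated. This is
# not the openshift-origin-broker or remote-user plug-in code; the paths and
# requests below are constructed for the example.

# Paths that the front-end httpd forwards WITHOUT authenticating the client
# ("passthrough" locations). In a real deployment this comes from the httpd
# configuration; here it is a constructed placeholder.
PASSTHROUGH_PATHS = ['/broker/rest/api', '/broker/rest/environment'].freeze

class HeaderAuthError < StandardError; end

# Trusting pattern: X-Remote-User is believed unconditionally, so a request
# that reaches a passthrough path decides which account the broker acts as.
def vulnerable_authenticate(env)
  user = env['HTTP_X_REMOTE_USER']
  raise HeaderAuthError, 'no remote user' if user.nil? || user.empty?
  user
end

# Hardened pattern: the header counts as identity only when httpd actually
# authenticated the request, i.e. the path is not a passthrough location.
# On passthrough paths the header is ignored whatever it contains and the
# request is handled as anonymous (nil). Independently, the proxy should
# strip any client-supplied X-Remote-User before setting its own; this
# broker-side check is defence in depth against that being misconfigured.
def hardened_authenticate(env)
  path = env['PATH_INFO'].to_s
  passthrough = PASSTHROUGH_PATHS.any? { |p| path == p || path.start_with?("#{p}/") }
  return nil if passthrough
  user = env['HTTP_X_REMOTE_USER']
  raise HeaderAuthError, 'no remote user' if user.nil? || user.empty?
  user
end

# Constructed sample requests in Rack-style env form: one that httpd
# authenticated, one that reached a passthrough path with a client-chosen header.
AUTHENTICATED_REQ = { 'PATH_INFO' => '/broker/rest/user',
                      'HTTP_X_REMOTE_USER' => 'alice' }.freeze
PASSTHROUGH_REQ   = { 'PATH_INFO' => '/broker/rest/api',
                      'HTTP_X_REMOTE_USER' => 'admin' }.freeze

if __FILE__ == $PROGRAM_NAME
  puts "trusting,  passthrough:   #{vulnerable_authenticate(PASSTHROUGH_REQ)}"
  puts "hardened,  passthrough:   #{hardened_authenticate(PASSTHROUGH_REQ).inspect}"
  puts "hardened,  authenticated: #{hardened_authenticate(AUTHENTICATED_REQ)}"
end
```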

 

All users of Red Hat OpenShift Enterprise 2.0.5 are advised to upgrade to
these updated packages, which contain a backported patch to correct this
issue. After installing the updated packages, restart the httpd daemon for
this update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/site/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1090120 - CVE-2014-0188 OpenShift: openshift-origin-broker plugin allows impersonation

6. Package List:

RHOSE Infrastructure 2.0:

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/RHOSE/SRPMS/openshift-origin-broker-1.15.3.5-1.el6op.src.rpm
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/RHOSE/SRPMS/rubygem-openshift-origin-auth-remote-user-1.17.4-1.el6op.src.rpm

noarch:
openshift-origin-broker-1.15.3.5-1.el6op.noarch.rpm
rubygem-openshift-origin-auth-remote-user-1.17.4-1.el6op.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2014-0188.html
https://access.redhat.com/security/updates/classification/#critical

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFTV2KIXlSAg2UNWIIRAi1ZAKDDA0gc1LrSNOLX5kDP86UVDxDRpwCglnXK
zwN7TGkU4qCRCXEFfclaxG4=
=kKJV
-----END PGP SIGNATURE-----

 

 
