
[RHSA-2016:0351-01] Moderate: kubernetes security update


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: kubernetes security update
Advisory ID:       RHSA-2016:0351-01
Product:           Red Hat OpenShift Enterprise
Advisory URL:      https://access.redhat.com/errata/RHSA-2016:0351
Issue date:        2016-03-03
CVE Names:         CVE-2016-1905 CVE-2016-1906
=====================================================================

1. Summary:

Updated kubernetes packages that fix two security issues are now
available for Red Hat OpenShift Enterprise 3.0.2.

Red Hat Product Security has rated this update as having Moderate
security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat OpenShift Enterprise 3.0 - x86_64

3. Description:

OpenShift Enterprise by Red Hat is the company's cloud computing
Platform-as-a-Service (PaaS) solution designed for on-premise or
private cloud deployments.

An authorization flaw was discovered in Kubernetes; the API server did
not properly check user permissions when handling certain requests. An
authenticated remote attacker could use this flaw to gain additional
access to resources such as RAM and disk space. (CVE-2016-1905)

An authorization flaw was discovered in Kubernetes; the API server did
not properly check user permissions when handling certain build
configuration strategies. A remote attacker could create build
configurations with strategies that violate policy. Although the attacker
could not launch the build themselves (launch fails when the
policy is violated), if the build configuration files were later
launched by other privileged services (such as automated triggers),
user privileges could be bypassed allowing attacker escalation.
(CVE-2016-1906)
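The bug entry for CVE-2016-1905 later in this advisory summarises the defect as "patch operation should use patched object to check admission control": admission (the per-namespace resource ceiling) was evaluated against the object as already stored, and only then was the PATCH merged in, so a patch raising memory or disk requests above the ceiling was never inspected. The Go program below is an added illustration of that ordering mistake and of the corrected ordering; it is not Kubernetes or OpenShift code. PodSpec, LimitRange, Patch, the two patch handlers and every numeric value in it are constructed stand-ins for the real API objects.

```go
package main

import (
	"errors"
	"fmt"
)

// PodSpec is a constructed, minimal stand-in for the resource requests a pod
// carries; the real API object has many more fields.
type PodSpec struct {
	MemoryMiB int
	CPUMilli  int
}

// LimitRange is the per-namespace ceiling that admission control enforces
// (constructed values, not taken from any real cluster).
type LimitRange struct {
	MaxMemoryMiB int
	MaxCPUMilli  int
}

// Patch carries the fields a PATCH request wants to change; nil means "leave as is".
type Patch struct {
	MemoryMiB *int
	CPUMilli  *int
}

// ErrAdmission is returned when the object that would be stored breaks the LimitRange.
var ErrAdmission = errors.New("admission denied: request exceeds LimitRange")

// admit is the admission check. The whole point of the fix is WHICH object it sees.
func (lr LimitRange) admit(p PodSpec) error {
	if p.MemoryMiB > lr.MaxMemoryMiB || p.CPUMilli > lr.MaxCPUMilli {
		return fmt.Errorf("%w: mem=%dMi cpu=%dm", ErrAdmission, p.MemoryMiB, p.CPUMilli)
	}
	return nil
}

// applyPatch merges the patch into a copy of the stored object.
func applyPatch(stored PodSpec, patch Patch) PodSpec {
	out := stored
	if patch.MemoryMiB != nil {
		out.MemoryMiB = *patch.MemoryMiB
	}
	if patch.CPUMilli != nil {
		out.CPUMilli = *patch.CPUMilli
	}
	return out
}

// patchVulnerable models the pre-fix ordering named in bug 1297910: admission is
// evaluated on the object as currently stored and the patch is merged afterwards,
// so a patch that raises requests above the ceiling is never inspected.
func patchVulnerable(lr LimitRange, stored PodSpec, patch Patch) (PodSpec, error) {
	if err := lr.admit(stored); err != nil {
		return stored, err
	}
	return applyPatch(stored, patch), nil
}

// patchFixed merges first and runs admission on the object that will actually be
// persisted, which is what the fix changes.
func patchFixed(lr LimitRange, stored PodSpec, patch Patch) (PodSpec, error) {
	patched := applyPatch(stored, patch)
	if err := lr.admit(patched); err != nil {
		return stored, err // stored object is left untouched on rejection
	}
	return patched, nil
}

func intPtr(i int) *int { return &i }

func main() {
	lr := LimitRange{MaxMemoryMiB: 512, MaxCPUMilli: 500}
	stored := PodSpec{MemoryMiB: 256, CPUMilli: 250}
	over := Patch{MemoryMiB: intPtr(4096)} // eight times the namespace ceiling

	got, err := patchVulnerable(lr, stored, over)
	fmt.Printf("vulnerable: result=%+v err=%v\n", got, err)
	got, err = patchFixed(lr, stored, over)
	fmt.Printf("fixed:      result=%+v err=%v\n", got, err)
}
```

The design point is that an admission decision is only meaningful when it is made on the exact object that will be persisted; any handler that merges, defaults or mutates after the check reopens the gap. When reviewing or writing update paths, look for the check and the write operating on the same value.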

All OpenShift Enterprise 3.0 users are advised to upgrade to these
updated packages.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1297910 - CVE-2016-1905 Kubernetes api server: patch operation should use patched object to check admission control
1297916 - CVE-2016-1906 Kubernetes api server: build config to a strategy that isn't allowed by policy

6. Package List:

Red Hat OpenShift Enterprise 3.0:

Source:
openshift-3.0.2.0-0.git.45.423f434.el7ose.src.rpm

x86_64:
openshift-3.0.2.0-0.git.45.423f434.el7ose.x86_64.rpm
openshift-clients-3.0.2.0-0.git.45.423f434.el7ose.x86_64.rpm
openshift-master-3.0.2.0-0.git.45.423f434.el7ose.x86_64.rpm
openshift-node-3.0.2.0-0.git.45.423f434.el7ose.x86_64.rpm
openshift-sdn-ovs-3.0.2.0-0.git.45.423f434.el7ose.x86_64.rpm
tuned-profiles-openshift-node-3.0.2.0-0.git.45.423f434.el7ose.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
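To confirm that a host has actually picked up the builds listed above, the installed name-version-release of each package has to be compared with the fixed one using rpm's own ordering rules, not plain string comparison (0.git.45 must sort after 0.git.9, and 3.0.10 after 3.0.2). The Go program below is an added audit helper, not part of the advisory or of Red Hat tooling: fixedPackages is filled from the package list above, and rpmVerCmp is a reimplementation of the core segment rules of librpm's rpmvercmp that deliberately omits the tilde and caret special cases (an assumption that holds for these NVRs). The NVRs in main and in the test are constructed samples of rpm -qa output, and the two "older" ones are hypothetical builds.

```go
package main

import (
	"fmt"
	"strings"
)

// fixedPackages is the advisory's x86_64 package list, keyed by package name,
// with the version-release that carries the fix for both CVEs.
var fixedPackages = map[string]string{
	"openshift":                     "3.0.2.0-0.git.45.423f434.el7ose",
	"openshift-clients":             "3.0.2.0-0.git.45.423f434.el7ose",
	"openshift-master":              "3.0.2.0-0.git.45.423f434.el7ose",
	"openshift-node":                "3.0.2.0-0.git.45.423f434.el7ose",
	"openshift-sdn-ovs":             "3.0.2.0-0.git.45.423f434.el7ose",
	"tuned-profiles-openshift-node": "3.0.2.0-0.git.45.423f434.el7ose",
}

// splitNVR splits "name-version-release" at its last two dashes: names may
// contain dashes, versions and releases may not.
func splitNVR(nvr string) (name, version, release string, err error) {
	i := strings.LastIndex(nvr, "-")
	if i < 0 {
		return "", "", "", fmt.Errorf("no release in %q", nvr)
	}
	j := strings.LastIndex(nvr[:i], "-")
	if j < 0 {
		return "", "", "", fmt.Errorf("no version in %q", nvr)
	}
	return nvr[:j], nvr[j+1 : i], nvr[i+1:], nil
}

// segments splits a version string into maximal runs of digits or letters,
// discarding separators, which is how rpmvercmp tokenises its input.
func segments(s string) []string {
	var segs []string
	isDigit := func(c byte) bool { return c >= '0' && c <= '9' }
	isAlpha := func(c byte) bool { c |= 0x20; return c >= 'a' && c <= 'z' }
	for i := 0; i < len(s); {
		c := s[i]
		if !isDigit(c) && !isAlpha(c) {
			i++
			continue
		}
		j := i + 1
		for j < len(s) && isDigit(s[j]) == isDigit(c) && isAlpha(s[j]) == isAlpha(c) {
			j++
		}
		segs = append(segs, s[i:j])
		i = j
	}
	return segs
}

// rpmVerCmp applies the core rpmvercmp rules (tilde/caret handling omitted, an
// assumption for this example): numeric segments compare as numbers, alphabetic
// ones as strings, numeric beats alphabetic, and a longer string wins a tie.
func rpmVerCmp(a, b string) int {
	as, bs := segments(a), segments(b)
	for i := 0; i < len(as) && i < len(bs); i++ {
		x, y := as[i], bs[i]
		xNum := x[0] >= '0' && x[0] <= '9'
		yNum := y[0] >= '0' && y[0] <= '9'
		switch {
		case xNum && !yNum:
			return 1
		case !xNum && yNum:
			return -1
		case xNum && yNum:
			x, y = strings.TrimLeft(x, "0"), strings.TrimLeft(y, "0")
			if len(x) != len(y) {
				if len(x) > len(y) {
					return 1
				}
				return -1
			}
		}
		if c := strings.Compare(x, y); c != 0 {
			return c
		}
	}
	switch {
	case len(as) > len(bs):
		return 1
	case len(as) < len(bs):
		return -1
	}
	return 0
}

// needsUpdate reports whether an installed NVR, as printed by
// rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n', is older than the fixed build.
// Packages outside the advisory's list get an error rather than a verdict.
func needsUpdate(installed string) (bool, error) {
	name, ver, rel, err := splitNVR(installed)
	if err != nil {
		return false, err
	}
	fixed, ok := fixedPackages[name]
	if !ok {
		return false, fmt.Errorf("%q is not covered by RHSA-2016:0351", name)
	}
	fparts := strings.SplitN(fixed, "-", 2)
	if c := rpmVerCmp(ver, fparts[0]); c != 0 {
		return c < 0, nil
	}
	return rpmVerCmp(rel, fparts[1]) < 0, nil
}

func main() {
	// Constructed sample of rpm -qa output; the first two are hypothetical older builds.
	for _, nvr := range []string{
		"openshift-master-3.0.2.0-0.git.20.abc1234.el7ose",
		"openshift-3.0.1.0-0.git.50.1234abc.el7ose",
		"openshift-node-3.0.2.0-0.git.45.423f434.el7ose",
		"bash-4.2.46-19.el7",
	} {
		vuln, err := needsUpdate(nvr)
		fmt.Printf("%-50s needsUpdate=%v err=%v\n", nvr, vuln, err)
	}
}
```

A version check of this kind answers only "is the fixed build installed"; whether the installed build is genuine is a separate question, answered by the GPG signature check the advisory points to.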

7. References:

https://access.redhat.com/security/cve/CVE-2016-1905
https://access.redhat.com/security/cve/CVE-2016-1906
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2016 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFW2GUYXlSAg2UNWIIRAhVcAJ9pouTBC24b/B7g8UHV5NB12SR3fACeMRU4
ul3KiiKQ9EEg6WDTBWbNn0w=
=Mn5B
-----END PGP SIGNATURE-----