=====================================================================
Red Hat Security Advisory
Synopsis: Important: OpenShift Container Platform 4.6.26 security and extras update
Advisory ID: RHSA-2021:1230-01
Product: Red Hat OpenShift Enterprise
Advisory URL: https://access.redhat.com/errata/RHSA-2021:1230
Issue date: 2021-04-27
CVE Names: CVE-2018-14718 CVE-2018-14719 CVE-2018-14720
CVE-2018-14721 CVE-2018-19360 CVE-2018-19361
CVE-2018-19362 CVE-2019-14379 CVE-2020-24750
CVE-2020-35490 CVE-2020-35491 CVE-2020-35728
CVE-2020-36179 CVE-2020-36180 CVE-2020-36181
CVE-2020-36182 CVE-2020-36183 CVE-2020-36184
CVE-2020-36185 CVE-2020-36186 CVE-2020-36187
CVE-2020-36188 CVE-2020-36189 CVE-2021-3449
CVE-2021-20190
=====================================================================
1. Summary:
Red Hat OpenShift Container Platform release 4.6.26 is now available with updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container Platform 4.6.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
2. Description:
Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.
Security Fix(es):
* jackson-databind: arbitrary code execution in slf4j-ext class (CVE-2018-14718)
* jackson-databind: arbitrary code execution in blaze-ds-opt and blaze-ds-core classes (CVE-2018-14719)
* jackson-databind: improper polymorphic deserialization in axis2-transport-jms class (CVE-2018-19360)
* jackson-databind: improper polymorphic deserialization in openjpa class (CVE-2018-19361)
* jackson-databind: improper polymorphic deserialization in jboss-common-core class (CVE-2018-19362)
* jackson-databind: default typing mishandling leading to remote code execution (CVE-2019-14379)
* jackson-databind: Serialization gadgets in com.pastdev.httpcomponents.configuration.JndiConfiguration (CVE-2020-24750)
* jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.PerUserPoolDataSource (CVE-2020-35490)
* jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.SharedPoolDataSource (CVE-2020-35491)
* jackson-databind: mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (CVE-2020-35728)
* jackson-databind: mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS (CVE-2020-36179)
* jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS (CVE-2020-36180)
* jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS (CVE-2020-36181)
* jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS (CVE-2020-36182)
* jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool (CVE-2020-36183)
* jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource (CVE-2020-36184)
* jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource (CVE-2020-36185)
* jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource (CVE-2020-36186)
* jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource (CVE-2020-36187)
* jackson-databind: mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource (CVE-2020-36188)
* jackson-databind: mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource (CVE-2020-36189)
* jackson-databind: mishandles the interaction between serialization gadgets and typing, related to javax.swing (CVE-2021-20190)
* jackson-databind: exfiltration/XXE in some JDK classes (CVE-2018-14720)
* jackson-databind: server-side request forgery (SSRF) in axis2-jaxws class (CVE-2018-14721)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
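Every jackson-databind entry above is the same pattern: with default typing enabled, the JSON document itself names the concrete class to instantiate, so any "gadget" class that happens to be on the classpath (JNDI connection pools, DBCP data sources, and so on) becomes reachable. The snippet below is an added example, not code from the advisory or from OpenShift; it assumes jackson-databind 2.10 or later and a hypothetical `com.example.model` package, and contrasts the unrestricted configuration with a `PolymorphicTypeValidator` allow-list that makes the mapper throw on any type id outside that package instead of resolving it.

```java
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.json.JsonMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class SafeDefaultTyping {

    // Weak setting: pre-2.10 style default typing with no validator, so any
    // class on the classpath may be named in the JSON. Shown only for contrast.
    @SuppressWarnings("deprecation")
    static ObjectMapper unrestrictedMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping();
        return mapper;
    }

    // Hardened setting: default typing stays on, but only subtypes under the
    // hypothetical com.example.model package are allowed to resolve.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.model.")
                .build();
        return JsonMapper.builder()
                .activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL,
                        JsonTypeInfo.As.PROPERTY)   // type id carried in "@class"
                .build();
    }

    public static void main(String[] args) throws Exception {
        // Constructed input with a placeholder type id outside the allow-list.
        String untrusted = "{\"@class\":\"some.other.Placeholder\",\"x\":1}";
        try {
            hardenedMapper().readValue(untrusted, Object.class);
            System.out.println("unexpected: type id was accepted");
        } catch (InvalidTypeIdException e) {
            // Expected: the id is not under com.example.model, so the mapper
            // fails the deserialization rather than instantiating the class.
            System.out.println("rejected type id: " + e.getTypeId());
        }
    }
}
```

Upgrading to the fixed packages remains the primary remediation; the allow-list is the defence-in-depth setting for application code that needs polymorphic typing at all.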
3. Solution:
This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.6.26. See the following advisory for the container images for this release:

https://access.redhat.com/errata/RHBA-2021:1232

All OpenShift Container Platform 4.6 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift Console or the CLI oc command. Instructions for upgrading a cluster are available at

https://docs.openshift.com/container-platform/4.6/updating/updating-cluster-between-minor.html#understanding-upgrade-channels_updating-cluster-between-minor

For OpenShift Container Platform 4.6 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:

https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html

Details on how to access this content are available at

https://docs.openshift.com/container-platform/4.6/updating/updating-cluster-cli.html
4. Bugs fixed (https://bugzilla.redhat.com/):
1666415 - CVE-2018-14718 jackson-databind: arbitrary code execution in slf4j-ext class
1666418 - CVE-2018-14719 jackson-databind: arbitrary code execution in blaze-ds-opt and blaze-ds-core classes
1666423 - CVE-2018-14720 jackson-databind: exfiltration/XXE in some JDK classes
1666428 - CVE-2018-14721 jackson-databind: server-side request forgery (SSRF) in axis2-jaxws class
1666482 - CVE-2018-19360 jackson-databind: improper polymorphic deserialization in axis2-transport-jms class
1666484 - CVE-2018-19361 jackson-databind: improper polymorphic deserialization in openjpa class
1666489 - CVE-2018-19362 jackson-databind: improper polymorphic deserialization in jboss-common-core class
1737517 - CVE-2019-14379 jackson-databind: default typing mishandling leading to remote code execution
1859004 - Sometimes the eventrouter couldn't gather event logs.
1882310 - CVE-2020-24750 jackson-databind: Serialization gadgets in com.pastdev.httpcomponents.configuration.JndiConfiguration
1909266 - CVE-2020-35490 jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.PerUserPoolDataSource
1909269 - CVE-2020-35491 jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.SharedPoolDataSource
1911502 - CVE-2020-35728 jackson-databind: mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool
1913871 - CVE-2020-36179 jackson-databind: mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS
1913872 - CVE-2020-36180 jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS
1913874 - CVE-2020-36181 jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS
1913926 - CVE-2020-36182 jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS
1913927 - CVE-2020-36183 jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool
1913928 - CVE-2020-36184 jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource
1913929 - CVE-2020-36185 jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource
1913931 - CVE-2020-36186 jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource
1913933 - CVE-2020-36187 jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource
1913934 - CVE-2020-36188 jackson-databind: mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource
1913937 - CVE-2020-36189 jackson-databind: mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource
1916633 - CVE-2021-20190 jackson-databind: mishandles the interaction between serialization gadgets and typing, related to javax.swing
1925361 - [4.6] ClusterLogForwarder namespace-specific log forwarding does not work as expected
1950894 - Placeholder bug for OCP 4.6.0 extras release
5. References:
https://access.redhat.com/security/cve/CVE-2018-14718
https://access.redhat.com/security/cve/CVE-2018-14719
https://access.redhat.com/security/cve/CVE-2018-14720
https://access.redhat.com/security/cve/CVE-2018-14721
https://access.redhat.com/security/cve/CVE-2018-19360
https://access.redhat.com/security/cve/CVE-2018-19361
https://access.redhat.com/security/cve/CVE-2018-19362
https://access.redhat.com/security/cve/CVE-2019-14379
https://access.redhat.com/security/cve/CVE-2020-24750
https://access.redhat.com/security/cve/CVE-2020-35490
https://access.redhat.com/security/cve/CVE-2020-35491
https://access.redhat.com/security/cve/CVE-2020-35728
https://access.redhat.com/security/cve/CVE-2020-36179
https://access.redhat.com/security/cve/CVE-2020-36180
https://access.redhat.com/security/cve/CVE-2020-36181
https://access.redhat.com/security/cve/CVE-2020-36182
https://access.redhat.com/security/cve/CVE-2020-36183
https://access.redhat.com/security/cve/CVE-2020-36184
https://access.redhat.com/security/cve/CVE-2020-36185
https://access.redhat.com/security/cve/CVE-2020-36186
https://access.redhat.com/security/cve/CVE-2020-36187
https://access.redhat.com/security/cve/CVE-2020-36188
https://access.redhat.com/security/cve/CVE-2020-36189
https://access.redhat.com/security/cve/CVE-2021-3449
https://access.redhat.com/security/cve/CVE-2021-20190
https://access.redhat.com/security/updates/classification/#important
6. Contact:
The Red Hat security contact is <
details at https://access.redhat.com/security/team/contact/
Copyright 2021 Red Hat, Inc.
--
RHSA-announce mailing list
https://listman.redhat.com/mailman/listinfo/rhsa-announce
Read more https://packetstormsecurity.com/files/162350/RHSA-2021-1230-01.txt