RHSA-2013:0638: Moderate: Red Hat OpenShift Enterprise 1.1.2 update
First published: Tue Mar 12 2013(Updated: )
OpenShift Enterprise is a cloud computing Platform-as-a-Service (PaaS)<br>solution from Red Hat, and is designed for on-premise or private cloud<br>deployments.<br>A flaw was found in the handling of paths provided to ruby193-rubygem-rack.<br>A remote attacker could use this flaw to conduct a directory traversal<br>attack by passing malformed requests. (CVE-2013-0262)<br>A timing attack flaw was found in the way rubygem-rack and<br>ruby193-rubygem-rack processed HMAC digests in cookies. This flaw could aid<br>an attacker using forged digital signatures to bypass authentication<br>checks. (CVE-2013-0263)<br>It was found that Jenkins did not protect against Cross-Site Request<br>Forgery (CSRF) attacks. If a remote attacker could trick a user, who was<br>logged into Jenkins, into visiting a specially-crafted URL, the attacker<br>could perform operations on Jenkins. (CVE-2013-0327, CVE-2013-0329)<br>A cross-site scripting (XSS) flaw was found in Jenkins. A remote attacker<br>could use this flaw to conduct an XSS attack against users of Jenkins.<br>(CVE-2013-0328)<br>A flaw could allow a Jenkins user to build jobs they do not have access to.<br>(CVE-2013-0330)<br>A flaw could allow a Jenkins user to cause a denial of service if they<br>are able to supply a specially-crafted payload. (CVE-2013-0331)<br>Users are advised to upgrade to Red Hat OpenShift Enterprise 1.1.2. It is<br>recommended that you restart your system after applying this update.<br>
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/ruby193-rubygem-rack | <1.4.1-4.el6 | 1.4.1-4.el6 |
| redhat/rubygem-rack | <1.3.0-4.el6 | 1.3.0-4.el6 |
| redhat/ruby193-rubygem-rack | <1.4.1-4.el6 | 1.4.1-4.el6 |
| redhat/jenkins | <1.502-1.el6 | 1.502-1.el6 |
| redhat/openshift-origin-cartridge-jenkins | <1.4-1.0.3-1.el6 | 1.4-1.0.3-1.el6 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=909071
- https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=909072
- https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=914875
- https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=914876
- https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=914877
- https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=914878
- https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=914879
- https://access.redhat.com/security/updates/classification/#moderate
- https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2013-02-16
- https://access.redhat.com/errata/RHSA-2013:0638 (Advisory)
Frequently Asked Questions
What is the vulnerability identified by RHSA-2013:0638?
RHSA-2013:0638 is a security advisory addressing a flaw in how paths are handled in ruby193-rubygem-rack, which could allow a remote attacker to exploit the application.
What are the affected packages in RHSA-2013:0638?
The affected packages include ruby193-rubygem-rack and rubygem-rack versions up to 1.4.1-4.el6 and 1.3.0-4.el6 respectively.
What is the severity of RHSA-2013:0638?
The severity level of RHSA-2013:0638 is classified as important due to the potential for remote exploitation.
How do I fix RHSA-2013:0638?
To fix RHSA-2013:0638, upgrade ruby193-rubygem-rack and rubygem-rack to the remedied versions specified in the advisory.
Is there a workaround for RHSA-2013:0638?
There is no official workaround stated for RHSA-2013:0638, hence upgrading to the fixed versions is recommended.
- agent/description
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/references
- agent/remedy
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/title
- agent/type
- agent/weakness
- collector/redhat-errata
- anchor-id/RHSA-2013:0638
- package-manager/redhat