First published: Wed Sep 30 2020
Red Hat OpenShift Container Storage (OCS) is a provider-agnostic persistent storage solution for OpenShift Container Platform, whether deployed in-house or in a hybrid cloud. As a Red Hat storage solution, OCS is fully integrated with OpenShift Container Platform for deployment, management, and monitoring.

Security Fix(es):

- gluster-block: information disclosure through world-readable gluster-block log files (CVE-2020-10762)
- heketi: gluster-block volume password details available in logs (CVE-2020-10763)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

- Previously, tcmu-runner did not log details about file operations stuck on the backend glusterfs block-hosting volume. With this change, tcmu-runner logs those details, which makes it easier to identify the root cause of input/output errors. (BZ#1850361)
- Previously, gluster-block logs were not rotated. With this release, log rotation is available for gluster-block and tcmu-runner logs. (BZ#1850365)
- Previously, heketi did not track all the changes made to volumes as part of a device remove operation. With this release, heketi's device remove operation is fully tracked and is based on a series of brick evict operations, making the operation more reliable. (BZ#1850072)
- An access flaw, CVE-2020-13867, was found in targetcli: files under the '/etc/target' and '/etc/target/backup' directories were widely accessible. With this release, gluster-block applies a workaround that protects these files from any attempt to read sensitive information from them, until the flaw is fixed in targetcli itself. (BZ#1850077)

All Red Hat OpenShift Container Storage users are advised to upgrade to these updated packages.
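Both log-file issues above and the targetcli workaround come down to files that any local user can read. As an added example (not from the advisory or Red Hat's packages), the POSIX shell script below audits the named paths for world-readable files and strips the "other" permission bits; the gluster-block log directory path is an assumption, and the sample files in the accompanying check are constructed.

```shell
#!/bin/sh
# Audit and harden the paths named in the advisory: gluster-block log files
# and the targetcli configuration under /etc/target (its backup/ subdirectory
# is covered by recursion).
#
# Assumption (not from the advisory): gluster-block writes its logs under
# /var/log/gluster-block; override GLUSTER_BLOCK_LOG_DIR if your host differs.
GLUSTER_BLOCK_LOG_DIR="${GLUSTER_BLOCK_LOG_DIR:-/var/log/gluster-block}"
TARGET_CONF_DIR="/etc/target"

# Print every regular file below the given directories whose mode grants
# read access to "other" (bit 004). Missing directories are skipped.
# Returns 0 when nothing is world-readable, 1 when at least one file is.
find_world_readable() {
    total=0
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        list=$(find "$dir" -type f -perm -004 2>/dev/null)
        if [ -n "$list" ]; then
            printf '%s\n' "$list"
            total=$((total + $(printf '%s\n' "$list" | wc -l)))
        fi
    done
    [ "$total" -eq 0 ]
}

# Strip all "other" permissions from the directories and everything below
# them, the same effect the advisory describes for the gluster-block
# workaround: the files stay usable by their owner and group only.
harden_paths() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        chmod -R o-rwx "$dir"
    done
}

# Usage: sh audit_perms.sh [directory ...]
# With no arguments nothing runs; to check the advisory's paths:
#   sh audit_perms.sh "$GLUSTER_BLOCK_LOG_DIR" "$TARGET_CONF_DIR"
[ "$#" -eq 0 ] || find_world_readable "$@"
```

Run the audit before and after applying the updated packages; a non-zero exit with paths listed means the files are still exposed to every local account on the node.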
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/heketi | <9.0.0-9.5.el7 | 9.0.0-9.5.el7 |
redhat/heketi-client | <9.0.0-9.5.el7 | 9.0.0-9.5.el7 |
redhat/gluster-block | <0.2.1-36.2.el7 | 0.2.1-36.2.el7 |
redhat/tcmu-runner | <1.2.0-32.2.el7 | 1.2.0-32.2.el7 |
redhat/gluster-block-debuginfo | <0.2.1-36.2.el7 | 0.2.1-36.2.el7 |
redhat/libtcmu | <1.2.0-32.2.el7 | 1.2.0-32.2.el7 |
redhat/libtcmu-devel | <1.2.0-32.2.el7 | 1.2.0-32.2.el7 |
redhat/python-heketi | <9.0.0-9.5.el7 | 9.0.0-9.5.el7 |
redhat/tcmu-runner-debuginfo | <1.2.0-32.2.el7 | 1.2.0-32.2.el7 |