RHSA-2020:4298: Moderate: OpenShift Container Platform 4.6.1 image security update
First published: Tue Oct 27 2020(Updated: )
Red Hat OpenShift Container Platform is Red Hat's cloud computing<br>Kubernetes application platform solution designed for on-premise or private<br>cloud deployments.<br>Security Fix(es):<br><li> golang.org/x/crypto: Processing of crafted ssh-ed25519 public keys allows for panic (CVE-2020-9283)</li> <li> SSL/TLS: CBC padding timing attack (lucky-13) (CVE-2013-0169)</li> <li> grafana: XSS vulnerability via a column style on the "Dashboard > Table Panel" screen (CVE-2018-18624)</li> <li> js-jquery: prototype pollution in object's prototype leading to denial of service or remote code execution or property injection (CVE-2019-11358)</li> <li> npm-serialize-javascript: XSS via unsafe characters in serialized regular expressions (CVE-2019-16769)</li> <li> kibana: Prototype pollution in TSVB could result in arbitrary code execution (ESA-2020-06) (CVE-2020-7013)</li> <li> nodejs-minimist: prototype pollution allows adding or modifying properties of Object.prototype using a constructor or __proto__ payload (CVE-2020-7598)</li> <li> npmjs-websocket-extensions: ReDoS vulnerability in Sec-WebSocket-Extensions parser (CVE-2020-7662)</li> <li> nodejs-lodash: prototype pollution in zipObjectDeep function (CVE-2020-8203)</li> <li> jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method (CVE-2020-11022)</li> <li> jQuery: passing HTML containing <option> elements to manipulation methods could result in untrusted code execution (CVE-2020-11023)</li> <li> grafana: stored XSS (CVE-2020-11110)</li> <li> grafana: XSS annotation popup vulnerability (CVE-2020-12052)</li> <li> grafana: XSS via column.title or cellLinkTooltip (CVE-2020-12245)</li> <li> nodejs-elliptic: improper encoding checks allows a certain degree of signature malleability in ECDSA signatures (CVE-2020-13822)</li> <li> golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash (CVE-2020-14040)</li> <li> nodejs-ajv: prototype pollution via crafted JSON schema in ajv.validate function (CVE-2020-15366)</li> <li> openshift/console: text injection on error page via crafted url (CVE-2020-10715)</li> <li> kibana: X-Frame-Option not set by default might lead to clickjacking (CVE-2020-10743)</li> <li> openshift: restricted SCC allows pods to craft custom network packets (CVE-2020-14336)</li> For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Red Hat OpenShift Container Platform for IBM LinuxONE |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.redhat.com/show_bug.cgi?id=907589
- https://bugzilla.redhat.com/show_bug.cgi?id=1701972
- https://bugzilla.redhat.com/show_bug.cgi?id=1767665
- https://bugzilla.redhat.com/show_bug.cgi?id=1804533
- https://bugzilla.redhat.com/show_bug.cgi?id=1813344
- https://bugzilla.redhat.com/show_bug.cgi?id=1828406
- https://bugzilla.redhat.com/show_bug.cgi?id=1834550
- https://bugzilla.redhat.com/show_bug.cgi?id=1845982
- https://bugzilla.redhat.com/show_bug.cgi?id=1848089
- https://bugzilla.redhat.com/show_bug.cgi?id=1848092
- https://bugzilla.redhat.com/show_bug.cgi?id=1848643
- https://bugzilla.redhat.com/show_bug.cgi?id=1848647
- https://bugzilla.redhat.com/show_bug.cgi?id=1849044
- https://bugzilla.redhat.com/show_bug.cgi?id=1850004
- https://bugzilla.redhat.com/show_bug.cgi?id=1850572
- https://bugzilla.redhat.com/show_bug.cgi?id=1853652
- https://bugzilla.redhat.com/show_bug.cgi?id=1857412
- https://bugzilla.redhat.com/show_bug.cgi?id=1857977
- https://bugzilla.redhat.com/show_bug.cgi?id=1858981
- https://bugzilla.redhat.com/show_bug.cgi?id=1861044
- https://bugzilla.redhat.com/show_bug.cgi?id=1874671
- https://access.redhat.com/security/updates/classification/#moderate
- https://access.redhat.com/errata/RHSA-2020:4298 (Advisory)
Frequently Asked Questions
What is the severity of RHSA-2020:4298?
The severity of RHSA-2020:4298 is categorized as moderate due to the potential for panic in processing crafted ssh-ed25519 public keys.
How do I fix RHSA-2020:4298?
To fix RHSA-2020:4298, you should update the Red Hat OpenShift Container Platform to the latest available version that addresses the vulnerability.
What does RHSA-2020:4298 affect?
RHSA-2020:4298 affects the Red Hat OpenShift Container Platform by addressing a specific vulnerability in the crypto library.
What type of vulnerability is reported in RHSA-2020:4298?
RHSA-2020:4298 reports a vulnerability related to the processing of crafted ssh-ed25519 public keys which can lead to panic.
Is RHSA-2020:4298 applicable to cloud deployments?
Yes, RHSA-2020:4298 is applicable to both on-premise and private cloud deployments of Red Hat OpenShift Container Platform.
- agent/severity
- agent/type
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- collector/redhat-errata
- source/Red Hat
- anchor-id/RHSA-2020:4298
- agent/trending
- agent/title
- agent/weakness
- agent/references
- agent/remedy
- agent/description
- agent/source
- agent/softwarecombine
- agent/tags
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/red hat
- canonical/red hat openshift container platform for ibm linuxone