Security
Headlines
HeadlinesLatestCVEs

Headline

RHSA-2021:4801: Red Hat Security Advisory: OpenShift Container Platform 4.7.38 security update

Red Hat OpenShift Container Platform release 4.7.38 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2021-21685: jenkins: FilePath#mkdirs does not check permission to create parent directories
  • CVE-2021-21686: jenkins: File path filters do not canonicalize paths, allowing operations to follow symbolic links to outside allowed directories
  • CVE-2021-21687: jenkins: FilePath#untar does not check permission to create symbolic links when unarchiving a symbolic link
  • CVE-2021-21688: jenkins: FilePath#reading(FileVisitor) does not reject any operations allowing users to have unrestricted read access
  • CVE-2021-21689: jenkins: FilePath#unzip and FilePath#untar were not subject to any access control
  • CVE-2021-21690: jenkins: Agent processes are able to completely bypass file path filtering by wrapping the file operation in an agent file path
  • CVE-2021-21691: jenkins: Creating symbolic links is possible without the symlink permission
  • CVE-2021-21692: jenkins: The operations FilePath#renameTo and FilePath#moveAllChildrenTo only check read permission on the source path
  • CVE-2021-21693: jenkins: When creating temporary files, permission to create files is only checked after they’ve been created.
  • CVE-2021-21694: jenkins: FilePath#toURI, FilePath#hasSymlink, FilePath#absolutize, FilePath#isDescendant, and FilePath#get*DiskSpace do not check any permissions
  • CVE-2021-21695: jenkins: FilePath#listFiles lists files outside directories with agent read access when following symbolic links.
  • CVE-2021-21696: jenkins: Agent-to-controller access control allowed writing to sensitive directory used by Pipeline: Shared Groovy Libraries Plugin
  • CVE-2021-21697: jenkins: Agent-to-controller access control allows reading/writing most content of build directories
  • CVE-2021-21698: jenkins-2-plugins/subversion: does not restrict the name of a file when looking up a subversion key
Red Hat Security Data
Open in Source
#vulnerability#web#linux#red_hat#nodejs#js#git#java#kubernetes

Skip to navigation Skip to main content

Utilities

  • Subscriptions
  • Downloads
  • Containers
  • Support Cases

Red Hat Customer Portal

Infrastructure and Management

  • Red Hat Enterprise Linux
  • Red Hat Virtualization
  • Red Hat Identity Management
  • Red Hat Directory Server
  • Red Hat Certificate System
  • Red Hat Satellite
  • Red Hat Subscription Management
  • Red Hat Update Infrastructure
  • Red Hat Insights
  • Red Hat Ansible Automation Platform

Cloud Computing

  • Red Hat OpenShift
  • Red Hat CloudForms
  • Red Hat OpenStack Platform
  • Red Hat OpenShift Container Platform
  • Red Hat OpenShift Data Science
  • Red Hat OpenShift Online
  • Red Hat OpenShift Dedicated
  • Red Hat Advanced Cluster Security for Kubernetes
  • Red Hat Advanced Cluster Management for Kubernetes
  • Red Hat Quay
  • Red Hat CodeReady Workspaces
  • Red Hat OpenShift Service on AWS

Storage

  • Red Hat Gluster Storage
  • Red Hat Hyperconverged Infrastructure
  • Red Hat Ceph Storage
  • Red Hat Openshift Container Storage

Runtimes

  • Red Hat Runtimes
  • Red Hat JBoss Enterprise Application Platform
  • Red Hat Data Grid
  • Red Hat JBoss Web Server
  • Red Hat Single Sign On
  • Red Hat support for Spring Boot
  • Red Hat build of Node.js
  • Red Hat build of Thorntail
  • Red Hat build of Eclipse Vert.x
  • Red Hat build of OpenJDK
  • Red Hat build of Quarkus
  • Red Hat CodeReady Studio

Integration and Automation

  • Red Hat Process Automation
  • Red Hat Process Automation Manager
  • Red Hat Decision Manager

All Products

Issued:

2021-12-01

Updated:

2021-12-01

RHSA-2021:4801 - Security Advisory

  • Overview
  • Updated Packages

Synopsis

Important: OpenShift Container Platform 4.7.38 security update

Type/Severity

Security Advisory: Important

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

Red Hat OpenShift Container Platform release 4.7.38 is now available with updates to packages and images that fix several bugs and add enhancements.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat OpenShift Container Platform is Red Hat’s cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.

This advisory contains the RPM packages for Red Hat OpenShift Container
Platform 4.7.38. See the following advisory for the container images for
this release:

https://access.redhat.com/errata/RHBA-2021:4802

All OpenShift Container Platform 4.7 users are advised to upgrade to these
updated packages and images when they are available in the appropriate
release channel. To check for available updates, use the OpenShift Console
or the CLI oc command. Instructions for upgrading a cluster are available
at
https://docs.openshift.com/container-platform/4.7/updating/updating-cluster-between-minor.html#understanding-upgrade-channels_updating-cluster-between-minor Security Fix(es):

  • jenkins-2-plugins/subversion: does not restrict the name of a file when

looking up a subversion key (CVE-2021-21698)

  • jenkins: FilePath#mkdirs does not check permission to create parent

directories (CVE-2021-21685)

  • jenkins: File path filters do not canonicalize paths, allowing operations

to follow symbolic links to outside allowed directories (CVE-2021-21686)

  • jenkins: FilePath#untar does not check permission to create symbolic

links when unarchiving a symbolic link (CVE-2021-21687)

  • jenkins: FilePath#reading(FileVisitor) does not reject any operations

allowing users to have unrestricted read access (CVE-2021-21688)

  • jenkins: FilePath#unzip and FilePath#untar were not subject to any access

control (CVE-2021-21689)

  • jenkins: Agent processes are able to completely bypass file path

filtering by wrapping the file operation in an agent file path
(CVE-2021-21690)

  • jenkins: Creating symbolic links is possible without the symlink

permission (CVE-2021-21691)

  • jenkins: The operations FilePath#renameTo and FilePath#moveAllChildrenTo

only check read permission on the source path (CVE-2021-21692)

  • jenkins: When creating temporary files, permission to create files is

only checked after they’ve been created. (CVE-2021-21693)

  • jenkins: FilePath#toURI, FilePath#hasSymlink, FilePath#absolutize,

FilePath#isDescendant, and FilePath#get*DiskSpace do not check any
permissions (CVE-2021-21694)

  • jenkins: FilePath#listFiles lists files outside directories with agent

read access when following symbolic links. (CVE-2021-21695)

  • jenkins: Agent-to-controller access control allowed writing to sensitive

directory used by Pipeline: Shared Groovy Libraries Plugin (CVE-2021-21696)

  • jenkins: Agent-to-controller access control allows reading/writing most

content of build directories (CVE-2021-21697)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s)
listed in the References section.

Affected Products

  • Red Hat OpenShift Container Platform 4.7 for RHEL 8 x86_64
  • Red Hat OpenShift Container Platform 4.7 for RHEL 7 x86_64
  • Red Hat OpenShift Container Platform for Power 4.7 for RHEL 8 ppc64le
  • Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.7 for RHEL 8 s390x

Fixes

  • BZ - 2020322 - CVE-2021-21685 jenkins: FilePath#mkdirs does not check permission to create parent directories
  • BZ - 2020323 - CVE-2021-21686 jenkins: File path filters do not canonicalize paths, allowing operations to follow symbolic links to outside allowed directories
  • BZ - 2020324 - CVE-2021-21687 jenkins: FilePath#untar does not check permission to create symbolic links when unarchiving a symbolic link
  • BZ - 2020327 - CVE-2021-21688 jenkins: FilePath#reading(FileVisitor) does not reject any operations allowing users to have unrestricted read access
  • BZ - 2020335 - CVE-2021-21689 jenkins: FilePath#unzip and FilePath#untar were not subject to any access control
  • BZ - 2020336 - CVE-2021-21690 jenkins: Agent processes are able to completely bypass file path filtering by wrapping the file operation in an agent file path
  • BZ - 2020338 - CVE-2021-21691 jenkins: Creating symbolic links is possible without the symlink permission
  • BZ - 2020339 - CVE-2021-21692 jenkins: The operations FilePath#renameTo and FilePath#moveAllChildrenTo only check read permission on the source path
  • BZ - 2020341 - CVE-2021-21693 jenkins: When creating temporary files, permission to create files is only checked after they’ve been created.
  • BZ - 2020342 - CVE-2021-21694 jenkins: FilePath#toURI, FilePath#hasSymlink, FilePath#absolutize, FilePath#isDescendant, and FilePath#get*DiskSpace do not check any permissions
  • BZ - 2020343 - CVE-2021-21695 jenkins: FilePath#listFiles lists files outside directories with agent read access when following symbolic links.
  • BZ - 2020344 - CVE-2021-21696 jenkins: Agent-to-controller access control allowed writing to sensitive directory used by Pipeline: Shared Groovy Libraries Plugin
  • BZ - 2020345 - CVE-2021-21697 jenkins: Agent-to-controller access control allows reading/writing most content of build directories
  • BZ - 2020385 - CVE-2021-21698 jenkins-2-plugins/subversion: does not restrict the name of a file when looking up a subversion key

CVEs

  • CVE-2021-21685
  • CVE-2021-21686
  • CVE-2021-21687
  • CVE-2021-21688
  • CVE-2021-21689
  • CVE-2021-21690
  • CVE-2021-21691
  • CVE-2021-21692
  • CVE-2021-21693
  • CVE-2021-21694
  • CVE-2021-21695
  • CVE-2021-21696
  • CVE-2021-21697
  • CVE-2021-21698

Red Hat OpenShift Container Platform 4.7 for RHEL 8

SRPM

cri-o-1.20.6-3.rhaos4.7.git4603183.el8.src.rpm

SHA-256: c1d1293c47731a298e110edb28a72e07800d1156514e45ff7d1d9b342d975f76

jenkins-2-plugins-4.7.1637600997-1.el8.src.rpm

SHA-256: 7e80b123752e2b07d34003d5a80ee6548b853c8b17d4104253b99bc94c81220e

jenkins-2.303.3.1637597018-1.el8.src.rpm

SHA-256: ddd0603f4b381e096231f9a8e462f11c87573d3a5576c6537e98996d2aab0e44

openshift-4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.src.rpm

SHA-256: 5dd55765b1c2810e3a1477032ba52e7604be2e5cd51c858cb978c7bef3b63377

x86_64

cri-o-1.20.6-3.rhaos4.7.git4603183.el8.x86_64.rpm

SHA-256: 1497b4635a9cddec4b07e1578d115a68a382ac50b91f2bf92330f2af7ab978e1

cri-o-debuginfo-1.20.6-3.rhaos4.7.git4603183.el8.x86_64.rpm

SHA-256: b4afc0b140f885568221d68e83f32d708b68d52aa21d3735bb691b45809b9756

cri-o-debugsource-1.20.6-3.rhaos4.7.git4603183.el8.x86_64.rpm

SHA-256: da98d51a26392625fce3f6b76d25a76ec40a028c3317ef7fdc69702a0a34adb9

jenkins-2-plugins-4.7.1637600997-1.el8.noarch.rpm

SHA-256: 505545ca69ab7d8ab38150b788bc0968842ce43c4f31b3d8b57cba9922369538

jenkins-2.303.3.1637597018-1.el8.noarch.rpm

SHA-256: 92df366670ded31115b0dd800627e3cfa27b8716256e1b51741b0bc9ae616c0f

openshift-hyperkube-4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.x86_64.rpm

SHA-256: 18ca3eca61760d38c9f2b47fc799c94c813d6b741ac78ec72f0e0d07c16ad6a2

Red Hat OpenShift Container Platform 4.7 for RHEL 7

SRPM

cri-o-1.20.6-3.rhaos4.7.git4603183.el7.src.rpm

SHA-256: 6c645171e68571f1394edf48b73aa6d8c307ecc7795836df66afeea8677a1251

openshift-4.7.0-202111192046.p0.gaa025a0.assembly.stream.el7.src.rpm

SHA-256: 373d057b309aac91d35b0d8af30b43cf4224a76db75392de977c4161fa6f7749

x86_64

cri-o-1.20.6-3.rhaos4.7.git4603183.el7.x86_64.rpm

SHA-256: a2e77d402bf6313b60ae6bd751dfdc4650508aae49be1bea86a527ea4597e0eb

cri-o-debuginfo-1.20.6-3.rhaos4.7.git4603183.el7.x86_64.rpm

SHA-256: c44f76a8c325593c1053b30af467d59f1ee5fa20e94851ac7632319a25e4fb0f

openshift-hyperkube-4.7.0-202111192046.p0.gaa025a0.assembly.stream.el7.x86_64.rpm

SHA-256: 12396c6d0e47d833da1cbb12e06dca62b1ed987dc616d15ddf80c83e75197902

Red Hat OpenShift Container Platform for Power 4.7 for RHEL 8

SRPM

cri-o-1.20.6-3.rhaos4.7.git4603183.el8.src.rpm

SHA-256: c1d1293c47731a298e110edb28a72e07800d1156514e45ff7d1d9b342d975f76

jenkins-2-plugins-4.7.1637600997-1.el8.src.rpm

SHA-256: 7e80b123752e2b07d34003d5a80ee6548b853c8b17d4104253b99bc94c81220e

jenkins-2.303.3.1637597018-1.el8.src.rpm

SHA-256: ddd0603f4b381e096231f9a8e462f11c87573d3a5576c6537e98996d2aab0e44

openshift-4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.src.rpm

SHA-256: 5dd55765b1c2810e3a1477032ba52e7604be2e5cd51c858cb978c7bef3b63377

ppc64le

cri-o-1.20.6-3.rhaos4.7.git4603183.el8.ppc64le.rpm

SHA-256: a62768089af41ec0389c9fc7a25e59fc77aba099feb7d9d6dc7a0c37ca90c5b0

cri-o-debuginfo-1.20.6-3.rhaos4.7.git4603183.el8.ppc64le.rpm

SHA-256: 83e8f763400f9b150d60bfc31491ee1d89781f133354a906b1e5a3cbf3f2ef64

cri-o-debugsource-1.20.6-3.rhaos4.7.git4603183.el8.ppc64le.rpm

SHA-256: 7141dee52eeba9abc04d49f861d5bebf3122a5c6e352e1d9f229e6a1f69169b9

jenkins-2-plugins-4.7.1637600997-1.el8.noarch.rpm

SHA-256: 505545ca69ab7d8ab38150b788bc0968842ce43c4f31b3d8b57cba9922369538

jenkins-2.303.3.1637597018-1.el8.noarch.rpm

SHA-256: 92df366670ded31115b0dd800627e3cfa27b8716256e1b51741b0bc9ae616c0f

openshift-hyperkube-4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.ppc64le.rpm

SHA-256: 3c98987a9605f75f2c9ef46fd512336c17f8de4b9017c15252082f0b716d5bdb

Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.7 for RHEL 8

SRPM

cri-o-1.20.6-3.rhaos4.7.git4603183.el8.src.rpm

SHA-256: c1d1293c47731a298e110edb28a72e07800d1156514e45ff7d1d9b342d975f76

jenkins-2-plugins-4.7.1637600997-1.el8.src.rpm

SHA-256: 7e80b123752e2b07d34003d5a80ee6548b853c8b17d4104253b99bc94c81220e

jenkins-2.303.3.1637597018-1.el8.src.rpm

SHA-256: ddd0603f4b381e096231f9a8e462f11c87573d3a5576c6537e98996d2aab0e44

openshift-4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.src.rpm

SHA-256: 5dd55765b1c2810e3a1477032ba52e7604be2e5cd51c858cb978c7bef3b63377

s390x

cri-o-1.20.6-3.rhaos4.7.git4603183.el8.s390x.rpm

SHA-256: 924ecec211f201178f462257a6a3b84f5075155189dd6827bc5cf3321f4462bc

cri-o-debuginfo-1.20.6-3.rhaos4.7.git4603183.el8.s390x.rpm

SHA-256: 245b4daf5cb1a89a3570b6ae9ea910766b630c57058c4b62914d80240a675038

cri-o-debugsource-1.20.6-3.rhaos4.7.git4603183.el8.s390x.rpm

SHA-256: 552a32a7af957d8731b602d75f81c7a52f612ca506ed9784a2a09a0a90a28680

jenkins-2-plugins-4.7.1637600997-1.el8.noarch.rpm

SHA-256: 505545ca69ab7d8ab38150b788bc0968842ce43c4f31b3d8b57cba9922369538

jenkins-2.303.3.1637597018-1.el8.noarch.rpm

SHA-256: 92df366670ded31115b0dd800627e3cfa27b8716256e1b51741b0bc9ae616c0f

openshift-hyperkube-4.7.0-202111192046.p0.gaa025a0.assembly.stream.el8.s390x.rpm

SHA-256: 7d42409b17b34e9d9205820d2a88b74482d384fdfbeba6c3c1260baf86211361

The Red Hat security contact is [email protected]. More contact details at https://access.redhat.com/security/team/contact/.

Red Hat Security Data: Latest News

RHSA-2023:5627: Red Hat Security Advisory: kernel security, bug fix, and enhancement update
Red Hat Security Data