Headline

RHSA-2021:4827: Red Hat Security Advisory: OpenShift Container Platform 3.11.569 security update

Red Hat OpenShift Container Platform release 3.11.569 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

CVE-2021-21685: jenkins: FilePath#mkdirs does not check permission to create parent directories
CVE-2021-21686: jenkins: File path filters do not canonicalize paths, allowing operations to follow symbolic links to outside allowed directories
CVE-2021-21687: jenkins: FilePath#untar does not check permission to create symbolic links when unarchiving a symbolic link
CVE-2021-21688: jenkins: FilePath#reading(FileVisitor) does not reject any operations allowing users to have unrestricted read access
CVE-2021-21689: jenkins: FilePath#unzip and FilePath#untar were not subject to any access control
CVE-2021-21690: jenkins: Agent processes are able to completely bypass file path filtering by wrapping the file operation in an agent file path
CVE-2021-21691: jenkins: Creating symbolic links is possible without the symlink permission
CVE-2021-21692: jenkins: The operations FilePath#renameTo and FilePath#moveAllChildrenTo only check read permission on the source path
CVE-2021-21693: jenkins: When creating temporary files, permission to create files is only checked after they’ve been created.
CVE-2021-21694: jenkins: FilePath#toURI, FilePath#hasSymlink, FilePath#absolutize, FilePath#isDescendant, and FilePath#get*DiskSpace do not check any permissions
CVE-2021-21695: jenkins: FilePath#listFiles lists files outside directories with agent read access when following symbolic links.
CVE-2021-21696: jenkins: Agent-to-controller access control allowed writing to sensitive directory used by Pipeline: Shared Groovy Libraries Plugin
CVE-2021-21697: jenkins: Agent-to-controller access control allows reading/writing most content of build directories
CVE-2021-21698: jenkins-2-plugins/subversion: does not restrict the name of a file when looking up a subversion key

3 years ago

Red Hat Security Data

Open in Source

#vulnerability #web #red_hat #redis #git #kubernetes

Synopsis

Important: OpenShift Container Platform 3.11.569 security update

Type/Severity

Security Advisory: Important

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

Red Hat OpenShift Container Platform release 3.11.569 is now available with updates to packages and images that fix several bugs and add enhancements.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat OpenShift Container Platform is Red Hat’s cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

Security Fix(es):

jenkins-2-plugins/subversion: does not restrict the name of a file when looking up a subversion key (CVE-2021-21698)
jenkins: FilePath#mkdirs does not check permission to create parent directories (CVE-2021-21685)
jenkins: File path filters do not canonicalize paths, allowing operations

to follow symbolic links to outside allowed directories (CVE-2021-21686)

jenkins: FilePath#untar does not check permission to create symbolic links when unarchiving a symbolic link (CVE-2021-21687)
jenkins: FilePath#reading(FileVisitor) does not reject any operations allowing users to have unrestricted read access (CVE-2021-21688)
jenkins: FilePath#unzip and FilePath#untar were not subject to any access control (CVE-2021-21689)
jenkins: Agent processes are able to completely bypass file path filtering by wrapping the file operation in an agent file path

(CVE-2021-21690)

jenkins: Creating symbolic links is possible without the symlink permission (CVE-2021-21691)
jenkins: The operations FilePath#renameTo and FilePath#moveAllChildrenTo only check read permission on the source path (CVE-2021-21692)
jenkins: When creating temporary files, permission to create files is only checked after they’ve been created. (CVE-2021-21693)
jenkins: FilePath#toURI, FilePath#hasSymlink, FilePath#absolutize, FilePath#isDescendant, and FilePath#get*DiskSpace do not check any

permissions (CVE-2021-21694)

jenkins: FilePath#listFiles lists files outside directories with agent read access when following symbolic links. (CVE-2021-21695)
jenkins: Agent-to-controller access control allowed writing to sensitive directory used by Pipeline: Shared Groovy Libraries Plugin (CVE-2021-21696)
jenkins: Agent-to-controller access control allows reading/writing most content of build directories (CVE-2021-21697)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Affected Products

Red Hat OpenShift Container Platform 3.11 x86_64
Red Hat OpenShift Container Platform for Power 3.11 ppc64le

Fixes

BZ - 1920894 - python2-urllib3: update 1.24.3 -> 1.26.2 for OCP breaks cloud-init (“Unable to get API token: None/latest/api/token”)
BZ - 2002671 - [3.11 backport] Improve logging-dump.sh (backport of LOG-1733)
BZ - 2002909 - [Kuryr][3.11] dont block kuryr if one subnet runs out of IPs
BZ - 2003491 - [Kuryr][3.11] Loadbalancer listener disappearing for an OpenShift services managed by Kuryr
BZ - 2013496 - Kuryr-cni hitting >1024 pid and crashing
BZ - 2016467 - openshift-pipeline plugin gone missing in jenkins-2-rhel7:v3.11.462-3.git.10eb612 and newer
BZ - 2020322 - CVE-2021-21685 jenkins: FilePath#mkdirs does not check permission to create parent directories
BZ - 2020323 - CVE-2021-21686 jenkins: File path filters do not canonicalize paths, allowing operations to follow symbolic links to outside allowed directories
BZ - 2020324 - CVE-2021-21687 jenkins: FilePath#untar does not check permission to create symbolic links when unarchiving a symbolic link
BZ - 2020327 - CVE-2021-21688 jenkins: FilePath#reading(FileVisitor) does not reject any operations allowing users to have unrestricted read access
BZ - 2020335 - CVE-2021-21689 jenkins: FilePath#unzip and FilePath#untar were not subject to any access control
BZ - 2020336 - CVE-2021-21690 jenkins: Agent processes are able to completely bypass file path filtering by wrapping the file operation in an agent file path
BZ - 2020338 - CVE-2021-21691 jenkins: Creating symbolic links is possible without the symlink permission
BZ - 2020339 - CVE-2021-21692 jenkins: The operations FilePath#renameTo and FilePath#moveAllChildrenTo only check read permission on the source path
BZ - 2020341 - CVE-2021-21693 jenkins: When creating temporary files, permission to create files is only checked after they’ve been created.
BZ - 2020342 - CVE-2021-21694 jenkins: FilePath#toURI, FilePath#hasSymlink, FilePath#absolutize, FilePath#isDescendant, and FilePath#get*DiskSpace do not check any permissions
BZ - 2020343 - CVE-2021-21695 jenkins: FilePath#listFiles lists files outside directories with agent read access when following symbolic links.
BZ - 2020344 - CVE-2021-21696 jenkins: Agent-to-controller access control allowed writing to sensitive directory used by Pipeline: Shared Groovy Libraries Plugin
BZ - 2020345 - CVE-2021-21697 jenkins: Agent-to-controller access control allows reading/writing most content of build directories
BZ - 2020385 - CVE-2021-21698 jenkins-2-plugins/subversion: does not restrict the name of a file when looking up a subversion key
BZ - 2026193 - Placeholder bug for OCP 3.11.z image release

CVEs

CVE-2021-21685
CVE-2021-21686
CVE-2021-21687
CVE-2021-21688
CVE-2021-21689
CVE-2021-21690
CVE-2021-21691
CVE-2021-21692
CVE-2021-21693
CVE-2021-21694
CVE-2021-21695
CVE-2021-21696
CVE-2021-21697
CVE-2021-21698

Red Hat OpenShift Container Platform 3.11

SRPM

atomic-enterprise-service-catalog-3.11.569-1.g2e6be86.el7.src.rpm

SHA-256: ec30dccb54e9a4c33e9c27fcdb2b5aa1a57f971edc04df15656aacc4c3d5973e

atomic-openshift-3.11.569-1.git.0.9dc951a.el7.src.rpm

SHA-256: 85e941c47c8f2099054ca5058e77887dea30b5630b1121ac11bebd6bcca28a61

atomic-openshift-cluster-autoscaler-3.11.569-1.g99b2acf.el7.src.rpm

SHA-256: 90588044bbe133e4901065692abfc204abac8b7f156d226691180552ab191aad

atomic-openshift-descheduler-3.11.569-1.gd435537.el7.src.rpm

SHA-256: feaab122555edd5f771abdd94aee4656992d277383cafe123123986cc6b6b646

atomic-openshift-dockerregistry-3.11.569-1.g3571208.el7.src.rpm

SHA-256: a5df28b61f2599e6519ddbd036713ed762ad30e4b07413568915fa789fb0e7b9

atomic-openshift-metrics-server-3.11.569-1.gf8bf728.el7.src.rpm

SHA-256: a96ad58a2c91269385d41f5830e62f13eebe05c45e65603d9558c184f89b870b

atomic-openshift-node-problem-detector-3.11.569-1.gc8f26da.el7.src.rpm

SHA-256: 91b46fe78d545a4bd5fe2a79bd32ffc029618289760b885f90d21cdff49537e3

atomic-openshift-service-idler-3.11.569-1.g39cfc66.el7.src.rpm

SHA-256: e505907e0c70502b93f85beacda4a515030d3b50445c34f61c338555be562044

atomic-openshift-web-console-3.11.569-1.g3e485e6.el7.src.rpm

SHA-256: cdccc8deb086b9df848346b30f46f3b8457713b551c0f4a60b94c5df6defaa2a

golang-github-openshift-oauth-proxy-3.11.569-1.gedebe84.el7.src.rpm

SHA-256: 867a62eb8914f581ea71d114aeff3d7bd11020b5222947d732e84ff9ef1a8688

golang-github-prometheus-alertmanager-3.11.569-1.g13de638.el7.src.rpm

SHA-256: ee15b3bc4a575b3e2561bc8a08ebf6fe1ed70d06617caadf27cbcf50b847f972

golang-github-prometheus-node_exporter-3.11.569-1.g609cd20.el7.src.rpm

SHA-256: a5d9e2fb35e07156328afb0a74dc7464a1eee4370c88b9fdadc874945a2aaf6f

golang-github-prometheus-prometheus-3.11.569-1.g99aae51.el7.src.rpm

SHA-256: 08f5300b4e84fe99346bef3c6008232849c7d8596e2d2c0769c077f925cfb167

jenkins-2-plugins-3.11.1637699107-1.el7.src.rpm

SHA-256: a73b9aea160399f7f1c3f8372cb71fb487c946f9921604fc0a29e6451c2dfcec

jenkins-2.303.3.1637698110-1.el7.src.rpm

SHA-256: b4c45cd0c2b16076f54df0edb01fb208deeb81cd6d48cdc5a9deff3da0a06993

openshift-ansible-3.11.569-1.git.0.9620ba1.el7.src.rpm

SHA-256: 5d916dfbcbbaa77f8bbdb139e621e6f9ba39a73654b82e2a77b393a70cd09ec7

openshift-enterprise-autoheal-3.11.569-1.gf2f435d.el7.src.rpm

SHA-256: ca647c651b756e954d1c0a3da51cc890142b2627da754da712276dc0a068d48e

openshift-enterprise-cluster-capacity-3.11.569-1.g22be164.el7.src.rpm

SHA-256: 4f96a9b4df75a4ed16d31ff2e3448f200f4f65f407ea49c9dad3cf8bcedf8975

openshift-kuryr-3.11.569-1.g0c4bf66.el7.src.rpm

SHA-256: a40712aefa19ccf1098ce04422a76dc6f6e9a944e3178e1f51d20c9e98fc8e2a

x86_64

atomic-enterprise-service-catalog-3.11.569-1.g2e6be86.el7.x86_64.rpm

SHA-256: 459e8d65fd96034f7b1edd9a6a2b6a9dabe58d3cdd6e37e26b5b009f69047b6c

atomic-enterprise-service-catalog-svcat-3.11.569-1.g2e6be86.el7.x86_64.rpm

SHA-256: 2f241fac672dd67ba6af7ad9e84cf3ea65b90d37546ac5e6ea0c761caee5f270

atomic-openshift-3.11.569-1.git.0.9dc951a.el7.x86_64.rpm

SHA-256: c1c50bc84c472544efbdaf9adb071f1265f26e7edec138f76176dcc032c2e841

atomic-openshift-clients-3.11.569-1.git.0.9dc951a.el7.x86_64.rpm

SHA-256: f8f0a395339847bcfe5d47cb338054c365b6b1aab168bcbba55d8ef700e444ff

atomic-openshift-clients-redistributable-3.11.569-1.git.0.9dc951a.el7.x86_64.rpm

SHA-256: 6bcc11ab4f62d31060dd3523435274f60470f2dc1a009ae226370e8d0713519d

atomic-openshift-cluster-autoscaler-3.11.569-1.g99b2acf.el7.x86_64.rpm

SHA-256: 905ed5cbab0c7d5c9a75ed3d7494239438bbc0dc5fc4eb27c863e35b998ecd77

atomic-openshift-descheduler-3.11.569-1.gd435537.el7.x86_64.rpm

SHA-256: 571a82de2c1edc6456df1dc2478c612f8c27860bb1fb6efa6eb310ff6fd605cf

atomic-openshift-docker-excluder-3.11.569-1.git.0.9dc951a.el7.noarch.rpm

SHA-256: d86f6a7163f3eab2e6df9ae5d407551e21448e68c33117f477d5faafa5fdd5f5

atomic-openshift-dockerregistry-3.11.569-1.g3571208.el7.x86_64.rpm

SHA-256: 755281807fd478c3452776cf7fdb97c419b9be9565a380c3d1fb7c1abccc0cd2

atomic-openshift-excluder-3.11.569-1.git.0.9dc951a.el7.noarch.rpm

SHA-256: 3b03478aa3a336192b006d64b72ae9604c5908e005023f46e74cc63737ec59fa

atomic-openshift-hyperkube-3.11.569-1.git.0.9dc951a.el7.x86_64.rpm

SHA-256: d9ac7ea3cbf87830e8c87ddae7e4da98e105dce2726f2e8b02a8678036ab11de

atomic-openshift-hypershift-3.11.569-1.git.0.9dc951a.el7.x86_64.rpm

SHA-256: 8ecba71829fb34355a054faea6d9b6767680f2a9dca76c2aeb37cca1f8b1cd51

atomic-openshift-master-3.11.569-1.git.0.9dc951a.el7.x86_64.rpm

SHA-256: edcfdcbb2491cc44d841bc8a79632151ecb19239333c0805d1f8fdd224711bd4

atomic-openshift-metrics-server-3.11.569-1.gf8bf728.el7.x86_64.rpm

SHA-256: 0e42bb075fb68b10d93beca158cfe27a31a30cb5b2e17a53478c940ffdd5391f

atomic-openshift-node-3.11.569-1.git.0.9dc951a.el7.x86_64.rpm

SHA-256: dc682904be6696707135d444d96ae3cffcce9b7d64088d4407db259ff3afe771

atomic-openshift-node-problem-detector-3.11.569-1.gc8f26da.el7.x86_64.rpm

SHA-256: b7ffa56289cb62ab7fc3b8bdbcdb62d7a03c88b80f2f3fd56160eb805d53f336

atomic-openshift-pod-3.11.569-1.git.0.9dc951a.el7.x86_64.rpm

SHA-256: 2b0e8275d818f841a5ccb2ee8abc6320002a82bda60e4a9f38e316034fe20478

atomic-openshift-sdn-ovs-3.11.569-1.git.0.9dc951a.el7.x86_64.rpm

SHA-256: 4dbb405527360efac8c47d2a8d720a07e63efe1e36baf3e8ba88c49872a00a23

atomic-openshift-service-idler-3.11.569-1.g39cfc66.el7.x86_64.rpm

SHA-256: 6c42cd68c15c9afbcebd142c5011e0539a29ea6b7bcf59a21ffedf286e9d3fc3

atomic-openshift-template-service-broker-3.11.569-1.git.0.9dc951a.el7.x86_64.rpm

SHA-256: aa0470699c6c4b1e6ebc92d4708f911d39a8513672df28a3461390d3bc7d9ef9

atomic-openshift-tests-3.11.569-1.git.0.9dc951a.el7.x86_64.rpm

SHA-256: d1788afa22488309fbce69b926f3bb8e874b7b73fb1426efddd8b63220e2e7c0

atomic-openshift-web-console-3.11.569-1.g3e485e6.el7.x86_64.rpm

SHA-256: dfc26e05a51dc77feca0b8090ae28a0000f4e7e76e87c9daa84361103d953644

golang-github-openshift-oauth-proxy-3.11.569-1.gedebe84.el7.x86_64.rpm

SHA-256: fa070e6aa56bb3cc4af5bba822453f405d0ccfd54b87aa4e9cf8c72f625fd6f1

jenkins-2-plugins-3.11.1637699107-1.el7.noarch.rpm

SHA-256: ad3313bfa2cad4357a48be72dc0286efce6eeb761452cf4d0ff851d42ee499aa

jenkins-2.303.3.1637698110-1.el7.noarch.rpm

SHA-256: b3312234116453d20c529fd358b59cd2f875c1bad0eb2f636bb5488b7cf4be4c

openshift-ansible-3.11.569-1.git.0.9620ba1.el7.noarch.rpm

SHA-256: 9b3be76fd3c86768d63e1f742e95c46cbc9631afa280b8b6b48da9c6806ddcd8

openshift-ansible-docs-3.11.569-1.git.0.9620ba1.el7.noarch.rpm

SHA-256: ac047799c7b917041568803cc2825c509859a161729148e3bbbaf1b231d80daf

openshift-ansible-playbooks-3.11.569-1.git.0.9620ba1.el7.noarch.rpm

SHA-256: 02440553687426be52f5262dd4b6472b77d5ed9ac13829e25df45a1f5f5184e8

openshift-ansible-roles-3.11.569-1.git.0.9620ba1.el7.noarch.rpm

SHA-256: 586b8488063002e3e73fe73db13b488914f034f2c51a1c757d6e2bfa0f28376a

openshift-enterprise-autoheal-3.11.569-1.gf2f435d.el7.x86_64.rpm

SHA-256: caa76377f82330df227f4e4c5471c822a0f810df681b83716d9925ed81088bf2

openshift-enterprise-cluster-capacity-3.11.569-1.g22be164.el7.x86_64.rpm

SHA-256: b8f4e8fe3436b989a36b05e2468cb7e678947e6bb653fdb26841a3f0ddccae06

openshift-kuryr-cni-3.11.569-1.g0c4bf66.el7.noarch.rpm

SHA-256: 3f3b7cd15774155b0ed4a639646845169cdaecb976bc87e56de6d5368394707f

openshift-kuryr-common-3.11.569-1.g0c4bf66.el7.noarch.rpm

SHA-256: fa9a883af956272d051ed4683c83c3eb1e94b5c4d0f067623d32a034819f6a32

openshift-kuryr-controller-3.11.569-1.g0c4bf66.el7.noarch.rpm

SHA-256: 1b40515e31c12904d55a24151f697320d7df70d1702fa8a8ca1bcc3c717c386c

prometheus-3.11.569-1.g99aae51.el7.x86_64.rpm

SHA-256: d18d07e6b3b67a07f1bb5289d57585c436d0f1feffe49a3224b85cb002a8a7de

prometheus-alertmanager-3.11.569-1.g13de638.el7.x86_64.rpm

SHA-256: 3e131c6759aec90275a472226f6403ee0f44394dd78ae1202b13260b76576df9

prometheus-node-exporter-3.11.569-1.g609cd20.el7.x86_64.rpm

SHA-256: 15640c2ce601960d421b47cfbf6a247ca9d688c57f5f97627d66f88def6ec65e

python2-kuryr-kubernetes-3.11.569-1.g0c4bf66.el7.noarch.rpm

SHA-256: cf70bd5ef9545069a46d9e1734ad213d706148eb8c865c0be8f115852d0a72ac

Red Hat OpenShift Container Platform for Power 3.11