Headline

RHSA-2021:4833: Red Hat Security Advisory: OpenShift Container Platform 4.9.9 security update

Red Hat OpenShift Container Platform release 4.9.9 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

CVE-2021-21685: jenkins: FilePath#mkdirs does not check permission to create parent directories
CVE-2021-21686: jenkins: File path filters do not canonicalize paths, allowing operations to follow symbolic links to outside allowed directories
CVE-2021-21687: jenkins: FilePath#untar does not check permission to create symbolic links when unarchiving a symbolic link
CVE-2021-21688: jenkins: FilePath#reading(FileVisitor) does not reject any operations allowing users to have unrestricted read access
CVE-2021-21689: jenkins: FilePath#unzip and FilePath#untar were not subject to any access control
CVE-2021-21690: jenkins: Agent processes are able to completely bypass file path filtering by wrapping the file operation in an agent file path
CVE-2021-21691: jenkins: Creating symbolic links is possible without the symlink permission
CVE-2021-21692: jenkins: The operations FilePath#renameTo and FilePath#moveAllChildrenTo only check read permission on the source path
CVE-2021-21693: jenkins: When creating temporary files, permission to create files is only checked after they’ve been created.
CVE-2021-21694: jenkins: FilePath#toURI, FilePath#hasSymlink, FilePath#absolutize, FilePath#isDescendant, and FilePath#get*DiskSpace do not check any permissions
CVE-2021-21695: jenkins: FilePath#listFiles lists files outside directories with agent read access when following symbolic links.
CVE-2021-21696: jenkins: Agent-to-controller access control allowed writing to sensitive directory used by Pipeline: Shared Groovy Libraries Plugin
CVE-2021-21697: jenkins: Agent-to-controller access control allows reading/writing most content of build directories
CVE-2021-21698: jenkins-2-plugins/subversion: does not restrict the name of a file when looking up a subversion key

3 years ago

Red Hat Security Data

Open in Source

#vulnerability #linux #red_hat #git #kubernetes

Synopsis

Important: OpenShift Container Platform 4.9.9 security update

Type/Severity

Security Advisory: Important

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

Red Hat OpenShift Container Platform release 4.9.9 is now available with updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container Platform 4.9.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat OpenShift Container Platform is Red Hat’s cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.9.9. See the following advisory for the container images for this release:

https://access.redhat.com/errata/RHSA-2021:4834

Security Fix(es):

jenkins-2-plugins/subversion: does not restrict the name of a file when looking up a subversion key (CVE-2021-21698)
jenkins: FilePath#mkdirs does not check permission to create parent directories (CVE-2021-21685)
jenkins: File path filters do not canonicalize paths, allowing operations to follow symbolic links to outside allowed directories (CVE-2021-21686)
jenkins: FilePath#untar does not check permission to create symbolic links when unarchiving a symbolic link (CVE-2021-21687)
jenkins: FilePath#reading(FileVisitor) does not reject any operations allowing users to have unrestricted read access (CVE-2021-21688)
jenkins: FilePath#unzip and FilePath#untar were not subject to any access control (CVE-2021-21689)
jenkins: Agent processes are able to completely bypass file path filtering by wrapping the file operation in an agent file path (CVE-2021-21690)
jenkins: Creating symbolic links is possible without the symlink permission (CVE-2021-21691)
jenkins: The operations FilePath#renameTo and FilePath#moveAllChildrenTo only check read permission on the source path (CVE-2021-21692)
jenkins: When creating temporary files, permission to create files is only checked after they’ve been created. (CVE-2021-21693)
jenkins: FilePath#toURI, FilePath#hasSymlink, FilePath#absolutize, FilePath#isDescendant, and FilePath#get*DiskSpace do not check any permissions (CVE-2021-21694)
jenkins: FilePath#listFiles lists files outside directories with agent read access when following symbolic links. (CVE-2021-21695)
jenkins: Agent-to-controller access control allowed writing to sensitive directory used by Pipeline: Shared Groovy Libraries Plugin (CVE-2021-21696)
jenkins: Agent-to-controller access control allows reading/writing most content of build directories (CVE-2021-21697)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Affected Products

Red Hat OpenShift Container Platform 4.9 for RHEL 8 x86_64
Red Hat OpenShift Container Platform 4.9 for RHEL 7 x86_64
Red Hat OpenShift Container Platform for Power 4.9 for RHEL 8 ppc64le
Red Hat OpenShift Container Platform for IBM Z and LinuxONE 4.9 for RHEL 8 s390x
Red Hat OpenShift Container Platform for ARM 64 4.9 aarch64

Fixes

BZ - 2020322 - CVE-2021-21685 jenkins: FilePath#mkdirs does not check permission to create parent directories
BZ - 2020323 - CVE-2021-21686 jenkins: File path filters do not canonicalize paths, allowing operations to follow symbolic links to outside allowed directories
BZ - 2020324 - CVE-2021-21687 jenkins: FilePath#untar does not check permission to create symbolic links when unarchiving a symbolic link
BZ - 2020327 - CVE-2021-21688 jenkins: FilePath#reading(FileVisitor) does not reject any operations allowing users to have unrestricted read access
BZ - 2020335 - CVE-2021-21689 jenkins: FilePath#unzip and FilePath#untar were not subject to any access control
BZ - 2020336 - CVE-2021-21690 jenkins: Agent processes are able to completely bypass file path filtering by wrapping the file operation in an agent file path
BZ - 2020338 - CVE-2021-21691 jenkins: Creating symbolic links is possible without the symlink permission
BZ - 2020339 - CVE-2021-21692 jenkins: The operations FilePath#renameTo and FilePath#moveAllChildrenTo only check read permission on the source path
BZ - 2020341 - CVE-2021-21693 jenkins: When creating temporary files, permission to create files is only checked after they’ve been created.
BZ - 2020342 - CVE-2021-21694 jenkins: FilePath#toURI, FilePath#hasSymlink, FilePath#absolutize, FilePath#isDescendant, and FilePath#get*DiskSpace do not check any permissions
BZ - 2020343 - CVE-2021-21695 jenkins: FilePath#listFiles lists files outside directories with agent read access when following symbolic links.
BZ - 2020344 - CVE-2021-21696 jenkins: Agent-to-controller access control allowed writing to sensitive directory used by Pipeline: Shared Groovy Libraries Plugin
BZ - 2020345 - CVE-2021-21697 jenkins: Agent-to-controller access control allows reading/writing most content of build directories
BZ - 2020385 - CVE-2021-21698 jenkins-2-plugins/subversion: does not restrict the name of a file when looking up a subversion key

CVEs

CVE-2021-21685
CVE-2021-21686
CVE-2021-21687
CVE-2021-21688
CVE-2021-21689
CVE-2021-21690
CVE-2021-21691
CVE-2021-21692
CVE-2021-21693
CVE-2021-21694
CVE-2021-21695
CVE-2021-21696
CVE-2021-21697
CVE-2021-21698

Red Hat OpenShift Container Platform 4.9 for RHEL 8

SRPM

container-selinux-2.170.0-2.rhaos4.9.el8.src.rpm

SHA-256: 269939cf462fe975e8cef100571ec442f11c494fca5bc72b9053e0f19a1b5db0

cri-o-1.22.1-4.rhaos4.9.gite3dfe61.el8.src.rpm

SHA-256: 77e5badbf31679dd09ed24f31f70aa5e7028d0e4b8277dcf5042ddd2ff125067

jenkins-2-plugins-4.9.1637598812-1.el8.src.rpm

SHA-256: 0a7d1840174260bae8bc08b223f9268562ba5f2a01a5ba21ba72d4c62f70cd7f

jenkins-2.303.3.1637595827-1.el8.src.rpm

SHA-256: 05c66acf974249348ffe42fd44d79df4f33cbfc1bb07815626fc3458c72c1d3b

openshift-4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.src.rpm

SHA-256: 466f6d6134005c82d1afe868a0aae2ce8aa02bcb8ba31df28ca9ed3dd30e41fe

openshift-kuryr-4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.src.rpm

SHA-256: cfea43d1ee4f64d2540a6422ea6e31c7f00a6d844bbd5be6b67c1e530e581034

python-sushy-3.12.1-0.20211122142104.806622c.el8.src.rpm

SHA-256: 18e6a6214045f0fff29c12f344adcbef50377b76a780e8a83c48ea50d753e3e6

x86_64

container-selinux-2.170.0-2.rhaos4.9.el8.noarch.rpm

SHA-256: 8eb817dc0a35c928d0431786b4096cada37cbeb5667980663f0c8d9569a44d83

cri-o-1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64.rpm

SHA-256: e946575e9626bf167f550aaed45a6e3fe1db60533ca8bdf2b0ca7fcb8e848de5

cri-o-debuginfo-1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64.rpm

SHA-256: 36fd7ada6d6b5e43b60732b551e6bc02d750416fb049c8043a2892bd82d7f394

cri-o-debugsource-1.22.1-4.rhaos4.9.gite3dfe61.el8.x86_64.rpm

SHA-256: 72dea60b391fc90f40efed6bbdccb737fbc5345f59206bf27934a2766a2cb5ca

jenkins-2-plugins-4.9.1637598812-1.el8.noarch.rpm

SHA-256: a727f580ca41f7b0947df6a05e33426e0febe715911b39f14f629518c26ea617

jenkins-2.303.3.1637595827-1.el8.noarch.rpm

SHA-256: 75cc0ee45a7b7ac568713e1449b4e8842ad5056a1a3bf6f614a0d4c5e02a5e02

openshift-hyperkube-4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.x86_64.rpm

SHA-256: 6e48ec88ccd67175463a9d6894d43f8bbab42163da09054e500df995d3538534

openshift-kuryr-cni-4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch.rpm

SHA-256: 0801b8ab3caa74652882d26cbdc96ad7bb2fec4e1c8328dd7768e8c160d8eb9c

openshift-kuryr-common-4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch.rpm

SHA-256: 7dead74f75254278c16310c60a6caeb63ec02d4ee11c87529a346a24b2a0398c

openshift-kuryr-controller-4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch.rpm

SHA-256: 4f8ea89de0b73b56ecf252c7ecd9101d8e110a09c0b08ef5bb29d592ee18eb11

python3-kuryr-kubernetes-4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.noarch.rpm

SHA-256: 3f5d9e6c63d88b39308e43f636a0170e3acc4a42e5666d3734bf3affdd34266c

python3-sushy-3.12.1-0.20211122142104.806622c.el8.noarch.rpm

SHA-256: d3d6267d8d57105af89d1be00f5d528d6143fdf3603eeaa06595413575f55e65

python3-sushy-tests-3.12.1-0.20211122142104.806622c.el8.noarch.rpm

SHA-256: 6340e39d7cf1d8cdaa217ab7067143441536b842cc1d489365b69da5f9469438

Red Hat OpenShift Container Platform 4.9 for RHEL 7

SRPM

cri-o-1.22.1-4.rhaos4.9.gite3dfe61.el7.src.rpm

SHA-256: 20e86a354703f4b97ef759c61d0ea5d61c1c340e53e27555dac1efb3e6ac48bb

openshift-4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el7.src.rpm

SHA-256: 8f6ef44b0a0e0656a2caf491450544540bb4968180ac545a05b5fcc2cde3df77

x86_64

cri-o-1.22.1-4.rhaos4.9.gite3dfe61.el7.x86_64.rpm

SHA-256: 169f3452fcfada2c2292e915aa5fcd0c4fdc28e8e0640f5cb4fa90fd6f1f37db

cri-o-debuginfo-1.22.1-4.rhaos4.9.gite3dfe61.el7.x86_64.rpm

SHA-256: ba21a5a1e49581e06e9e690a4aad7226e46c252447e9537eb7657a1fcff5ca3c

openshift-hyperkube-4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el7.x86_64.rpm

SHA-256: 187da6f4a8b62ccd0c3354d5c236c338f979933be3021cd56155c91d586cfb9b

Red Hat OpenShift Container Platform for Power 4.9 for RHEL 8

SRPM

container-selinux-2.170.0-2.rhaos4.9.el8.src.rpm

SHA-256: 269939cf462fe975e8cef100571ec442f11c494fca5bc72b9053e0f19a1b5db0

cri-o-1.22.1-4.rhaos4.9.gite3dfe61.el8.src.rpm

SHA-256: 77e5badbf31679dd09ed24f31f70aa5e7028d0e4b8277dcf5042ddd2ff125067

jenkins-2-plugins-4.9.1637598812-1.el8.src.rpm

SHA-256: 0a7d1840174260bae8bc08b223f9268562ba5f2a01a5ba21ba72d4c62f70cd7f

jenkins-2.303.3.1637595827-1.el8.src.rpm

SHA-256: 05c66acf974249348ffe42fd44d79df4f33cbfc1bb07815626fc3458c72c1d3b

openshift-4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.src.rpm

SHA-256: 466f6d6134005c82d1afe868a0aae2ce8aa02bcb8ba31df28ca9ed3dd30e41fe

openshift-kuryr-4.9.0-202111221622.p0.g473fd0c.assembly.stream.el8.src.rpm

SHA-256: cfea43d1ee4f64d2540a6422ea6e31c7f00a6d844bbd5be6b67c1e530e581034

python-sushy-3.12.1-0.20211122142104.806622c.el8.src.rpm

SHA-256: 18e6a6214045f0fff29c12f344adcbef50377b76a780e8a83c48ea50d753e3e6

ppc64le

container-selinux-2.170.0-2.rhaos4.9.el8.noarch.rpm

SHA-256: 8eb817dc0a35c928d0431786b4096cada37cbeb5667980663f0c8d9569a44d83

cri-o-1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le.rpm

SHA-256: d5c510825c3fd8c6421cc2c34b7b2bedcbdc334c4852185d37d3acbecde0c0de

cri-o-debuginfo-1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le.rpm

SHA-256: e10edde3535d337ca7877d4a70d5394a6c105b6eb580e798ef629cfd67e0d55f

cri-o-debugsource-1.22.1-4.rhaos4.9.gite3dfe61.el8.ppc64le.rpm

SHA-256: 55b930fd411e8ba1cb89115e159833164fac6100028ae1ee4f804ed03feb0f2d

jenkins-2-plugins-4.9.1637598812-1.el8.noarch.rpm

SHA-256: a727f580ca41f7b0947df6a05e33426e0febe715911b39f14f629518c26ea617

jenkins-2.303.3.1637595827-1.el8.noarch.rpm

SHA-256: 75cc0ee45a7b7ac568713e1449b4e8842ad5056a1a3bf6f614a0d4c5e02a5e02

openshift-hyperkube-4.9.0-202111231108.p0.g4dd1b5a.assembly.stream.el8.ppc64le.rpm

SHA-256: 0dd260abc2ec617ed1573cab3a654f27f627cfd70a9410d606c58c3542188cad