Lucene search

RedHatRHSA-2020:4298

HistoryOct 27, 2020 - 2:57 p.m.

(RHSA-2020:4298) Moderate: OpenShift Container Platform 4.6.1 image security update

2020-10-2714:57:54

access.redhat.com

openshift

container platform

security update

4.6.1

kubernetes

cloud computing

ssl/tls

xss vulnerability

prototype pollution

denial of service

remote code execution

clickjacking

cve-2020-9283

cve-2013-0169

cve-2018-18624

cve-2019-11358

cve-2019-16769

esa-2020-06

cve-2020-7013

cve-2020-7598

cve-2020-7662

cve-2020-8203

cve-2020-11022

cve-2020-11023

cve-2020-11110

cve-2020-12052

cve-2020-12245

cve-2020-13822

cve-2020-14040

cve-2020-15366

cve-2020-10715

cve-2020-10743

cve-2020-14336

CVSS2

9.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.959

Percentile

99.5%

JSON

Red Hat OpenShift Container Platform is Red Hat’s cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.

Security Fix(es):

golang.org/x/crypto: Processing of crafted ssh-ed25519 public keys allows for panic (CVE-2020-9283)
SSL/TLS: CBC padding timing attack (lucky-13) (CVE-2013-0169)
grafana: XSS vulnerability via a column style on the “Dashboard > Table Panel” screen (CVE-2018-18624)
js-jquery: prototype pollution in object’s prototype leading to denial of service or remote code execution or property injection (CVE-2019-11358)
npm-serialize-javascript: XSS via unsafe characters in serialized regular expressions (CVE-2019-16769)
kibana: Prototype pollution in TSVB could result in arbitrary code execution (ESA-2020-06) (CVE-2020-7013)
nodejs-minimist: prototype pollution allows adding or modifying properties of Object.prototype using a constructor or proto payload (CVE-2020-7598)
npmjs-websocket-extensions: ReDoS vulnerability in Sec-WebSocket-Extensions parser (CVE-2020-7662)
nodejs-lodash: prototype pollution in zipObjectDeep function (CVE-2020-8203)
jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method (CVE-2020-11022)
jQuery: passing HTML containing <option> elements to manipulation methods could result in untrusted code execution (CVE-2020-11023)
grafana: stored XSS (CVE-2020-11110)
grafana: XSS annotation popup vulnerability (CVE-2020-12052)
grafana: XSS via column.title or cellLinkTooltip (CVE-2020-12245)
nodejs-elliptic: improper encoding checks allows a certain degree of signature malleability in ECDSA signatures (CVE-2020-13822)
golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash (CVE-2020-14040)
nodejs-ajv: prototype pollution via crafted JSON schema in ajv.validate function (CVE-2020-15366)
openshift/console: text injection on error page via crafted url (CVE-2020-10715)
kibana: X-Frame-Option not set by default might lead to clickjacking (CVE-2020-10743)
openshift: restricted SCC allows pods to craft custom network packets (CVE-2020-14336)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.