Lucene search

K
redhatRedHatRHSA-2021:4801
HistoryDec 01, 2021 - 12:16 p.m.

(RHSA-2021:4801) Important: OpenShift Container Platform 4.7.38 security update

2021-12-0112:16:32
access.redhat.com
11

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

Red Hat OpenShift Container Platform is Red Hat’s cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.

This advisory contains the RPM packages for Red Hat OpenShift Container
Platform 4.7.38. See the following advisory for the container images for
this release:

https://access.redhat.com/errata/RHBA-2021:4802

All OpenShift Container Platform 4.7 users are advised to upgrade to these
updated packages and images when they are available in the appropriate
release channel. To check for available updates, use the OpenShift Console
or the CLI oc command. Instructions for upgrading a cluster are available
at
https://docs.openshift.com/container-platform/4.7/updating/updating-cluster-between-minor.html#understanding-upgrade-channels_updating-cluster-between-minor
Security Fix(es):

  • jenkins-2-plugins/subversion: does not restrict the name of a file when
    looking up a subversion key (CVE-2021-21698)
  • jenkins: FilePath#mkdirs does not check permission to create parent
    directories (CVE-2021-21685)
  • jenkins: File path filters do not canonicalize paths, allowing operations
    to follow symbolic links to outside allowed directories (CVE-2021-21686)
  • jenkins: FilePath#untar does not check permission to create symbolic
    links when unarchiving a symbolic link (CVE-2021-21687)
  • jenkins: FilePath#reading(FileVisitor) does not reject any operations
    allowing users to have unrestricted read access (CVE-2021-21688)
  • jenkins: FilePath#unzip and FilePath#untar were not subject to any access
    control (CVE-2021-21689)
  • jenkins: Agent processes are able to completely bypass file path
    filtering by wrapping the file operation in an agent file path
    (CVE-2021-21690)
  • jenkins: Creating symbolic links is possible without the symlink
    permission (CVE-2021-21691)
  • jenkins: The operations FilePath#renameTo and FilePath#moveAllChildrenTo
    only check read permission on the source path (CVE-2021-21692)
  • jenkins: When creating temporary files, permission to create files is
    only checked after they’ve been created. (CVE-2021-21693)
  • jenkins: FilePath#toURI, FilePath#hasSymlink, FilePath#absolutize,
    FilePath#isDescendant, and FilePath#get*DiskSpace do not check any
    permissions (CVE-2021-21694)
  • jenkins: FilePath#listFiles lists files outside directories with agent
    read access when following symbolic links. (CVE-2021-21695)
  • jenkins: Agent-to-controller access control allowed writing to sensitive
    directory used by Pipeline: Shared Groovy Libraries Plugin (CVE-2021-21696)
  • jenkins: Agent-to-controller access control allows reading/writing most
    content of build directories (CVE-2021-21697)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s)
listed in the References section.

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P