SB2020061975 - Red Hat OpenShift Container Platform 3.11 update for atomic-openshift
Published: June 19, 2020
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 secuirty vulnerabilities.
1) Input validation error (CVE-ID: CVE-2017-18367)
The vulnerability allows a remote attacker to bypass certain security restrictions.
The vulnerability exists due to insufficient validation of user-supplied input in libseccomp-golang. The software incorrectly generates BPFs that OR multiple arguments rather than ANDing them. A process running under a restrictive seccomp filter that specified multiple syscall arguments could bypass intended access restrictions by specifying a single matching argument.
2) Resource exhaustion (CVE-ID: CVE-2019-11254)
The vulnerability allows a remote authenticated user to perform a denial of service (DoS) attack.
The Kubernetes API Server component in versions 1.1-1.14, and versions prior to 1.15.10, 1.16.7 and 1.17.3 allows an authorized user who sends malicious YAML payloads to cause the kube-apiserver to consume excessive CPU cycles while parsing YAML.
3) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2020-8555)
The vulnerability allows a remote authenticated user to gain access to sensitive information.
The Kubernetes kube-controller-manager in versions v1.0-1.14, versions prior to v1.15.12, v1.16.9, v1.17.5, and version v1.18.0 are vulnerable to a Server Side Request Forgery (SSRF) that allows certain authorized users to leak up to 500 bytes of arbitrary information from unprotected endpoints within the master's host network (such as link-local or loopback services).
Remediation
Install update from vendor's website.