Executive Summary
| Summary | |
|---|---|
| Title | OpenShift Container Platform 3.11 HTTP/2 security update |
| Informations | |||
|---|---|---|---|
| Name | RHSA-2019:3906 | First vendor Publication | 2019-11-18 |
| Vendor | RedHat | Last vendor Modification | 2019-11-18 |
| Severity (Vendor) | N/A | Revision | 01 |
Security-Database Scoring CVSS v3
| Cvss vector : N/A | |||
|---|---|---|---|
| Overall CVSS Score | NA | ||
| Base Score | NA | Environmental Score | NA |
| impact SubScore | NA | Temporal Score | NA |
| Exploitabality Sub Score | NA | ||
| Calculate full CVSS 3.0 Vectors scores | |||
Security-Database Scoring CVSS v2
| Cvss vector : (AV:N/AC:L/Au:N/C:N/I:N/A:C) | |||
|---|---|---|---|
| Cvss Base Score | 7.8 | Attack Range | Network |
| Cvss Impact Score | 6.9 | Attack Complexity | Low |
| Cvss Expoit Score | 10 | Authentication | None Required |
| Calculate full CVSS 2.0 Vectors scores | |||
Detail
| Problem Description: An update is now available for Red Hat OpenShift Container Platform 3.11. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat OpenShift Container Platform 3.11 - ppc64le, x86_64 3. Description: Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. The following RPM packages have been rebuilt with updated version of Go, which includes the security fixes listed further below: atomic-enterprise-service-catalog atomic-openshift-cluster-autoscaler atomic-openshift-descheduler atomic-openshift-metrics-server atomic-openshift-node-problem-detector atomic-openshift-service-idler atomic-openshift-web-console cockpit csi-attacher csi-driver-registrar csi-livenessprobe csi-provisioner golang-github-openshift-oauth-proxy golang-github-openshift-prometheus-alert-buffer golang-github-prometheus-alertmanager golang-github-prometheus-node_exporter golang-github-prometheus-prometheus hawkular-openshift-agent heapster image-inspector openshift-enterprise-autoheal openshift-enterprise-cluster-capacity openshift-eventrouter openshift-external-storage Security Fix(es): * HTTP/2: flood using PING frames results in unbounded memory growth (CVE-2019-9512) * HTTP/2: flood using HEADERS frames results in unbounded memory growth (CVE-2019-9514) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: See the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update: https://docs.openshift.com/container-platform/3.11/release_notes/ocp_3_11_r elease_notes.html 5. Bugs fixed (https://bugzilla.redhat.com/): 1735645 - CVE-2019-9512 HTTP/2: flood using PING frames results in unbounded memory growth 1735744 - CVE-2019-9514 HTTP/2: flood using HEADERS frames results in unbounded memory growth |
Original Source
| Url : https://rhn.redhat.com/errata/RHSA-2019-3906.html |
CWE : Common Weakness Enumeration
| % | Id | Name |
|---|---|---|
| 50 % | CWE-770 | Allocation of Resources Without Limits or Throttling |
| 50 % | CWE-400 | Uncontrolled Resource Consumption ('Resource Exhaustion') |
CPE : Common Platform Enumeration
Alert History
| Date | Informations |
|---|---|
| 2020-03-19 13:19:38 |
|
