Executive Summary

Summary
Title: Red Hat OpenShift Enterprise Kibana security update
Information
Name: RHSA-2016:1836
First vendor publication: 2016-09-08
Vendor: Red Hat
Last vendor modification: 2016-09-08
Severity (Vendor): N/A
Revision: 01

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS score: N/A
Base score: N/A
Environmental score: N/A
Impact subscore: N/A
Temporal score: N/A
Exploitability subscore: N/A

Security-Database Scoring CVSS v2

CVSS vector:
CVSS base score: N/A
Attack range: N/A
CVSS impact score: N/A
Attack complexity: N/A
CVSS exploit score: N/A
Authentication: N/A

Detail

Problem Description:

An update for Red Hat OpenShift Enterprise Kibana images is now available.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenShift Enterprise 3.1 - noarch, x86_64
Red Hat OpenShift Enterprise 3.2 - noarch, x86_64

3. Description:

OpenShift Enterprise by Red Hat is the company's cloud computing Platform-as-a-Service (PaaS) solution designed for on-premise or private cloud deployments.

Security Fix(es):

* A flaw was found in Kibana's logging functionality. If custom logging output was configured in Kibana, private user data could be written to the Kibana log files. A system attacker could use this data to hijack sessions of other users when using Kibana behind some form of authentication such as Shield.

* A cross-site scripting (XSS) flaw was found in Kibana. A remote attacker could use this flaw to inject arbitrary web script into pages served to other users.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

The following images are included in this errata:

openshift3/logging-kibana:3.1.1-10
openshift3/logging-elasticsearch:3.1.1-14
openshift3/logging-kibana:3.2.1-5
openshift3/logging-elasticsearch:3.2.1-7
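Added example (not part of the Red Hat advisory): a small Python check that compares deployed image references against the errata tags listed above, comparing version and release numerically so that 3.1.1-9 sorts below 3.1.1-10. The function names, the sample inventory and the rule that a same-stream build at or above the errata tag carries the fix are assumptions of this example.

```python
import re

# Image tags copied from the "images included in this errata" list above.
ERRATA_IMAGES = [
    "openshift3/logging-kibana:3.1.1-10",
    "openshift3/logging-elasticsearch:3.1.1-14",
    "openshift3/logging-kibana:3.2.1-5",
    "openshift3/logging-elasticsearch:3.2.1-7",
]
TAG_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")

def parse_ref(ref):
    """Return (namespace/name, (X, Y, Z, release)) for an image reference.

    The version is None when the tag is missing or not in X.Y.Z-R form.
    A registry prefix, with or without a port, is ignored.
    """
    path, _, tag = ref.rpartition(":")
    if not path or "/" in tag:        # no tag; a colon, if any, was a registry port
        path, tag = ref, ""
    name = "/".join(path.split("/")[-2:])
    m = TAG_RE.match(tag)
    return name, (tuple(int(g) for g in m.groups()) if m else None)

# Index errata builds by (image name, X.Y stream).
ERRATA = {}
for _ref in ERRATA_IMAGES:
    _name, _ver = parse_ref(_ref)
    ERRATA[(_name, _ver[:2])] = _ver

def classify(ref):
    """Classify a deployed image as fixed / needs-update / unknown / not-covered."""
    name, ver = parse_ref(ref)
    if all(n != name for n, _ in ERRATA):
        return "not-covered"          # image is not named in this erratum
    if ver is None or (name, ver[:2]) not in ERRATA:
        return "unknown"              # floating tag or a stream the erratum does not list
    # Assumption: within one X.Y stream, a build at or above the errata tag has the fix.
    return "fixed" if ver >= ERRATA[(name, ver[:2])] else "needs-update"

if __name__ == "__main__":
    deployed = [  # constructed sample inventory, not from the advisory
        "registry.example.com:5000/openshift3/logging-kibana:3.1.1-9",
        "openshift3/logging-elasticsearch:3.2.1-7",
        "openshift3/logging-kibana:latest",
    ]
    for image in deployed:
        print(f"{classify(image):13} {image}")
```

Images reported as "unknown" use a floating tag or a release stream the erratum does not list, so they need a manual check against the running image's actual build.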

5. Bugs fixed (https://bugzilla.redhat.com/):

1364389 - kibana: XSS vulnerability
1364394 - kibana: Session hijack via stealing cookies and auth headers from log

Original Source

URL: https://rhn.redhat.com/errata/RHSA-2016-1836.html

Alert History

Date: 2016-09-08 21:22:20
Information: First insertion