Executive Summary
Summary | |
---|---|
Title | Red Hat OpenShift Enterprise 2.2.10 security, bug fix, and enhancement update |
Informations | |||
---|---|---|---|
Name | RHSA-2016:1773 | First vendor Publication | 2016-08-24 |
Vendor | RedHat | Last vendor Modification | 2016-08-24 |
Severity (Vendor) | N/A | Revision | 01 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:C/I:C/A:C) | |||
---|---|---|---|
Cvss Base Score | 10 | Attack Range | Network |
Cvss Impact Score | 10 | Attack Complexity | Low |
Cvss Expoit Score | 10 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
Problem Description: An update is now available for Red Hat OpenShift Enterprise 2.2. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat OpenShift Enterprise Client 2.2 - noarch Red Hat OpenShift Enterprise Infrastructure 2.2 - noarch, x86_64 Red Hat OpenShift Enterprise JBoss EAP add-on 2.2 - noarch Red Hat OpenShift Enterprise Node 2.2 - noarch, x86_64 3. Description: OpenShift Enterprise by Red Hat is the company's cloud computing Platform-as-a-Service (PaaS) solution designed for on-premise or private cloud deployments. * The Jenkins continuous integration server has been updated to upstream version 1.651.2 LTS that addresses a large number of security issues, including open redirects, a potential denial of service, unsafe handling of user provided environment variables and several instances of sensitive information disclosure. (CVE-2014-3577, CVE-2016-0788, CVE-2016-0789, CVE-2016-0790, CVE-2016-0791, CVE-2016-0792, CVE-2016-3721, CVE-2016-3722, CVE-2016-3723, CVE-2016-3724, CVE-2016-3725, CVE-2016-3726, CVE-2016-3727, CVE-2015-7501) Space precludes documenting all of the bug fixes and enhancements in this advisory. See the OpenShift Enterprise Technical Notes, which will be updated shortly for release 2.2.10, for details about these changes: https://access.redhat.com/documentation/en-US/OpenShift_Enterprise/2/html-s ingle/Technical_Notes/index.html All OpenShift Enterprise 2 users are advised to upgrade to these updated packages. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. See the OpenShift Enterprise 2.2 Release Notes, which will be updated shortly for release 2.2.10, for important instructions on how to fully apply this asynchronous errata update: https://access.redhat.com/documentation/en-US/OpenShift_Enterprise/2/html-s ingle/2.2_Release_Notes/index.html#chap-Asynchronous_Errata_Updates This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/articles/11258. 5. Bugs fixed (https://bugzilla.redhat.com/): 1129074 - CVE-2014-3577 Apache HttpComponents client / Apache CXF: SSL hostname verification bypass, incomplete CVE-2012-6153 fix 1196783 - OPENSHIFT_GEAR_MEMORY_MB is not updated when resource limits change 1217403 - [RFE] separate system-level logs of cron cartridge from gear-level logs 1266239 - [RFE] Make user variables maximum value configurable. 1274852 - Routing Daemon does not update LB when head gear is moved. 1279330 - CVE-2015-7501 apache-commons-collections: InvokerTransformer code execution during deserialisation 1282852 - Tomcat Does not properly parse spaces in JVM parameters/setttings 1311722 - Deleting a multi-version cartridge on the node fails silently 1311946 - CVE-2016-0788 jenkins: Remote code execution vulnerability in remoting module (SECURITY-232) 1311947 - CVE-2016-0789 jenkins: HTTP response splitting vulnerability (SECURITY-238) 1311948 - CVE-2016-0790 jenkins: Non-constant time comparison of API token (SECURITY-241) 1311949 - CVE-2016-0791 jenkins: Non-constant time comparison of CSRF crumbs (SECURITY-245) 1311950 - CVE-2016-0792 jenkins: Remote code execution through remote API (SECURITY-247) 1335415 - CVE-2016-3721 jenkins: Arbitrary build parameters are passed to build scripts as environment variables (SECURITY-170) 1335416 - CVE-2016-3722 jenkins: Malicious users with multiple user accounts can prevent other users from logging in (SECURITY-243) 1335417 - CVE-2016-3723 jenkins: Information on installed plugins exposed via API (SECURITY-250) 1335418 - CVE-2016-3724 jenkins: Encrypted secrets (e.g. passwords) were leaked to users with permission to read configuration (SECURITY-266) 1335420 - CVE-2016-3725 jenkins: Regular users can trigger download of update site metadata (SECURITY-273) 1335421 - CVE-2016-3726 jenkins: Open redirect to scheme-relative URLs (SECURITY-276) 1335422 - CVE-2016-3727 jenkins: Granting the permission to read node configurations allows access to overall system configuration (SECURITY-281) 1358938 - libcgroup dependency error when installing node in ose-2.2 1361305 - gears exceeding quota cannot be stopped or idled 1361306 - Unable to obtain user-agent or client IP in websocket handshake on OpenShift hosted WildFly 1361307 - mysql cartridge removes logs on start 1362666 - oo-admin-move should move gears to nodes with enough free space + buffer space |
Original Source
Url : https://rhn.redhat.com/errata/RHSA-2016-1773.html |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
36 % | CWE-200 | Information Exposure |
21 % | CWE-264 | Permissions, Privileges, and Access Controls |
21 % | CWE-20 | Improper Input Validation |
7 % | CWE-502 | Deserialization of Untrusted Data |
7 % | CWE-254 | Security Features |
7 % | CWE-17 | Code |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:26139 | |||
Oval ID: | oval:org.mitre.oval:def:26139 | ||
Title: | RHSA-2014:1146: httpcomponents-client security update (Important) | ||
Description: | HttpClient is an HTTP/1.1 compliant HTTP agent implementation based on httpcomponents HttpCore. | ||
Family: | unix | Class: | patch |
Reference(s): | RHSA-2014:1146-00 CESA-2014:1146 CVE-2014-3577 | Version: | 3 |
Platform(s): | Red Hat Enterprise Linux 7 CentOS Linux 7 | Product(s): | httpcomponents-client |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:26499 | |||
Oval ID: | oval:org.mitre.oval:def:26499 | ||
Title: | RHSA-2014:1166: jakarta-commons-httpclient security update (Important) | ||
Description: | Jakarta Commons HTTPClient implements the client side of HTTP standards. It was discovered that the HTTPClient incorrectly extracted host name from an X.509 certificate subject's Common Name (CN) field. A man-in-the-middle attacker could use this flaw to spoof an SSL server using a specially crafted X.509 certificate. (CVE-2014-3577) For additional information on this flaw, refer to the Knowledgebase article in the References section. All jakarta-commons-httpclient users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. | ||
Family: | unix | Class: | patch |
Reference(s): | RHSA-2014:1166-00 CESA-2014:1166 CVE-2014-3577 | Version: | 3 |
Platform(s): | Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 5 CentOS Linux 5 CentOS Linux 6 CentOS Linux 7 | Product(s): | jakarta-commons-httpclient |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:26509 | |||
Oval ID: | oval:org.mitre.oval:def:26509 | ||
Title: | ELSA-2014-1146 -- httpcomponents-client security update (Important) | ||
Description: | HttpClient is an HTTP/1.1 compliant HTTP agent implementation based on httpcomponents HttpCore. It was discovered that the HttpClient incorrectly extracted host name from an X.509 certificate subject's Common Name (CN) field. A man-in-the-middle attacker could use this flaw to spoof an SSL server using a specially crafted X.509 certificate. (CVE-2014-3577) For additional information on this flaw, refer to the Knowledgebase article in the References section. All httpcomponents-client users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2014-1146 CVE-2014-3577 CVE-2012-6153 | Version: | 3 |
Platform(s): | Oracle Linux 7 | Product(s): | httpcomponents-client |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:27050 | |||
Oval ID: | oval:org.mitre.oval:def:27050 | ||
Title: | ELSA-2014-1166 -- jakarta-commons-httpclient security update (Important) | ||
Description: | Jakarta Commons HTTPClient implements the client side of HTTP standards. It was discovered that the HTTPClient incorrectly extracted host name from an X.509 certificate subject's Common Name (CN) field. A man-in-the-middle attacker could use this flaw to spoof an SSL server using a specially crafted X.509 certificate. (CVE-2014-3577) For additional information on this flaw, refer to the Knowledgebase article in the References section. All jakarta-commons-httpclient users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2014-1166 CVE-2014-3577 CVE-2012-6153 | Version: | 5 |
Platform(s): | Oracle Linux 7 Oracle Linux 6 Oracle Linux 5 | Product(s): | jakarta-commons-httpclient |
Definition Synopsis: | |||
|
CPE : Common Platform Enumeration
SAINT Exploits
Description | Link |
---|---|
Jenkins groovy.util.Expando Java deserialization vulnerability | More info here |
Snort® IPS/IDS
Date | Description |
---|---|
2016-06-14 | Jenkins CI Server insecure deserialization command execution attempt RuleID : 38894 - Revision : 2 - Type : SERVER-WEBAPP |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2018-03-21 | Name : The remote device is affected by multiple vulnerabilities. File : juniper_space_jsa_10838.nasl - Type : ACT_GATHER_INFO |
2017-01-25 | Name : A web application running on the remote host is affected by multiple vulnerab... File : mysql_enterprise_monitor_3_2_2_1075.nasl - Type : ACT_GATHER_INFO |
2017-01-25 | Name : A web application running on the remote host is affected by a remote code exe... File : mysql_enterprise_monitor_3_1_6_7959.nasl - Type : ACT_GATHER_INFO |
2016-10-31 | Name : The remote FreeBSD host is missing a security-related update. File : freebsd_pkg_ac18046c9b0811e68011005056925db4.nasl - Type : ACT_GATHER_INFO |
2016-10-26 | Name : An application server installed on the remote host is affected by multiple vu... File : oracle_weblogic_server_cpu_oct_2016.nasl - Type : ACT_GATHER_INFO |
2016-07-14 | Name : The remote Fedora host is missing a security update. File : fedora_2016-fd6100dd68.nasl - Type : ACT_GATHER_INFO |
2016-07-14 | Name : The remote Fedora host is missing a security update. File : fedora_2016-f7e7a6067d.nasl - Type : ACT_GATHER_INFO |
2016-07-14 | Name : The remote Fedora host is missing a security update. File : fedora_2016-9ba53cf8a2.nasl - Type : ACT_GATHER_INFO |
2016-05-12 | Name : The remote FreeBSD host is missing one or more security-related updates. File : freebsd_pkg_e387834a17ef11e699477054d2909b71.nasl - Type : ACT_GATHER_INFO |
2016-05-03 | Name : The remote host has a web application installed that is affected by a remote ... File : oracle_oats_cpu_apr_2016.nasl - Type : ACT_GATHER_INFO |
2016-03-18 | Name : The remote Fedora host is missing one or more security updates. File : fedora_2016-641c8b4eb2.nasl - Type : ACT_GATHER_INFO |
2016-03-18 | Name : The remote Fedora host is missing one or more security updates. File : fedora_2016-0f490eea10.nasl - Type : ACT_GATHER_INFO |
2016-03-14 | Name : The remote web server hosts a job scheduling and management system that is af... File : jenkins_1_650.nasl - Type : ACT_GATHER_INFO |
2016-03-07 | Name : The remote web server is affected by a remote code execution vulnerability. File : jenkins_security232.nasl - Type : ACT_GATHER_INFO |
2016-02-29 | Name : The remote web server is affected by a remote code execution vulnerability. File : jenkins_security247.nasl - Type : ACT_ATTACK |
2016-02-25 | Name : The remote FreeBSD host is missing one or more security-related updates. File : freebsd_pkg_7e01df39db7e11e5b93700e0814cab4e.nasl - Type : ACT_GATHER_INFO |
2016-01-11 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2015-2540.nasl - Type : ACT_GATHER_INFO |
2015-12-22 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20151221_jakarta_commons_collections_on_SL5_x.nasl - Type : ACT_GATHER_INFO |
2015-12-22 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2015-2671.nasl - Type : ACT_GATHER_INFO |
2015-12-22 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2015-2671.nasl - Type : ACT_GATHER_INFO |
2015-12-21 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2015-2671.nasl - Type : ACT_GATHER_INFO |
2015-12-15 | Name : The remote Amazon Linux AMI host is missing a security update. File : ala_ALAS-2015-618.nasl - Type : ACT_GATHER_INFO |
2015-12-10 | Name : The remote JBoss server is affected by multiple remote code execution vulnera... File : jboss_java_serialize.nasl - Type : ACT_ATTACK |
2015-12-04 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2015-2542.nasl - Type : ACT_GATHER_INFO |
2015-12-04 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2015-2539.nasl - Type : ACT_GATHER_INFO |
2015-12-04 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2015-2538.nasl - Type : ACT_GATHER_INFO |
2015-12-04 | Name : The remote Red Hat host is missing a security update. File : redhat-RHSA-2015-2536.nasl - Type : ACT_GATHER_INFO |
2015-12-04 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2015-2535.nasl - Type : ACT_GATHER_INFO |
2015-12-03 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2015-2521.nasl - Type : ACT_GATHER_INFO |
2015-12-03 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2015-2522.nasl - Type : ACT_GATHER_INFO |
2015-12-02 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2015-2522.nasl - Type : ACT_GATHER_INFO |
2015-12-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20151130_jakarta_commons_collections_on_SL6_x.nasl - Type : ACT_GATHER_INFO |
2015-12-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20151130_apache_commons_collections_on_SL7_x.nasl - Type : ACT_GATHER_INFO |
2015-12-01 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2015-2522.nasl - Type : ACT_GATHER_INFO |
2015-12-01 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2015-2521.nasl - Type : ACT_GATHER_INFO |
2015-11-30 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2015-2521.nasl - Type : ACT_GATHER_INFO |
2015-11-24 | Name : The remote Red Hat host is missing a security update. File : redhat-RHSA-2015-2500.nasl - Type : ACT_GATHER_INFO |
2015-10-15 | Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-2769-1.nasl - Type : ACT_GATHER_INFO |
2015-09-01 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2015-0158.nasl - Type : ACT_GATHER_INFO |
2015-05-20 | Name : The remote Debian host is missing a security update. File : debian_DLA-222.nasl - Type : ACT_GATHER_INFO |
2015-04-17 | Name : The remote Windows host has web portal software installed that is affected by... File : websphere_portal_8_0_0_1_cf15.nasl - Type : ACT_GATHER_INFO |
2014-12-22 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2014-2019.nasl - Type : ACT_GATHER_INFO |
2014-11-12 | Name : The remote Red Hat host is missing a security update. File : redhat-RHSA-2014-1834.nasl - Type : ACT_GATHER_INFO |
2014-11-12 | Name : The remote Red Hat host is missing a security update. File : redhat-RHSA-2014-1833.nasl - Type : ACT_GATHER_INFO |
2014-11-08 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2014-1098.nasl - Type : ACT_GATHER_INFO |
2014-10-12 | Name : The remote Amazon Linux AMI host is missing a security update. File : ala_ALAS-2014-410.nasl - Type : ACT_GATHER_INFO |
2014-10-01 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2014-1321.nasl - Type : ACT_GATHER_INFO |
2014-10-01 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2014-1320.nasl - Type : ACT_GATHER_INFO |
2014-09-12 | Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2014-170.nasl - Type : ACT_GATHER_INFO |
2014-09-09 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2014-1166.nasl - Type : ACT_GATHER_INFO |
2014-09-09 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2014-1166.nasl - Type : ACT_GATHER_INFO |
2014-09-09 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2014-1166.nasl - Type : ACT_GATHER_INFO |
2014-09-08 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2014-1162.nasl - Type : ACT_GATHER_INFO |
2014-09-04 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2014-1146.nasl - Type : ACT_GATHER_INFO |
2014-09-04 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2014-1146.nasl - Type : ACT_GATHER_INFO |
2014-09-04 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2014-1146.nasl - Type : ACT_GATHER_INFO |
2014-08-30 | Name : The remote Fedora host is missing a security update. File : fedora_2014-9629.nasl - Type : ACT_GATHER_INFO |
2014-08-30 | Name : The remote Fedora host is missing a security update. File : fedora_2014-9617.nasl - Type : ACT_GATHER_INFO |
2014-08-27 | Name : The remote Fedora host is missing a security update. File : fedora_2014-9539.nasl - Type : ACT_GATHER_INFO |
2014-08-27 | Name : The remote Fedora host is missing a security update. File : fedora_2014-9581.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2017-11-22 12:10:25 |
|
2016-08-25 00:23:32 |
|