RHSA-2020:4298: Moderate: OpenShift Container Platform 4.6.1 image security update
Red Hat OpenShift Container Platform is Red Hat's cloud computingKubernetes application platform solution designed for on-premise or privatecloud deployments.Security Fix(es): golang.org/x/crypto: Processing of crafted ssh-ed25519 public keys allows for panic (CVE-2020-9283) SSL/TLS: CBC padding timing attack (lucky-13) (CVE-2013-0169) grafana: XSS vulnerability via a column style on the "Dashboard > Table Panel" screen (CVE-2018-18624) js-jquery: prototype pollution in object's prototype leading to denial of service or remote code execution or property injection (CVE-2019-11358) npm-serialize-javascript: XSS via unsafe characters in serialized regular expressions (CVE-2019-16769) kibana: Prototype pollution in TSVB could result in arbitrary code execution (ESA-2020-06) (CVE-2020-7013) nodejs-minimist: prototype pollution allows adding or modifying properties of Object.prototype using a constructor or proto payload (CVE-2020-7598) npmjs-websocket-extensions: ReDoS vulnerability in Sec-WebSocket-Extensions parser (CVE-2020-7662) nodejs-lodash: prototype pollution in zipObjectDeep function (CVE-2020-8203) jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method (CVE-2020-11022) jQuery: passing HTML containing <option> elements to manipulation methods could result in untrusted code execution (CVE-2020-11023) grafana: stored XSS (CVE-2020-11110) grafana: XSS annotation popup vulnerability (CVE-2020-12052) grafana: XSS via column.title or cellLinkTooltip (CVE-2020-12245) nodejs-elliptic: improper encoding checks allows a certain degree of signature malleability in ECDSA signatures (CVE-2020-13822) golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash (CVE-2020-14040) nodejs-ajv: prototype pollution via crafted JSON schema in ajv.validate function (CVE-2020-15366) openshift/console: text injection on error page via crafted url (CVE-2020-10715) kibana: X-Frame-Option not set by default might lead to clickjacking (CVE-2020-10743) openshift: restricted SCC allows pods to craft custom network packets (CVE-2020-14336) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Affected Software
Remediation
Event History
Frequently Asked Questions
What is the severity of RHSA-2020:4298?
The severity of RHSA-2020:4298 is categorized as moderate due to the potential for panic in processing crafted ssh-ed25519 public keys.
How do I fix RHSA-2020:4298?
To fix RHSA-2020:4298, you should update the Red Hat OpenShift Container Platform to the latest available version that addresses the vulnerability.
What does RHSA-2020:4298 affect?
RHSA-2020:4298 affects the Red Hat OpenShift Container Platform by addressing a specific vulnerability in the crypto library.
What type of vulnerability is reported in RHSA-2020:4298?
RHSA-2020:4298 reports a vulnerability related to the processing of crafted ssh-ed25519 public keys which can lead to panic.
Is RHSA-2020:4298 applicable to cloud deployments?
Yes, RHSA-2020:4298 is applicable to both on-premise and private cloud deployments of Red Hat OpenShift Container Platform.