RHEL 6 : Red Hat OpenShift Enterprise 2.2.9 (RHSA-2016:0489)

High Nessus Plugin ID 119368

Synopsis

The remote Red Hat host is missing one or more security updates.

Description

Red Hat OpenShift Enterprise release 2.2.9, which fixes several security issues, several bugs, and introduces feature enhancements, is now available.

Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

OpenShift Enterprise by Red Hat is the company's cloud computing Platform-as-a-Service (PaaS) solution designed for on-premise or private cloud deployments.

The following security issue is addressed with this release :

It was found that ActiveMQ did not safely handle user-supplied data when deserializing objects. A remote attacker could use this flaw to execute arbitrary code with the permissions of the ActiveMQ application. (CVE-2015-5254)

An update for Jenkins Continuous Integration Server that addresses a large number of security issues including XSS, CSRF, information disclosure and code execution have been addressed as well.
(CVE-2015-5317, CVE-2015-5318, CVE-2015-5319, CVE-2015-5320, CVE-2015-5321, CVE-2015-5322, CVE-2015-5323, CVE-2015-5324, CVE-2015-5325, CVE-2015-5326, CVE-2015-7537, CVE-2015-7538, CVE-2015-7539, CVE-2015-8103)

Space precludes documenting all of the bug fixes in this advisory. See the OpenShift Enterprise Technical Notes, which will be updated shortly for release 2.2.9, for details about these changes :

https://access.redhat.com/documentation/en-US/OpenShift_Enterprise/2/ html-single/Technical_Notes/index.html

All OpenShift Enterprise 2 users are advised to upgrade to these updated packages.

Solution

Update the affected packages.

See Also

https://access.redhat.com/errata/RHSA-2016:0489

https://access.redhat.com/security/cve/cve-2015-7538

https://access.redhat.com/security/cve/cve-2015-7539

https://access.redhat.com/security/cve/cve-2015-5318

https://access.redhat.com/security/cve/cve-2015-7537

https://access.redhat.com/security/cve/cve-2015-5320

https://access.redhat.com/security/cve/cve-2015-5317

https://access.redhat.com/security/cve/cve-2015-8103

https://access.redhat.com/security/cve/cve-2015-5324

https://access.redhat.com/security/cve/cve-2015-5325

https://access.redhat.com/security/cve/cve-2015-5254

https://access.redhat.com/security/cve/cve-2015-5326

https://access.redhat.com/security/cve/cve-2015-5321

https://access.redhat.com/security/cve/cve-2015-5319

https://access.redhat.com/security/cve/cve-2015-5323

https://access.redhat.com/security/cve/cve-2015-5322

Plugin Details

Severity: High

ID: 119368

File Name: redhat-RHSA-2016-0489.nasl

Version: 1.1

Type: local

Agent: unix

Published: 2018/12/04

Modified: 2018/12/04

Dependencies: 12634

Risk Information

Risk Factor: High

CVSS v2.0

Base Score: 7.6

Vector: CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C

CVSS v3.0

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerability Information

CPE: p-cpe:/a:redhat:enterprise_linux:activemq-client, p-cpe:/a:redhat:enterprise_linux:jenkins, p-cpe:/a:redhat:enterprise_linux:openshift-enterprise-release, p-cpe:/a:redhat:enterprise_linux:openshift-enterprise-upgrade-node, p-cpe:/a:redhat:enterprise_linux:openshift-enterprise-yum-validator, p-cpe:/a:redhat:enterprise_linux:openshift-origin-cartridge-cron, p-cpe:/a:redhat:enterprise_linux:openshift-origin-cartridge-haproxy, p-cpe:/a:redhat:enterprise_linux:openshift-origin-cartridge-mysql, p-cpe:/a:redhat:enterprise_linux:openshift-origin-cartridge-php, p-cpe:/a:redhat:enterprise_linux:openshift-origin-cartridge-python, p-cpe:/a:redhat:enterprise_linux:openshift-origin-msg-node-mcollective, p-cpe:/a:redhat:enterprise_linux:openshift-origin-node-proxy, p-cpe:/a:redhat:enterprise_linux:openshift-origin-node-util, p-cpe:/a:redhat:enterprise_linux:php-bcmath, p-cpe:/a:redhat:enterprise_linux:php-debuginfo, p-cpe:/a:redhat:enterprise_linux:php-devel, p-cpe:/a:redhat:enterprise_linux:php-fpm, p-cpe:/a:redhat:enterprise_linux:php-imap, p-cpe:/a:redhat:enterprise_linux:php-intl, p-cpe:/a:redhat:enterprise_linux:php-mbstring, p-cpe:/a:redhat:enterprise_linux:php-process, p-cpe:/a:redhat:enterprise_linux:rubygem-openshift-origin-common, p-cpe:/a:redhat:enterprise_linux:rubygem-openshift-origin-frontend-apache-vhost, p-cpe:/a:redhat:enterprise_linux:rubygem-openshift-origin-node, cpe:/o:redhat:enterprise_linux:6

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2016/03/22

Exploitable With

CANVAS (CANVAS)

Core Impact

Metasploit (OpenNMS Java Object Unserialization Remote Code Execution)

Reference Information

CVE: CVE-2015-5254, CVE-2015-5317, CVE-2015-5318, CVE-2015-5319, CVE-2015-5320, CVE-2015-5321, CVE-2015-5322, CVE-2015-5323, CVE-2015-5324, CVE-2015-5325, CVE-2015-5326, CVE-2015-7537, CVE-2015-7538, CVE-2015-7539, CVE-2015-8103

RHSA: 2016:0489