RHEL 6 : Red Hat OpenShift Enterprise 2.2.10 (RHSA-2016:1773)

Critical Nessus Plugin ID 119378

Synopsis

The remote Red Hat host is missing one or more security updates.

Description

An update is now available for Red Hat OpenShift Enterprise 2.2.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

OpenShift Enterprise by Red Hat is the company's cloud computing Platform-as-a-Service (PaaS) solution designed for on-premise or private cloud deployments.

* The Jenkins continuous integration server has been updated to upstream version 1.651.2 LTS that addresses a large number of security issues, including open redirects, a potential denial of service, unsafe handling of user provided environment variables and several instances of sensitive information disclosure. (CVE-2014-3577, CVE-2016-0788, CVE-2016-0789, CVE-2016-0790, CVE-2016-0791, CVE-2016-0792, CVE-2016-3721, CVE-2016-3722, CVE-2016-3723, CVE-2016-3724, CVE-2016-3725, CVE-2016-3726, CVE-2016-3727, CVE-2015-7501)

Space precludes documenting all of the bug fixes and enhancements in this advisory. See the OpenShift Enterprise Technical Notes, which will be updated shortly for release 2.2.10, for details about these changes :

https://access.redhat.com/documentation/en-US/OpenShift_Enterprise/2/ html-single/Technical_Notes/index.html

All OpenShift Enterprise 2 users are advised to upgrade to these updated packages.

Solution

Update the affected packages.

See Also

https://access.redhat.com/errata/RHSA-2016:1773

https://access.redhat.com/security/cve/cve-2014-3577

https://access.redhat.com/security/cve/cve-2015-7501

https://access.redhat.com/security/cve/cve-2016-0788

https://access.redhat.com/security/cve/cve-2016-0789

https://access.redhat.com/security/cve/cve-2016-0790

https://access.redhat.com/security/cve/cve-2016-0791

https://access.redhat.com/security/cve/cve-2016-0792

https://access.redhat.com/security/cve/cve-2016-3721

https://access.redhat.com/security/cve/cve-2016-3722

https://access.redhat.com/security/cve/cve-2016-3723

https://access.redhat.com/security/cve/cve-2016-3724

https://access.redhat.com/security/cve/cve-2016-3725

https://access.redhat.com/security/cve/cve-2016-3726

https://access.redhat.com/security/cve/cve-2016-3727

Plugin Details

Severity: Critical

ID: 119378

File Name: redhat-RHSA-2016-1773.nasl

Version: 1.1

Type: local

Agent: unix

Published: 2018/12/04

Modified: 2018/12/04

Dependencies: 12634

Risk Information

Risk Factor: Critical

CVSS v2.0

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS v3.0

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerability Information

CPE: p-cpe:/a:redhat:enterprise_linux:ImageMagick-debuginfo, p-cpe:/a:redhat:enterprise_linux:ImageMagick-devel, p-cpe:/a:redhat:enterprise_linux:ImageMagick-doc, p-cpe:/a:redhat:enterprise_linux:ImageMagick-perl, p-cpe:/a:redhat:enterprise_linux:activemq, p-cpe:/a:redhat:enterprise_linux:activemq-client, p-cpe:/a:redhat:enterprise_linux:jenkins, p-cpe:/a:redhat:enterprise_linux:libcgroup-debuginfo, p-cpe:/a:redhat:enterprise_linux:libcgroup-pam, p-cpe:/a:redhat:enterprise_linux:openshift-origin-broker, p-cpe:/a:redhat:enterprise_linux:openshift-origin-broker-util, p-cpe:/a:redhat:enterprise_linux:openshift-origin-cartridge-cron, p-cpe:/a:redhat:enterprise_linux:openshift-origin-cartridge-diy, p-cpe:/a:redhat:enterprise_linux:openshift-origin-cartridge-haproxy, p-cpe:/a:redhat:enterprise_linux:openshift-origin-cartridge-jbosseap, p-cpe:/a:redhat:enterprise_linux:openshift-origin-cartridge-jbossews, p-cpe:/a:redhat:enterprise_linux:openshift-origin-cartridge-jenkins, p-cpe:/a:redhat:enterprise_linux:openshift-origin-cartridge-jenkins-client, p-cpe:/a:redhat:enterprise_linux:openshift-origin-cartridge-mongodb, p-cpe:/a:redhat:enterprise_linux:openshift-origin-cartridge-mysql, p-cpe:/a:redhat:enterprise_linux:openshift-origin-cartridge-nodejs, p-cpe:/a:redhat:enterprise_linux:openshift-origin-cartridge-perl, p-cpe:/a:redhat:enterprise_linux:openshift-origin-cartridge-php, p-cpe:/a:redhat:enterprise_linux:openshift-origin-cartridge-python, p-cpe:/a:redhat:enterprise_linux:openshift-origin-cartridge-ruby, p-cpe:/a:redhat:enterprise_linux:openshift-origin-msg-node-mcollective, p-cpe:/a:redhat:enterprise_linux:openshift-origin-node-proxy, p-cpe:/a:redhat:enterprise_linux:openshift-origin-node-util, p-cpe:/a:redhat:enterprise_linux:rhc, p-cpe:/a:redhat:enterprise_linux:rubygem-openshift-origin-admin-console, p-cpe:/a:redhat:enterprise_linux:rubygem-openshift-origin-controller, p-cpe:/a:redhat:enterprise_linux:rubygem-openshift-origin-frontend-haproxy-sni-proxy, p-cpe:/a:redhat:enterprise_linux:rubygem-openshift-origin-msg-broker-mcollective, p-cpe:/a:redhat:enterprise_linux:rubygem-openshift-origin-node, p-cpe:/a:redhat:enterprise_linux:rubygem-openshift-origin-routing-daemon, cpe:/o:redhat:enterprise_linux:6

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2016/08/24

Exploitable With

CANVAS (CANVAS)

Core Impact

Metasploit (Jenkins XStream Groovy classpath Deserialization Vulnerability)

Reference Information

CVE: CVE-2014-3577, CVE-2015-7501, CVE-2016-0788, CVE-2016-0789, CVE-2016-0790, CVE-2016-0791, CVE-2016-0792, CVE-2016-3721, CVE-2016-3722, CVE-2016-3723, CVE-2016-3724, CVE-2016-3725, CVE-2016-3726, CVE-2016-3727

RHSA: 2016:1773