Description
ELSA-2020-5726: grafana kubernetes-cni kubernetes-cni-plugins kubernetes kubernetes olcne security update (IMPORTANT)
grafana [%{}-1.0.1]
- Added Oracle Specific Build Files for grafana
kubernetes-cni [0.7.1-1.0.1]
- Added Oracle specific build files for Kubernetes CNI
kubernetes-cni-plugins [0.8.6-1.0.1]
- Added Oracle specific build files for Kubernetes CNI Plugins
kubernetes [1.14.9-1.0.4]
- CVE-2020-10749: IPv4 only clusters susceptible to MitM attacks via IPv6 rogue router advertisements
- CVE-2020-8555: Half-Blind SSRF in kube-controller-manager
[1.14.9-1.0.3]
- [CVE-2019-11254] kube-apiserver Denial of Service vulnerability from malicious YAML payloads
[1.14.9-1.0.2]
- Use bounded crio version
[1.14.9-1.0.1]
- Added Oracle specific build files for Kubernetes
kubernetes [1.17.6-1.0.2.el7]
- Update to kubernetes-cni for CVE-2020-10749
[1.17.6-1.0.2.el7]
- Added Oracle specific build files for Kubernetes
olcne [1.1.1-1]
- Update Istio to use Grafana 6.7.4 to address CVE-2020-13379
- Kubernetes update due to CVE-2020-10749 and CVE-2020-8555
Updated packages
Oracle Linux 7
Oracle Linux x86_64
grafana                  6.7.4-1.0.1.el7
kubeadm                  1.14.9-1.0.4.el7
kubeadm                  1.17.6-1.0.2.el7
kubectl                  1.14.9-1.0.4.el7
kubectl                  1.17.6-1.0.2.el7
kubelet                  1.14.9-1.0.4.el7
kubelet                  1.17.6-1.0.2.el7
kubernetes-cni           0.7.1-1.0.1.el7
kubernetes-cni-plugins   0.8.6-1.0.2.el7
olcne-agent              1.1.1-3.el7
olcne-api-server         1.1.1-3.el7
olcne-istio-chart        1.1.1-3.el7
olcne-nginx              1.1.1-3.el7
olcne-prometheus-chart   1.1.1-3.el7
olcne-utils              1.1.1-3.el7
olcnectl                 1.1.1-3.el7
Related CVEs
Related vulnerabilities
ELSA-2020-5727: kubernetes-cni-plugins kubernetes-cni kubernetes olcne security update (IMPORTANT)
ELSA-2020-5725: kubernetes kubeadm-ha-setup kubernetes-cni kubernetes-cni-plugins security update (IMPORTANT)
The avatar feature in Grafana 3.0.1 through 7.0.1 has an SSRF Incorrect Access Control issue. This vulnerability allows any unauthenticated user/client to make Grafana send HTTP requests to any URL and return its result to the user/client. This can be used to gain information about the network that Grafana is running on. Furthermore, passing invalid URL objects could be used for DOS'ing Grafana via SegFault.