Description
ELSA-2020-5765: Unbreakable Enterprise kernel-container kata-image kata-runtime kata kubernetes kubernetes istio olcne security update (IMPORTANT)
kernel-uek-container [4.14.35-1902.303.5.3.el7]
- rds: Deregister all FRWR mr with free_mr (Hans Westgaard Ry) [Orabug: 31476202]
- Revert 'rds: Do not cancel RDMAs that have been posted to the HCA' (Gerd Rausch) [Orabug: 31475329]
- Revert 'rds: Introduce rds_conn_to_path helper' (Gerd Rausch) [Orabug: 31475329]
- Revert 'rds: Three cancel fixes' (Gerd Rausch) [Orabug: 31475318]
[4.14.35-1902.303.5.2.el7]
- rds: Three cancel fixes (Hakon Bugge) [Orabug: 31463014]
[4.14.35-1902.303.5.1.el7]
- x86/speculation: Add SRBDS vulnerability and mitigation documentation (Mark Gross) [Orabug: 31446720] {CVE-2020-0543}
- x86/speculation: Add Special Register Buffer Data Sampling (SRBDS) mitigation (Mark Gross) [Orabug: 31446720] {CVE-2020-0543}
- x86/cpu: Add 'table' argument to cpu_matches() (Mark Gross) [Orabug: 31446720] {CVE-2020-0543}
- x86/cpu: Add a steppings field to struct x86_cpu_id (Mark Gross) [Orabug: 31446720] {CVE-2020-0543}
[4.14.35-1902.303.5.el7]
- net/mlx5: Decrease default mr cache size (Artemy Kovalyov) [Orabug: 31446379]
[4.14.35-1902.303.4.el7]
- net/rds: suppress memory allocation failure reports (Manjunath Patil) [Orabug: 31422157]
- rds: Do not cancel RDMAs that have been posted to the HCA (Hakon Bugge) [Orabug: 31422151]
- rds: Introduce rds_conn_to_path helper (Hakon Bugge) [Orabug: 31422151]
kata-image [1.7.3-1.0.5.1]
- Address Kata CVE-2020-2023
kata-runtime [1.7.3-1.0.5]
- Address Kata CVE-2020-2023
- Address Kata CVE-2020-2024
- Address Kata CVE-2020-2025
- Address Kata CVE-2020-2026
kata [1.7.3-1.0.7]
- Address CVE-2020-2023
- Address CVE-2020-2024
- Address CVE-2020-2025
- Address CVE-2020-2026
kubernetes [1.14.9-1.0.6]
- CVE-2020-8559: Privilege escalation from compromised node to cluster
- CVE-2020-8557: Node disk DOS by writing to container /etc/hosts
[1.14.9-1.0.5]
- Update dependency on Kata containers to a build that includes fixes for CVE-2020-2023 thru CVE-2020-2026
kubernetes [1.17.9-1.0.1.el7]
- Added Oracle specific build files for Kubernetes
istio [1.4.10-1.0.1]
- CVE-2020-15104: Incorrect validation of wildcard DNS Subject Alternative Names
[1.4.10-1.0.0]
- Added Oracle Specific Build Files for istio/istio
olcne [1.1.2-6]
- Include kata-runtime in the default template
[1.1.2-5]
- CVE-2020-8559: Privilege escalation from compromised node to cluster
- CVE-2020-8557: Node disk DOS by writing to container /etc/hosts
[1.1.2-4]
- Update arguments added for istio module.
[1.1.2-3]
- Ensure Istio sidecar injector uses valid executable
[1.1.2-2]
- Update Kubernetes to use Kata 1.7.3-1.0.7 to address CVE-2020-2023 thru CVE-2020-2026
[1.1.2-1]
- Added istio-1.4.10 charts and updated istio.yaml to use istio-1.4.10
Updated packages
Oracle Linux 7
Oracle Linux x86_64
istio
1.4.10-1.0.1.el7
istio-citadel
1.4.10-1.0.1.el7
istio-galley
1.4.10-1.0.1.el7
istio-istioctl
1.4.10-1.0.1.el7
istio-mixc
1.4.10-1.0.1.el7
istio-mixs
1.4.10-1.0.1.el7
istio-node-agent
1.4.10-1.0.1.el7
istio-pilot-agent
1.4.10-1.0.1.el7
istio-pilot-discovery
1.4.10-1.0.1.el7
istio-proxy-init
1.4.10-1.0.1.el7
istio-sidecar-injector
1.4.10-1.0.1.el7
kata
1.7.3-1.0.7.el7
kata-image
1.7.3-1.0.5.1.ol7_202007011859
kata-runtime
1.7.3-1.0.5.el7
kernel-uek-container
4.14.35-1902.303.5.3.el7
kubeadm
1.14.9-1.0.6.el7
kubeadm
1.17.9-1.0.1.el7
kubectl
1.14.9-1.0.6.el7
kubectl
1.17.9-1.0.1.el7
kubelet
1.14.9-1.0.6.el7
kubelet
1.17.9-1.0.1.el7
olcne-agent
1.1.2-6.el7
olcne-api-server
1.1.2-6.el7
olcne-istio-chart
1.1.2-6.el7
olcne-nginx
1.1.2-6.el7
olcne-prometheus-chart
1.1.2-6.el7
olcne-utils
1.1.2-6.el7
olcnectl
1.1.2-6.el7
Source references
Related vulnerabilities
A hard-coded cryptographic key vulnerability in the default configuration file was found in Kiali, all versions prior to 1.15.1. A remote attacker could abuse this flaw by creating their own JWT signed tokens and bypass Kiali authentication mechanisms, possibly gaining privileges to view and alter the Istio configuration.
A vulnerability in Kiali, the management console for the Istio-based service mesh, caused by the use of a hard-coded cryptographic key, which allows an attacker to escalate privileges.
In Envoy before versions 1.12.6, 1.13.4, 1.14.4, and 1.15.0 when validating TLS certificates, Envoy would incorrectly allow a wildcard DNS Subject Alternative Name apply to multiple subdomains. For example, with a SAN of *.example.com, Envoy would incorrectly allow nested.subdomain.example.com, when it should only allow subdomain.example.com. This defect applies to both validating a client TLS certificate in mTLS, and validating a server TLS certificate for upstream connections. This vulnerability is only applicable to situations where an untrusted entity can obtain a signed wildcard TLS certificate for a domain of which you only intend to trust a subdomain of. For example, if you intend to trust api.mysubdomain.example.com, and an untrusted actor can obtain a signed TLS certificate for *.example.com or *.com. Configurations are vulnerable if they use verify_subject_alt_name in any Envoy version, or if they use match_subject_alt_names in version 1.14 or later. This issue has been fi...
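The wildcard SAN defect above is easiest to see side by side: a loose matcher that treats `*.example.com` as a bare domain suffix, and a strict one that lets the wildcard stand in for exactly one DNS label as RFC 6125 section 6.4.3 requires. The following is an added illustration written for this page, not Envoy's or Istio's code; the function names `matchSANLoose`, `matchSANStrict` and `peerCertTrusted` and the sample names are assumptions chosen to mirror the scenario in the advisory text (a deployment that intends to trust only `api.mysubdomain.example.com`, facing a peer that holds a certificate for `*.example.com`).

```go
package main

import (
	"fmt"
	"strings"
)

// matchSANLoose models the pre-fix behaviour described for
// CVE-2020-15104 (illustrative, not Envoy's implementation): a
// wildcard pattern is applied as a plain suffix match, so a
// certificate for *.example.com also satisfies any deeper name
// such as nested.subdomain.example.com.
func matchSANLoose(pattern, host string) bool {
	pattern = strings.ToLower(pattern)
	host = strings.ToLower(host)
	if !strings.HasPrefix(pattern, "*.") {
		return pattern == host
	}
	suffix := pattern[1:] // ".example.com"
	return len(host) > len(suffix) && strings.HasSuffix(host, suffix)
}

// matchSANStrict is the hardened form: the wildcard must be the whole
// left-most label, may replace exactly one label of the host, and is
// refused when fewer than two labels follow it, so "*.com" never
// matches anything (RFC 6125 section 6.4.3).
func matchSANStrict(pattern, host string) bool {
	pattern = strings.ToLower(pattern)
	host = strings.ToLower(host)
	if !strings.HasPrefix(pattern, "*.") {
		return pattern == host
	}
	rest := pattern[2:] // "example.com"
	if strings.Count(rest, ".") < 1 || strings.Contains(rest, "*") {
		return false
	}
	i := strings.IndexByte(host, '.')
	if i <= 0 { // no label before the first dot, or empty left label
		return false
	}
	return host[i+1:] == rest
}

// peerCertTrusted applies a matcher to every SAN on the presented
// certificate against the single name the deployment intends to trust.
// This mirrors the verify_subject_alt_name style check: the peer is
// accepted if any certificate SAN matches the configured name.
func peerCertTrusted(certSANs []string, expected string, match func(pattern, host string) bool) bool {
	for _, san := range certSANs {
		if match(san, expected) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed scenario: the operator only wants to trust
	// api.mysubdomain.example.com, but an untrusted party holds a
	// certificate whose SAN is the broader wildcard *.example.com.
	trusted := "api.mysubdomain.example.com"
	attackerCert := []string{"*.example.com"}

	fmt.Printf("loose matcher accepts attacker cert:  %v\n",
		peerCertTrusted(attackerCert, trusted, matchSANLoose)) // true: the defect
	fmt.Printf("strict matcher accepts attacker cert: %v\n",
		peerCertTrusted(attackerCert, trusted, matchSANStrict)) // false: fixed
	fmt.Printf("strict matcher, one-label wildcard:   %v\n",
		matchSANStrict("*.example.com", "subdomain.example.com")) // true: intended use
}
```

The fix does not change anything for exact SANs; only certificates carrying wildcards behave differently, which is why the advisory limits exposure to cases where an untrusted entity can obtain a signed wildcard certificate for a parent domain.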