Description
ELSA-2021-9028: olcne security update (IMPORTANT)
kubernetes [1.18.10-3]
- Kata CVE-2020-28914
kata-proxy [1.11.5-1]
- Added Oracle Specific Build Files for kata-proxy
kata-shim [1.11.5-1]
- Added Oracle Specific Build Files for kata-shim
kata-ksm-throttler [1.11.5-1]
- Added Oracle Specific Build Files for kata-ksm-throttler
kata-runtime [1.11.5-1]
- Added Oracle Specific Files For kata-runtime
kata-agent [1.11.5-1]
- Added Oracle Specific Build Files for kata-agent
kata-image [1.11.5-1]
- Added Oracle Specific Build Files for kata-image
kata [1.11.5-2]
- Update to kata 1.11.5
olcne [1.2.2-1]
- Address CVE-2020-28914: An improper file permissions vulnerability affects Kata Containers prior to 1.11.5
[1.2.1-1]
- Enhance the Kubernetes module to restrict the usage of external IPs
- Address CVE-2020-8554: man-in-the-middle vulnerability using Kubernetes service External IPs
[1.2.0-4]
- Add support for deprecating module args
Updated packages
Oracle Linux 7
Oracle Linux x86_64
kata                    1.11.5-2.el7
kata-agent              1.11.5-1.el7
kata-image              1.11.5-1.1.ol7_202101151825
kata-ksm-throttler      1.11.5-1.el7
kata-proxy              1.11.5-1.el7
kata-runtime            1.11.5-1.el7
kata-shim               1.11.5-1.el7
kubeadm                 1.18.10-3.el7
kubectl                 1.18.10-3.el7
kubelet                 1.18.10-3.el7
olcne-agent             1.2.2-1.el7
olcne-api-server        1.2.2-1.el7
olcne-istio-chart       1.2.2-1.el7
olcne-nginx             1.2.2-1.el7
olcne-prometheus-chart  1.2.2-1.el7
olcne-utils             1.2.2-1.el7
olcnectl                1.2.2-1.el7
Oracle Linux 8
Oracle Linux x86_64
kata                    1.11.5-2.el8
kata-agent              1.11.5-1.el8
kata-image              1.11.5-1.1.ol8_202101151826
kata-ksm-throttler      1.11.5-1.el8
kata-proxy              1.11.5-1.el8
kata-runtime            1.11.5-1.el8
kata-shim               1.11.5-1.el8
kubeadm                 1.18.10-3.el8
kubectl                 1.18.10-3.el8
kubelet                 1.18.10-3.el8
olcne-agent             1.2.2-1.el8
olcne-api-server        1.2.2-1.el8
olcne-istio-chart       1.2.2-1.el8
olcne-nginx             1.2.2-1.el8
olcne-prometheus-chart  1.2.2-1.el8
olcne-utils             1.2.2-1.el8
olcnectl                1.2.2-1.el8
Related CVEs
Related vulnerabilities
An improper file permissions vulnerability affects Kata Containers prior to 1.11.5. When using a Kubernetes hostPath volume and mounting either a file or directory into a container as readonly, the file/directory is mounted as readOnly inside the container, but is still writable inside the guest. For a container breakout situation, a malicious guest can potentially modify or delete files/directories expected to be read-only.
Kubernetes API server in all versions allows an attacker who is able to create a ClusterIP service and set the spec.externalIPs field to intercept traffic to that IP address. Additionally, an attacker who is able to patch the status (which is considered a privileged operation and should not typically be granted to users) of a LoadBalancer service can set the status.loadBalancer.ingress.ip to similar effect.