Security: Insufficient signature verification in caasp-container-manifests
Name: Insufficient signature verification in caasp-container-manifests
ID: SUSE-SU-2019:0537-1
Distribution: SUSE
Platforms: SUSE CaaS Platform 3.0
Date: Sat, 2 March 2019, 09:10
References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000539
Applications: caasp-container-manifests

Original message

SUSE Security Update: Security update for caasp-container-manifests,
changelog-generator-data-sles12sp3-velum, kubernetes-salt, rubygem-aes_key_wrap,
rubygem-json-jwt, sles12sp3-velum-image, velum
______________________________________________________________________________

Announcement ID: SUSE-SU-2019:0537-1
Rating: important
References: #1121145 #1121162 #1121165 #1121166
Cross-References: CVE-2018-1000539
Affected Products:
SUSE CaaS Platform 3.0
______________________________________________________________________________

An update that solves one vulnerability and has three fixes
is now available.

Description:


This update for caasp-container-manifests,
changelog-generator-data-sles12sp3-velum, kubernetes-salt,
rubygem-aes_key_wrap, rubygem-json-jwt, sles12sp3-velum-image, velum
provides the following fixes:

Security issue fixed in rubygem-json-jwt and velum:

- CVE-2018-1000539: Fixed improper verification of the authentication tag
when decrypting AES-GCM encrypted JSON Web Tokens (JWE): a tampered token
with a forged authentication tag could be accepted as valid. (bsc#1099243,
bsc#1121166)
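
The failure mode behind the CVE, as an added example that is not json-jwt's or velum's code: in OpenSSL's GCM API the plaintext comes out of `update`, and the tag is only compared in `final`, so a decryptor that skips `final` (or accepts a tag of any length) silently accepts a tampered token. The layout below follows JWE content encryption with `"enc":"A256GCM"` (protected header as AAD; IV, ciphertext and 128-bit tag carried with the token); the key, header and payload are constructed for the demonstration.

```ruby
require 'openssl'
require 'securerandom'

TAG_BYTES = 16

# AES-256-GCM encryption in the JWE arrangement: the protected header is
# the additional authenticated data, the IV is fresh per message.
def gcm_encrypt(key, aad, plaintext)
  cipher = OpenSSL::Cipher.new('aes-256-gcm')
  cipher.encrypt
  cipher.key = key
  iv = cipher.random_iv              # 96-bit IV, generated and set
  cipher.auth_data = aad
  ciphertext = cipher.update(plaintext) + cipher.final
  [iv, ciphertext, cipher.auth_tag]  # 16-byte tag by default
end

# Vulnerable pattern: only #update is called. GCM is CTR mode underneath,
# so #update already returns the plaintext; the tag is checked in #final,
# which never runs here. Any ciphertext with any tag is accepted.
def gcm_decrypt_unchecked(key, aad, iv, ciphertext, tag)
  cipher = OpenSSL::Cipher.new('aes-256-gcm')
  cipher.decrypt
  cipher.key = key
  cipher.iv = iv
  cipher.auth_tag = tag
  cipher.auth_data = aad
  cipher.update(ciphertext)          # BUG: no #final, tag never verified
end

# Fixed pattern: #final verifies the tag and raises on mismatch. The length
# check matters as well: OpenSSL compares only as many tag bytes as were
# supplied, so a 1-byte tag would give an attacker a 1-in-256 forgery.
def gcm_decrypt_checked(key, aad, iv, ciphertext, tag)
  raise ArgumentError, 'authentication tag must be 16 bytes' unless tag.bytesize == TAG_BYTES
  cipher = OpenSSL::Cipher.new('aes-256-gcm')
  cipher.decrypt
  cipher.key = key
  cipher.iv = iv
  cipher.auth_tag = tag
  cipher.auth_data = aad
  cipher.update(ciphertext) + cipher.final   # OpenSSL::Cipher::CipherError on a bad tag
end

# Flip one ciphertext bit, as a network attacker could, and feed the result
# to both decryptors. Returns [what the unchecked one produced, whether the
# checked one rejected it].
def tamper_demo(key, aad, plaintext)
  iv, ct, tag = gcm_encrypt(key, aad, plaintext)
  tampered = ct.dup
  tampered.setbyte(0, tampered.getbyte(0) ^ 0x01)  # CTR malleability: the same plaintext bit flips
  unchecked = gcm_decrypt_unchecked(key, aad, iv, tampered, tag)
  rejected = begin
    gcm_decrypt_checked(key, aad, iv, tampered, tag)
    false
  rescue OpenSSL::Cipher::CipherError
    true
  end
  [unchecked, rejected]
end

if $PROGRAM_NAME == __FILE__
  key = SecureRandom.random_bytes(32)
  aad = '{"alg":"dir","enc":"A256GCM"}'   # constructed JWE protected header
  unchecked, rejected = tamper_demo(key, aad, 'sub=alice')
  puts "unchecked decryptor returned: #{unchecked.inspect}"   # "rub=alice", no error
  puts "checked decryptor rejected the tampered token: #{rejected}"
end
```

The unchecked decryptor hands back `rub=alice` for a token whose first ciphertext byte was flipped, with no indication that anything was wrong; the checked one raises. When auditing a JWE library, look for both points: that `final` (or the library's equivalent) is reached on every decryption path, and that the tag length is pinned to what the `enc` algorithm specifies.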

caasp-container-manifests:

- Disable the kubelet servers on the admin node. The admin node is not
part of the Kubernetes cluster, so the kubelet endpoints that the user or
the API server would normally interact with are not needed there. On the
admin node only, all endpoints the kubelet usually exposes (healthz and
the server) are therefore disabled. (bsc#1121145)

kubernetes-salt:

- haproxy: Block requests to the /internal-api endpoint. The internal API
endpoints expose sensitive data and must not be reachable from the
internet. This internal API was developed inside the velum project, and
haproxy was forwarding requests to it. Velum listens on 0.0.0.0, so the
block has to be applied for that specific path: with this change any
request whose path starts with /internal-api is rejected. (bsc#1121162)
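
What such a prefix block looks like in HAProxy, as an added illustration rather than the kubernetes-salt change itself. The port, certificate path, backend address and names are assumptions; the pre-fix frontend is shown commented out beside the fixed one.

```haproxy
frontend velum-https
    bind *:443 ssl crt /etc/haproxy/velum.pem

    # Before the fix: every request, /internal-api/... included, was
    # forwarded to Velum.
    #
    # default_backend velum

    # After the fix: match the path prefix and deny before any routing.
    # path_beg is a literal prefix test, so /internal-api, /internal-api/
    # and /internal-apifoo are all rejected, which is the intended scope.
    acl internal_api path_beg -i /internal-api
    http-request deny if internal_api
    default_backend velum

backend velum
    server velum 127.0.0.1:3000 check
```

Check it with `curl -ki https://<admin-node>/internal-api/` (expect HTTP 403) and with a normal dashboard path (expect the usual response). Two caveats a reviewer would raise: the proxy rule is only a barrier if the Velum port is not itself reachable from outside, so with Velum bound to 0.0.0.0 the host firewall should allow that port from the proxy only; and the ACL sees the path as sent, so verify that variants a backend might normalise to the same route (for example a doubled leading slash) are also refused, applying `http-request normalize-uri` before the ACL on HAProxy 2.4 or later.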

velum:

- Changed the kubeconfig download from a GET to a POST request. The
download was previously done via GET, and the content of the file could
easily be modified through URL parameters. Switching to POST puts the
request under the application's CSRF protection, which is not applied to
GET requests. (bsc#1121165)
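
Why the method change matters, as an added example that is not velum's code: Rails-style CSRF protection treats GET and HEAD as safe and never checks them, and only other methods must present a token matching the session's. The handler below models the kubeconfig download before (GET allowed) and after (POST only); the parameter names, the session layout and the kubeconfig shape are assumptions made for the illustration.

```ruby
require 'securerandom'

module CsrfGuard
  def self.new_token
    SecureRandom.hex(32)
  end

  # Constant-time comparison so the token cannot be guessed byte by byte
  # from response timing.
  def self.secure_equal?(a, b)
    return false unless a.is_a?(String) && b.is_a?(String) && a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # The "verified request" rule: safe methods pass unconditionally, which
  # is exactly why a GET endpoint gets no CSRF protection at all.
  def self.verified_request?(method, session_token, param_token)
    return true if %w[GET HEAD].include?(method)
    secure_equal?(session_token, param_token)
  end
end

# Builds the downloaded kubeconfig from request parameters, mirroring the
# advisory's point that URL parameters could shape the file content.
# allow_get: true models the old route, false the fixed one.
# Returns [http_status, body].
def kubeconfig_download(method:, params:, session:, allow_get:)
  allowed = allow_get ? %w[GET POST] : %w[POST]
  return [405, ''] unless allowed.include?(method)
  unless CsrfGuard.verified_request?(method, session[:csrf_token], params['authenticity_token'])
    return [422, '']
  end
  body = "apiVersion: v1\nclusters:\n- name: #{params['cluster']}\n" \
         "  cluster:\n    server: #{params['server']}\n"
  [200, body]
end

if $PROGRAM_NAME == __FILE__
  session = { csrf_token: CsrfGuard.new_token }
  # A link an attacker could send the victim: the server value is theirs.
  evil = { 'cluster' => 'caasp', 'server' => 'https://attacker.example' }
  puts kubeconfig_download(method: 'GET', params: evil, session: session, allow_get: true).inspect   # 200, attacker server
  puts kubeconfig_download(method: 'GET', params: evil, session: session, allow_get: false).inspect  # 405
  puts kubeconfig_download(method: 'POST', params: evil, session: session, allow_get: false).inspect # 422, no token
end
```

With the old route a victim following a crafted link receives a kubeconfig pointing at the attacker's server; with the POST-only route a cross-site form submission fails the token check because the attacker cannot read the victim's session token. Moving a sensitive endpoint to POST is only effective while the token check is actually enforced for that action, so confirm the controller does not skip forgery verification for it.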


Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- SUSE CaaS Platform 3.0:

To install this update, use the SUSE CaaS Platform Velum dashboard.
It will inform you if it detects new updates and let you then trigger
updating of the complete cluster in a controlled way.



Package List:

- SUSE CaaS Platform 3.0 (x86_64):

sles12-velum-image-3.1.10-3.36.3

- SUSE CaaS Platform 3.0 (noarch):

caasp-container-manifests-3.0.0+git_r297_c3bfc41-3.9.1
kubernetes-salt-3.0.0+git_r935_34ce12d-3.50.1


References:

https://www.suse.com/security/cve/CVE-2018-1000539.html
https://bugzilla.suse.com/1121145
https://bugzilla.suse.com/1121162
https://bugzilla.suse.com/1121165
https://bugzilla.suse.com/1121166

_______________________________________________
sle-security-updates mailing list
sle-security-updates@lists.suse.com
http://lists.suse.com/mailman/listinfo/sle-security-updates