Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2019-14854
Vulnerability from cvelistv5
Published
2020-01-07 16:36
Modified
2024-08-05 00:26
Severity ?
EPSS score ?
Summary
OpenShift Container Platform 4 does not sanitize secret data written to static pod logs when the log level in a given operator is set to Debug or higher. A low privileged user could read pod logs to discover secret material if the log level has already been modified in an operator by a privileged user.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| secalert@redhat.com | https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14854 | Exploit, Issue Tracking, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14854 | Exploit, Issue Tracking, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | Red Hat | library-go |
Version: As shipped with Openshift 4.x |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T00:26:39.141Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14854"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "library-go",
"vendor": "Red Hat",
"versions": [
{
"status": "affected",
"version": "As shipped with Openshift 4.x"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenShift Container Platform 4 does not sanitize secret data written to static pod logs when the log level in a given operator is set to Debug or higher. A low privileged user could read pod logs to discover secret material if the log level has already been modified in an operator by a privileged user."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-117",
"description": "CWE-117",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-01-07T16:36:45",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14854"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2019-14854",
"datePublished": "2020-01-07T16:36:45",
"dateReserved": "2019-08-10T00:00:00",
"dateUpdated": "2024-08-05T00:26:39.141Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:openshift_container_platform:4.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"064E7BDD-4EF0-4A0D-A38D-8C75BAFEDCEF\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:openshift_container_platform:4.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"4C85A84D-A70F-4B02-9E5D-CD9660ABF048\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"OpenShift Container Platform 4 does not sanitize secret data written to static pod logs when the log level in a given operator is set to Debug or higher. A low privileged user could read pod logs to discover secret material if the log level has already been modified in an operator by a privileged user.\"}, {\"lang\": \"es\", \"value\": \"OpenShift Container Platform versi\\u00f3n 4, no sanea los datos secretos escritos en registros pod est\\u00e1ticos cuando el nivel de registro en un operador dado es establecido en Debug o superior. Un usuario poco privilegiado podr\\u00eda leer registros pod para detectar material secreto si el nivel de registro ya ha sido modificado en un operador por parte de un usuario privilegiado.\"}]",
"id": "CVE-2019-14854",
"lastModified": "2024-11-21T04:27:30.247",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\", \"baseScore\": 6.5, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 3.6}], \"cvssMetricV30\": [{\"source\": \"secalert@redhat.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.0\", \"vectorString\": \"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N\", \"baseScore\": 5.3, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 1.6, \"impactScore\": 3.6}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:S/C:P/I:N/A:N\", \"baseScore\": 4.0, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"SINGLE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.0, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
"published": "2020-01-07T17:15:11.267",
"references": "[{\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14854\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Exploit\", \"Issue Tracking\", \"Third Party Advisory\"]}, {\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14854\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Issue Tracking\", \"Third Party Advisory\"]}]",
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"secalert@redhat.com\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-117\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-532\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2019-14854\",\"sourceIdentifier\":\"secalert@redhat.com\",\"published\":\"2020-01-07T17:15:11.267\",\"lastModified\":\"2024-11-21T04:27:30.247\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"OpenShift Container Platform 4 does not sanitize secret data written to static pod logs when the log level in a given operator is set to Debug or higher. A low privileged user could read pod logs to discover secret material if the log level has already been modified in an operator by a privileged user.\"},{\"lang\":\"es\",\"value\":\"OpenShift Container Platform versi\u00f3n 4, no sanea los datos secretos escritos en registros pod est\u00e1ticos cuando el nivel de registro en un operador dado es establecido en Debug o superior. Un usuario poco privilegiado podr\u00eda leer registros pod para detectar material secreto si el nivel de registro ya ha sido modificado en un operador por parte de un usuario privilegiado.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}],\"cvssMetricV30\":[{\"source\":\"secalert@redhat.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.6,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:S/C:P/I:N/A:N\",\"baseScore\":4.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"secalert@redhat.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-117\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-532\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:openshift_container_platform:4.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"064E7BDD-4EF0-4A0D-A38D-8C75BAFEDCEF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:openshift_container_platform:4.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4C85A84D-A70F-4B02-9E5D-CD9660ABF048\"}]}]}],\"references\":[{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14854\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Exploit\",\"Issue Tracking\",\"Third Party Advisory\"]},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14854\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Issue Tracking\",\"Third Party Advisory\"]}]}}"
}
}
gsd-2019-14854
Vulnerability from gsd
Modified
2023-12-13 01:23
Details
OpenShift Container Platform 4 does not sanitize secret data written to static pod logs when the log level in a given operator is set to Debug or higher. A low privileged user could read pod logs to discover secret material if the log level has already been modified in an operator by a privileged user.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2019-14854",
"description": "OpenShift Container Platform 4 does not sanitize secret data written to static pod logs when the log level in a given operator is set to Debug or higher. A low privileged user could read pod logs to discover secret material if the log level has already been modified in an operator by a privileged user.",
"id": "GSD-2019-14854",
"references": [
"https://access.redhat.com/errata/RHSA-2019:4098",
"https://access.redhat.com/errata/RHSA-2019:4091",
"https://access.redhat.com/errata/RHSA-2019:4081",
"https://access.redhat.com/errata/RHSA-2019:4075"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2019-14854"
],
"details": "OpenShift Container Platform 4 does not sanitize secret data written to static pod logs when the log level in a given operator is set to Debug or higher. A low privileged user could read pod logs to discover secret material if the log level has already been modified in an operator by a privileged user.",
"id": "GSD-2019-14854",
"modified": "2023-12-13T01:23:53.009895Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2019-14854",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "library-go",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "As shipped with Openshift 4.x"
}
]
}
}
]
},
"vendor_name": "Red Hat"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "OpenShift Container Platform 4 does not sanitize secret data written to static pod logs when the log level in a given operator is set to Debug or higher. A low privileged user could read pod logs to discover secret material if the log level has already been modified in an operator by a privileged user."
}
]
},
"impact": {
"cvss": [
{
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"cweId": "CWE-117",
"lang": "eng",
"value": "CWE-117"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14854",
"refsource": "MISC",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14854"
}
]
}
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:redhat:openshift_container_platform:4.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:openshift_container_platform:4.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2019-14854"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "OpenShift Container Platform 4 does not sanitize secret data written to static pod logs when the log level in a given operator is set to Debug or higher. A low privileged user could read pod logs to discover secret material if the log level has already been modified in an operator by a privileged user."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-117"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14854",
"refsource": "CONFIRM",
"tags": [
"Exploit",
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14854"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": false
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6
}
},
"lastModifiedDate": "2023-02-12T23:35Z",
"publishedDate": "2020-01-07T17:15Z"
}
}
}
rhsa-2019:4091
Vulnerability from csaf_redhat
Published
2019-12-17 07:38
Modified
2024-11-22 14:13
Summary
Red Hat Security Advisory: OpenShift Container Platform 4.1 library-go security update
Notes
Topic
An update for ose-cluster-kube-controller-manager-operator-container and ose-cluster-kube-scheduler-operator-container is now available for Red Hat OpenShift Container Platform 4.1.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.
Security Fix(es):
* library-go: Secret data written to static pod logs when operator set at Debug level or higher (CVE-2019-14854)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for ose-cluster-kube-controller-manager-operator-container and ose-cluster-kube-scheduler-operator-container is now available for Red Hat OpenShift Container Platform 4.1.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat OpenShift Container Platform is Red Hat\u0027s cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.\n\nSecurity Fix(es):\n\n* library-go: Secret data written to static pod logs when operator set at Debug level or higher (CVE-2019-14854)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2019:4091",
"url": "https://access.redhat.com/errata/RHSA-2019:4091"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "1758953",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1758953"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2019/rhsa-2019_4091.json"
}
],
"title": "Red Hat Security Advisory: OpenShift Container Platform 4.1 library-go security update",
"tracking": {
"current_release_date": "2024-11-22T14:13:53+00:00",
"generator": {
"date": "2024-11-22T14:13:53+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2019:4091",
"initial_release_date": "2019-12-17T07:38:40+00:00",
"revision_history": [
{
"date": "2019-12-17T07:38:40+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2019-12-17T07:38:40+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-22T14:13:53+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenShift Container Platform 4.1",
"product": {
"name": "Red Hat OpenShift Container Platform 4.1",
"product_id": "7Server-RH7-RHOSE-4.1",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift:4.1::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenShift Enterprise"
},
{
"branches": [
{
"category": "product_version",
"name": "openshift4/ose-cluster-kube-controller-manager-operator@sha256:ecea024bd816fef064d79d1f88a0f921a9d8bccd1595f4dfe1251b3c867ff1c8_amd64",
"product": {
"name": "openshift4/ose-cluster-kube-controller-manager-operator@sha256:ecea024bd816fef064d79d1f88a0f921a9d8bccd1595f4dfe1251b3c867ff1c8_amd64",
"product_id": "openshift4/ose-cluster-kube-controller-manager-operator@sha256:ecea024bd816fef064d79d1f88a0f921a9d8bccd1595f4dfe1251b3c867ff1c8_amd64",
"product_identification_helper": {
"purl": "pkg:oci/ose-cluster-kube-controller-manager-operator@sha256:ecea024bd816fef064d79d1f88a0f921a9d8bccd1595f4dfe1251b3c867ff1c8?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-cluster-kube-controller-manager-operator\u0026tag=v4.1.27-201912030019"
}
}
},
{
"category": "product_version",
"name": "openshift4/ose-cluster-kube-scheduler-operator@sha256:cc4f57f436724b1d52988bd6ca168aedc0119e1df9af82714572189524536561_amd64",
"product": {
"name": "openshift4/ose-cluster-kube-scheduler-operator@sha256:cc4f57f436724b1d52988bd6ca168aedc0119e1df9af82714572189524536561_amd64",
"product_id": "openshift4/ose-cluster-kube-scheduler-operator@sha256:cc4f57f436724b1d52988bd6ca168aedc0119e1df9af82714572189524536561_amd64",
"product_identification_helper": {
"purl": "pkg:oci/ose-cluster-kube-scheduler-operator@sha256:cc4f57f436724b1d52988bd6ca168aedc0119e1df9af82714572189524536561?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-cluster-kube-scheduler-operator\u0026tag=v4.1.27-201912030019"
}
}
}
],
"category": "architecture",
"name": "amd64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift4/ose-cluster-kube-controller-manager-operator@sha256:ecea024bd816fef064d79d1f88a0f921a9d8bccd1595f4dfe1251b3c867ff1c8_amd64 as a component of Red Hat OpenShift Container Platform 4.1",
"product_id": "7Server-RH7-RHOSE-4.1:openshift4/ose-cluster-kube-controller-manager-operator@sha256:ecea024bd816fef064d79d1f88a0f921a9d8bccd1595f4dfe1251b3c867ff1c8_amd64"
},
"product_reference": "openshift4/ose-cluster-kube-controller-manager-operator@sha256:ecea024bd816fef064d79d1f88a0f921a9d8bccd1595f4dfe1251b3c867ff1c8_amd64",
"relates_to_product_reference": "7Server-RH7-RHOSE-4.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift4/ose-cluster-kube-scheduler-operator@sha256:cc4f57f436724b1d52988bd6ca168aedc0119e1df9af82714572189524536561_amd64 as a component of Red Hat OpenShift Container Platform 4.1",
"product_id": "7Server-RH7-RHOSE-4.1:openshift4/ose-cluster-kube-scheduler-operator@sha256:cc4f57f436724b1d52988bd6ca168aedc0119e1df9af82714572189524536561_amd64"
},
"product_reference": "openshift4/ose-cluster-kube-scheduler-operator@sha256:cc4f57f436724b1d52988bd6ca168aedc0119e1df9af82714572189524536561_amd64",
"relates_to_product_reference": "7Server-RH7-RHOSE-4.1"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2019-14854",
"cwe": {
"id": "CWE-117",
"name": "Improper Output Neutralization for Logs"
},
"discovery_date": "2019-09-20T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1758953"
}
],
"notes": [
{
"category": "description",
"text": "OpenShift Container Platform 4 does not sanitize secret data written to static pod logs when the log level in a given operator is set to Debug or higher. A low privileged user could read pod logs to discover secret material if the log level has already been modified in an operator by a privileged user.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "library-go: Secret data written to static pod logs when operator set at Debug level or higher",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOSE-4.1:openshift4/ose-cluster-kube-controller-manager-operator@sha256:ecea024bd816fef064d79d1f88a0f921a9d8bccd1595f4dfe1251b3c867ff1c8_amd64",
"7Server-RH7-RHOSE-4.1:openshift4/ose-cluster-kube-scheduler-operator@sha256:cc4f57f436724b1d52988bd6ca168aedc0119e1df9af82714572189524536561_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-14854"
},
{
"category": "external",
"summary": "RHBZ#1758953",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1758953"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-14854",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-14854"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-14854",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14854"
}
],
"release_date": "2019-10-07T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-12-17T07:38:40+00:00",
"details": "For OpenShift Container Platform 4.1 see the following documentation, which will be updated shortly for release 4.1.27, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.1/release_notes/ocp-4-1-release-notes.html\n\nDetails on how to access this content are available at https://docs.openshift.com/container-platform/4.1/updating/updating-cluster-cli.html.",
"product_ids": [
"7Server-RH7-RHOSE-4.1:openshift4/ose-cluster-kube-controller-manager-operator@sha256:ecea024bd816fef064d79d1f88a0f921a9d8bccd1595f4dfe1251b3c867ff1c8_amd64",
"7Server-RH7-RHOSE-4.1:openshift4/ose-cluster-kube-scheduler-operator@sha256:cc4f57f436724b1d52988bd6ca168aedc0119e1df9af82714572189524536561_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:4091"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"products": [
"7Server-RH7-RHOSE-4.1:openshift4/ose-cluster-kube-controller-manager-operator@sha256:ecea024bd816fef064d79d1f88a0f921a9d8bccd1595f4dfe1251b3c867ff1c8_amd64",
"7Server-RH7-RHOSE-4.1:openshift4/ose-cluster-kube-scheduler-operator@sha256:cc4f57f436724b1d52988bd6ca168aedc0119e1df9af82714572189524536561_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "library-go: Secret data written to static pod logs when operator set at Debug level or higher"
}
]
}
rhsa-2019_4081
Vulnerability from csaf_redhat
Published
2019-12-04 13:54
Modified
2024-11-22 14:13
Summary
Red Hat Security Advisory: OpenShift Container Platform 4.1 ose-cluster-kube-apiserver-operator-container security update
Notes
Topic
An update for ose-cluster-kube-apiserver-operator-container is now available for Red Hat OpenShift Container Platform 4.1.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.
Security Fix(es):
* library-go: Secret data written to static pod logs when operator set at Debug level or higher (CVE-2019-14854)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for ose-cluster-kube-apiserver-operator-container is now available for Red Hat OpenShift Container Platform 4.1.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat OpenShift Container Platform is Red Hat\u0027s cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.\n\nSecurity Fix(es):\n\n* library-go: Secret data written to static pod logs when operator set at Debug level or higher (CVE-2019-14854)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2019:4081",
"url": "https://access.redhat.com/errata/RHSA-2019:4081"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "1758953",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1758953"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2019/rhsa-2019_4081.json"
}
],
"title": "Red Hat Security Advisory: OpenShift Container Platform 4.1 ose-cluster-kube-apiserver-operator-container security update",
"tracking": {
"current_release_date": "2024-11-22T14:13:42+00:00",
"generator": {
"date": "2024-11-22T14:13:42+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2019:4081",
"initial_release_date": "2019-12-04T13:54:39+00:00",
"revision_history": [
{
"date": "2019-12-04T13:54:39+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2019-12-04T13:54:39+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-22T14:13:42+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenShift Container Platform 4.1",
"product": {
"name": "Red Hat OpenShift Container Platform 4.1",
"product_id": "7Server-RH7-RHOSE-4.1",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift:4.1::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenShift Enterprise"
},
{
"branches": [
{
"category": "product_version",
"name": "openshift4/ose-cluster-kube-apiserver-operator@sha256:2fa02370090f077f1fb8dd759ff38bd3dea6d819c537528743f450752c0cf505_amd64",
"product": {
"name": "openshift4/ose-cluster-kube-apiserver-operator@sha256:2fa02370090f077f1fb8dd759ff38bd3dea6d819c537528743f450752c0cf505_amd64",
"product_id": "openshift4/ose-cluster-kube-apiserver-operator@sha256:2fa02370090f077f1fb8dd759ff38bd3dea6d819c537528743f450752c0cf505_amd64",
"product_identification_helper": {
"purl": "pkg:oci/ose-cluster-kube-apiserver-operator@sha256:2fa02370090f077f1fb8dd759ff38bd3dea6d819c537528743f450752c0cf505?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-cluster-kube-apiserver-operator\u0026tag=v4.1.26-201911260202"
}
}
}
],
"category": "architecture",
"name": "amd64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift4/ose-cluster-kube-apiserver-operator@sha256:2fa02370090f077f1fb8dd759ff38bd3dea6d819c537528743f450752c0cf505_amd64 as a component of Red Hat OpenShift Container Platform 4.1",
"product_id": "7Server-RH7-RHOSE-4.1:openshift4/ose-cluster-kube-apiserver-operator@sha256:2fa02370090f077f1fb8dd759ff38bd3dea6d819c537528743f450752c0cf505_amd64"
},
"product_reference": "openshift4/ose-cluster-kube-apiserver-operator@sha256:2fa02370090f077f1fb8dd759ff38bd3dea6d819c537528743f450752c0cf505_amd64",
"relates_to_product_reference": "7Server-RH7-RHOSE-4.1"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2019-14854",
"cwe": {
"id": "CWE-117",
"name": "Improper Output Neutralization for Logs"
},
"discovery_date": "2019-09-20T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1758953"
}
],
"notes": [
{
"category": "description",
"text": "OpenShift Container Platform 4 does not sanitize secret data written to static pod logs when the log level in a given operator is set to Debug or higher. A low privileged user could read pod logs to discover secret material if the log level has already been modified in an operator by a privileged user.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "library-go: Secret data written to static pod logs when operator set at Debug level or higher",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOSE-4.1:openshift4/ose-cluster-kube-apiserver-operator@sha256:2fa02370090f077f1fb8dd759ff38bd3dea6d819c537528743f450752c0cf505_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-14854"
},
{
"category": "external",
"summary": "RHBZ#1758953",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1758953"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-14854",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-14854"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-14854",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14854"
}
],
"release_date": "2019-10-07T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-12-04T13:54:39+00:00",
"details": "For OpenShift Container Platform 4.1 see the following documentation, which will be updated shortly for release 4.1.26, for important instructions on\nhow to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.1/release_notes/ocp-4-1-release-notes.html\n\nDetails on how to access this content are available at https://docs.openshift.com/container-platform/4.1/updating/updating-cluster-cli.html.",
"product_ids": [
"7Server-RH7-RHOSE-4.1:openshift4/ose-cluster-kube-apiserver-operator@sha256:2fa02370090f077f1fb8dd759ff38bd3dea6d819c537528743f450752c0cf505_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:4081"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"products": [
"7Server-RH7-RHOSE-4.1:openshift4/ose-cluster-kube-apiserver-operator@sha256:2fa02370090f077f1fb8dd759ff38bd3dea6d819c537528743f450752c0cf505_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "library-go: Secret data written to static pod logs when operator set at Debug level or higher"
}
]
}
rhsa-2019:4081
Vulnerability from csaf_redhat
Published
2019-12-04 13:54
Modified
2024-11-22 14:13
Summary
Red Hat Security Advisory: OpenShift Container Platform 4.1 ose-cluster-kube-apiserver-operator-container security update
Notes
Topic
An update for ose-cluster-kube-apiserver-operator-container is now available for Red Hat OpenShift Container Platform 4.1.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.
Security Fix(es):
* library-go: Secret data written to static pod logs when operator set at Debug level or higher (CVE-2019-14854)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for ose-cluster-kube-apiserver-operator-container is now available for Red Hat OpenShift Container Platform 4.1.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat OpenShift Container Platform is Red Hat\u0027s cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.\n\nSecurity Fix(es):\n\n* library-go: Secret data written to static pod logs when operator set at Debug level or higher (CVE-2019-14854)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2019:4081",
"url": "https://access.redhat.com/errata/RHSA-2019:4081"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "1758953",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1758953"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2019/rhsa-2019_4081.json"
}
],
"title": "Red Hat Security Advisory: OpenShift Container Platform 4.1 ose-cluster-kube-apiserver-operator-container security update",
"tracking": {
"current_release_date": "2024-11-22T14:13:42+00:00",
"generator": {
"date": "2024-11-22T14:13:42+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2019:4081",
"initial_release_date": "2019-12-04T13:54:39+00:00",
"revision_history": [
{
"date": "2019-12-04T13:54:39+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2019-12-04T13:54:39+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-22T14:13:42+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenShift Container Platform 4.1",
"product": {
"name": "Red Hat OpenShift Container Platform 4.1",
"product_id": "7Server-RH7-RHOSE-4.1",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift:4.1::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenShift Enterprise"
},
{
"branches": [
{
"category": "product_version",
"name": "openshift4/ose-cluster-kube-apiserver-operator@sha256:2fa02370090f077f1fb8dd759ff38bd3dea6d819c537528743f450752c0cf505_amd64",
"product": {
"name": "openshift4/ose-cluster-kube-apiserver-operator@sha256:2fa02370090f077f1fb8dd759ff38bd3dea6d819c537528743f450752c0cf505_amd64",
"product_id": "openshift4/ose-cluster-kube-apiserver-operator@sha256:2fa02370090f077f1fb8dd759ff38bd3dea6d819c537528743f450752c0cf505_amd64",
"product_identification_helper": {
"purl": "pkg:oci/ose-cluster-kube-apiserver-operator@sha256:2fa02370090f077f1fb8dd759ff38bd3dea6d819c537528743f450752c0cf505?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-cluster-kube-apiserver-operator\u0026tag=v4.1.26-201911260202"
}
}
}
],
"category": "architecture",
"name": "amd64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift4/ose-cluster-kube-apiserver-operator@sha256:2fa02370090f077f1fb8dd759ff38bd3dea6d819c537528743f450752c0cf505_amd64 as a component of Red Hat OpenShift Container Platform 4.1",
"product_id": "7Server-RH7-RHOSE-4.1:openshift4/ose-cluster-kube-apiserver-operator@sha256:2fa02370090f077f1fb8dd759ff38bd3dea6d819c537528743f450752c0cf505_amd64"
},
"product_reference": "openshift4/ose-cluster-kube-apiserver-operator@sha256:2fa02370090f077f1fb8dd759ff38bd3dea6d819c537528743f450752c0cf505_amd64",
"relates_to_product_reference": "7Server-RH7-RHOSE-4.1"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2019-14854",
"cwe": {
"id": "CWE-117",
"name": "Improper Output Neutralization for Logs"
},
"discovery_date": "2019-09-20T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1758953"
}
],
"notes": [
{
"category": "description",
"text": "OpenShift Container Platform 4 does not sanitize secret data written to static pod logs when the log level in a given operator is set to Debug or higher. A low privileged user could read pod logs to discover secret material if the log level has already been modified in an operator by a privileged user.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "library-go: Secret data written to static pod logs when operator set at Debug level or higher",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOSE-4.1:openshift4/ose-cluster-kube-apiserver-operator@sha256:2fa02370090f077f1fb8dd759ff38bd3dea6d819c537528743f450752c0cf505_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-14854"
},
{
"category": "external",
"summary": "RHBZ#1758953",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1758953"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-14854",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-14854"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-14854",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14854"
}
],
"release_date": "2019-10-07T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-12-04T13:54:39+00:00",
"details": "For OpenShift Container Platform 4.1 see the following documentation, which will be updated shortly for release 4.1.26, for important instructions on\nhow to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.1/release_notes/ocp-4-1-release-notes.html\n\nDetails on how to access this content are available at https://docs.openshift.com/container-platform/4.1/updating/updating-cluster-cli.html.",
"product_ids": [
"7Server-RH7-RHOSE-4.1:openshift4/ose-cluster-kube-apiserver-operator@sha256:2fa02370090f077f1fb8dd759ff38bd3dea6d819c537528743f450752c0cf505_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:4081"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"products": [
"7Server-RH7-RHOSE-4.1:openshift4/ose-cluster-kube-apiserver-operator@sha256:2fa02370090f077f1fb8dd759ff38bd3dea6d819c537528743f450752c0cf505_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "library-go: Secret data written to static pod logs when operator set at Debug level or higher"
}
]
}
RHSA-2019:4081
Vulnerability from csaf_redhat
Published
2019-12-04 13:54
Modified
2024-11-22 14:13
Summary
Red Hat Security Advisory: OpenShift Container Platform 4.1 ose-cluster-kube-apiserver-operator-container security update
Notes
Topic
An update for ose-cluster-kube-apiserver-operator-container is now available for Red Hat OpenShift Container Platform 4.1.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.
Security Fix(es):
* library-go: Secret data written to static pod logs when operator set at Debug level or higher (CVE-2019-14854)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for ose-cluster-kube-apiserver-operator-container is now available for Red Hat OpenShift Container Platform 4.1.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat OpenShift Container Platform is Red Hat\u0027s cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.\n\nSecurity Fix(es):\n\n* library-go: Secret data written to static pod logs when operator set at Debug level or higher (CVE-2019-14854)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2019:4081",
"url": "https://access.redhat.com/errata/RHSA-2019:4081"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "1758953",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1758953"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2019/rhsa-2019_4081.json"
}
],
"title": "Red Hat Security Advisory: OpenShift Container Platform 4.1 ose-cluster-kube-apiserver-operator-container security update",
"tracking": {
"current_release_date": "2024-11-22T14:13:42+00:00",
"generator": {
"date": "2024-11-22T14:13:42+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2019:4081",
"initial_release_date": "2019-12-04T13:54:39+00:00",
"revision_history": [
{
"date": "2019-12-04T13:54:39+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2019-12-04T13:54:39+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-22T14:13:42+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenShift Container Platform 4.1",
"product": {
"name": "Red Hat OpenShift Container Platform 4.1",
"product_id": "7Server-RH7-RHOSE-4.1",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift:4.1::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenShift Enterprise"
},
{
"branches": [
{
"category": "product_version",
"name": "openshift4/ose-cluster-kube-apiserver-operator@sha256:2fa02370090f077f1fb8dd759ff38bd3dea6d819c537528743f450752c0cf505_amd64",
"product": {
"name": "openshift4/ose-cluster-kube-apiserver-operator@sha256:2fa02370090f077f1fb8dd759ff38bd3dea6d819c537528743f450752c0cf505_amd64",
"product_id": "openshift4/ose-cluster-kube-apiserver-operator@sha256:2fa02370090f077f1fb8dd759ff38bd3dea6d819c537528743f450752c0cf505_amd64",
"product_identification_helper": {
"purl": "pkg:oci/ose-cluster-kube-apiserver-operator@sha256:2fa02370090f077f1fb8dd759ff38bd3dea6d819c537528743f450752c0cf505?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-cluster-kube-apiserver-operator\u0026tag=v4.1.26-201911260202"
}
}
}
],
"category": "architecture",
"name": "amd64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift4/ose-cluster-kube-apiserver-operator@sha256:2fa02370090f077f1fb8dd759ff38bd3dea6d819c537528743f450752c0cf505_amd64 as a component of Red Hat OpenShift Container Platform 4.1",
"product_id": "7Server-RH7-RHOSE-4.1:openshift4/ose-cluster-kube-apiserver-operator@sha256:2fa02370090f077f1fb8dd759ff38bd3dea6d819c537528743f450752c0cf505_amd64"
},
"product_reference": "openshift4/ose-cluster-kube-apiserver-operator@sha256:2fa02370090f077f1fb8dd759ff38bd3dea6d819c537528743f450752c0cf505_amd64",
"relates_to_product_reference": "7Server-RH7-RHOSE-4.1"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2019-14854",
"cwe": {
"id": "CWE-117",
"name": "Improper Output Neutralization for Logs"
},
"discovery_date": "2019-09-20T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1758953"
}
],
"notes": [
{
"category": "description",
"text": "OpenShift Container Platform 4 does not sanitize secret data written to static pod logs when the log level in a given operator is set to Debug or higher. A low privileged user could read pod logs to discover secret material if the log level has already been modified in an operator by a privileged user.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "library-go: Secret data written to static pod logs when operator set at Debug level or higher",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOSE-4.1:openshift4/ose-cluster-kube-apiserver-operator@sha256:2fa02370090f077f1fb8dd759ff38bd3dea6d819c537528743f450752c0cf505_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-14854"
},
{
"category": "external",
"summary": "RHBZ#1758953",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1758953"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-14854",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-14854"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-14854",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14854"
}
],
"release_date": "2019-10-07T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-12-04T13:54:39+00:00",
"details": "For OpenShift Container Platform 4.1 see the following documentation, which will be updated shortly for release 4.1.26, for important instructions on\nhow to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.1/release_notes/ocp-4-1-release-notes.html\n\nDetails on how to access this content are available at https://docs.openshift.com/container-platform/4.1/updating/updating-cluster-cli.html.",
"product_ids": [
"7Server-RH7-RHOSE-4.1:openshift4/ose-cluster-kube-apiserver-operator@sha256:2fa02370090f077f1fb8dd759ff38bd3dea6d819c537528743f450752c0cf505_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:4081"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"products": [
"7Server-RH7-RHOSE-4.1:openshift4/ose-cluster-kube-apiserver-operator@sha256:2fa02370090f077f1fb8dd759ff38bd3dea6d819c537528743f450752c0cf505_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "library-go: Secret data written to static pod logs when operator set at Debug level or higher"
}
]
}
RHSA-2019:4075
Vulnerability from csaf_redhat
Published
2019-12-03 21:10
Modified
2024-11-22 14:13
Summary
Red Hat Security Advisory: OpenShift Container Platform 4.2 library-go security update
Notes
Topic
An update for ose-cluster-kube-apiserver-operator-container and ose-cluster-kube-scheduler-operator-container is now available for Red Hat OpenShift Container Platform 4.2.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private
cloud deployments.
This advisory contains the ose-cluster-kube-apiserver-operator-container and ose-cluster-kube-scheduler-operator-container images for Red Hat OpenShift Container Platform 4.2.9. These images have been rebuilt with an updated version of openshift/library-go to address the below security issue.
Security Fix(es):
* OpenShift Container Platform 4 did not sanitize secret data written to static Pod logs when an Operator's log level was set to Debug or higher. A low privileged user could read Pod logs to discover secret material if the log level had already been modified in an Operator by a privileged user. (CVE-2019-14854)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for ose-cluster-kube-apiserver-operator-container and ose-cluster-kube-scheduler-operator-container is now available for Red Hat OpenShift Container Platform 4.2.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat OpenShift Container Platform is Red Hat\u0027s cloud computing Kubernetes application platform solution designed for on-premise or private\ncloud deployments.\n\nThis advisory contains the ose-cluster-kube-apiserver-operator-container and ose-cluster-kube-scheduler-operator-container images for Red Hat OpenShift Container Platform 4.2.9. These images have been rebuilt with an updated version of openshift/library-go to address the below security issue.\n\nSecurity Fix(es):\n\n* OpenShift Container Platform 4 did not sanitize secret data written to static Pod logs when an Operator\u0027s log level was set to Debug or higher. A low privileged user could read Pod logs to discover secret material if the log level had already been modified in an Operator by a privileged user. (CVE-2019-14854)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2019:4075",
"url": "https://access.redhat.com/errata/RHSA-2019:4075"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "1758953",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1758953"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2019/rhsa-2019_4075.json"
}
],
"title": "Red Hat Security Advisory: OpenShift Container Platform 4.2 library-go security update",
"tracking": {
"current_release_date": "2024-11-22T14:13:37+00:00",
"generator": {
"date": "2024-11-22T14:13:37+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2019:4075",
"initial_release_date": "2019-12-03T21:10:58+00:00",
"revision_history": [
{
"date": "2019-12-03T21:10:58+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2019-12-03T21:10:58+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-22T14:13:37+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenShift Container Platform 4.2",
"product": {
"name": "Red Hat OpenShift Container Platform 4.2",
"product_id": "7Server-RH7-RHOSE-4.2",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift:4.2::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenShift Enterprise"
},
{
"branches": [
{
"category": "product_version",
"name": "openshift4/ose-cluster-kube-apiserver-operator@sha256:85998589eaac7c525b66ad16eac4bd4fafc35a6b358bf966cd65c0ea6b94ad49_amd64",
"product": {
"name": "openshift4/ose-cluster-kube-apiserver-operator@sha256:85998589eaac7c525b66ad16eac4bd4fafc35a6b358bf966cd65c0ea6b94ad49_amd64",
"product_id": "openshift4/ose-cluster-kube-apiserver-operator@sha256:85998589eaac7c525b66ad16eac4bd4fafc35a6b358bf966cd65c0ea6b94ad49_amd64",
"product_identification_helper": {
"purl": "pkg:oci/ose-cluster-kube-apiserver-operator@sha256:85998589eaac7c525b66ad16eac4bd4fafc35a6b358bf966cd65c0ea6b94ad49?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-cluster-kube-apiserver-operator\u0026tag=v4.2.9-201911261133"
}
}
},
{
"category": "product_version",
"name": "openshift4/ose-cluster-kube-scheduler-operator@sha256:8120e6a8338da40660e8bd2918bc5544a411dece47d7080e2b7aee67b58387f7_amd64",
"product": {
"name": "openshift4/ose-cluster-kube-scheduler-operator@sha256:8120e6a8338da40660e8bd2918bc5544a411dece47d7080e2b7aee67b58387f7_amd64",
"product_id": "openshift4/ose-cluster-kube-scheduler-operator@sha256:8120e6a8338da40660e8bd2918bc5544a411dece47d7080e2b7aee67b58387f7_amd64",
"product_identification_helper": {
"purl": "pkg:oci/ose-cluster-kube-scheduler-operator@sha256:8120e6a8338da40660e8bd2918bc5544a411dece47d7080e2b7aee67b58387f7?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-cluster-kube-scheduler-operator\u0026tag=v4.2.9-201911261133"
}
}
}
],
"category": "architecture",
"name": "amd64"
},
{
"branches": [
{
"category": "product_version",
"name": "openshift4/ose-cluster-kube-apiserver-operator@sha256:5e3d9da1d5ae42a255d9ee3802b7788b8f644d31335a719da03c72fca664848a_s390x",
"product": {
"name": "openshift4/ose-cluster-kube-apiserver-operator@sha256:5e3d9da1d5ae42a255d9ee3802b7788b8f644d31335a719da03c72fca664848a_s390x",
"product_id": "openshift4/ose-cluster-kube-apiserver-operator@sha256:5e3d9da1d5ae42a255d9ee3802b7788b8f644d31335a719da03c72fca664848a_s390x",
"product_identification_helper": {
"purl": "pkg:oci/ose-cluster-kube-apiserver-operator@sha256:5e3d9da1d5ae42a255d9ee3802b7788b8f644d31335a719da03c72fca664848a?arch=s390x\u0026repository_url=registry.redhat.io/openshift4/ose-cluster-kube-apiserver-operator\u0026tag=v4.2.9-201911261133"
}
}
},
{
"category": "product_version",
"name": "openshift4/ose-cluster-kube-scheduler-operator@sha256:af7bde30c76c1f63f70e501370a07bfbb7ba0886d250dc721fcdb2956c7211d3_s390x",
"product": {
"name": "openshift4/ose-cluster-kube-scheduler-operator@sha256:af7bde30c76c1f63f70e501370a07bfbb7ba0886d250dc721fcdb2956c7211d3_s390x",
"product_id": "openshift4/ose-cluster-kube-scheduler-operator@sha256:af7bde30c76c1f63f70e501370a07bfbb7ba0886d250dc721fcdb2956c7211d3_s390x",
"product_identification_helper": {
"purl": "pkg:oci/ose-cluster-kube-scheduler-operator@sha256:af7bde30c76c1f63f70e501370a07bfbb7ba0886d250dc721fcdb2956c7211d3?arch=s390x\u0026repository_url=registry.redhat.io/openshift4/ose-cluster-kube-scheduler-operator\u0026tag=v4.2.9-201911261133"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift4/ose-cluster-kube-apiserver-operator@sha256:5e3d9da1d5ae42a255d9ee3802b7788b8f644d31335a719da03c72fca664848a_s390x as a component of Red Hat OpenShift Container Platform 4.2",
"product_id": "7Server-RH7-RHOSE-4.2:openshift4/ose-cluster-kube-apiserver-operator@sha256:5e3d9da1d5ae42a255d9ee3802b7788b8f644d31335a719da03c72fca664848a_s390x"
},
"product_reference": "openshift4/ose-cluster-kube-apiserver-operator@sha256:5e3d9da1d5ae42a255d9ee3802b7788b8f644d31335a719da03c72fca664848a_s390x",
"relates_to_product_reference": "7Server-RH7-RHOSE-4.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift4/ose-cluster-kube-apiserver-operator@sha256:85998589eaac7c525b66ad16eac4bd4fafc35a6b358bf966cd65c0ea6b94ad49_amd64 as a component of Red Hat OpenShift Container Platform 4.2",
"product_id": "7Server-RH7-RHOSE-4.2:openshift4/ose-cluster-kube-apiserver-operator@sha256:85998589eaac7c525b66ad16eac4bd4fafc35a6b358bf966cd65c0ea6b94ad49_amd64"
},
"product_reference": "openshift4/ose-cluster-kube-apiserver-operator@sha256:85998589eaac7c525b66ad16eac4bd4fafc35a6b358bf966cd65c0ea6b94ad49_amd64",
"relates_to_product_reference": "7Server-RH7-RHOSE-4.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift4/ose-cluster-kube-scheduler-operator@sha256:8120e6a8338da40660e8bd2918bc5544a411dece47d7080e2b7aee67b58387f7_amd64 as a component of Red Hat OpenShift Container Platform 4.2",
"product_id": "7Server-RH7-RHOSE-4.2:openshift4/ose-cluster-kube-scheduler-operator@sha256:8120e6a8338da40660e8bd2918bc5544a411dece47d7080e2b7aee67b58387f7_amd64"
},
"product_reference": "openshift4/ose-cluster-kube-scheduler-operator@sha256:8120e6a8338da40660e8bd2918bc5544a411dece47d7080e2b7aee67b58387f7_amd64",
"relates_to_product_reference": "7Server-RH7-RHOSE-4.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift4/ose-cluster-kube-scheduler-operator@sha256:af7bde30c76c1f63f70e501370a07bfbb7ba0886d250dc721fcdb2956c7211d3_s390x as a component of Red Hat OpenShift Container Platform 4.2",
"product_id": "7Server-RH7-RHOSE-4.2:openshift4/ose-cluster-kube-scheduler-operator@sha256:af7bde30c76c1f63f70e501370a07bfbb7ba0886d250dc721fcdb2956c7211d3_s390x"
},
"product_reference": "openshift4/ose-cluster-kube-scheduler-operator@sha256:af7bde30c76c1f63f70e501370a07bfbb7ba0886d250dc721fcdb2956c7211d3_s390x",
"relates_to_product_reference": "7Server-RH7-RHOSE-4.2"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2019-14854",
"cwe": {
"id": "CWE-117",
"name": "Improper Output Neutralization for Logs"
},
"discovery_date": "2019-09-20T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1758953"
}
],
"notes": [
{
"category": "description",
"text": "OpenShift Container Platform 4 does not sanitize secret data written to static pod logs when the log level in a given operator is set to Debug or higher. A low privileged user could read pod logs to discover secret material if the log level has already been modified in an operator by a privileged user.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "library-go: Secret data written to static pod logs when operator set at Debug level or higher",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOSE-4.2:openshift4/ose-cluster-kube-apiserver-operator@sha256:5e3d9da1d5ae42a255d9ee3802b7788b8f644d31335a719da03c72fca664848a_s390x",
"7Server-RH7-RHOSE-4.2:openshift4/ose-cluster-kube-apiserver-operator@sha256:85998589eaac7c525b66ad16eac4bd4fafc35a6b358bf966cd65c0ea6b94ad49_amd64",
"7Server-RH7-RHOSE-4.2:openshift4/ose-cluster-kube-scheduler-operator@sha256:8120e6a8338da40660e8bd2918bc5544a411dece47d7080e2b7aee67b58387f7_amd64",
"7Server-RH7-RHOSE-4.2:openshift4/ose-cluster-kube-scheduler-operator@sha256:af7bde30c76c1f63f70e501370a07bfbb7ba0886d250dc721fcdb2956c7211d3_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-14854"
},
{
"category": "external",
"summary": "RHBZ#1758953",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1758953"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-14854",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-14854"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-14854",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14854"
}
],
"release_date": "2019-10-07T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-12-03T21:10:58+00:00",
"details": "For OpenShift Container Platform 4.2 see the following documentation, which will be updated shortly for release 4.2.9, for important instructions on\nhow to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.2/release_notes/ocp-4-2-release-notes.html\n\nDetails on how to access this content are available at https://docs.openshift.com/container-platform/4.2/updating/updating-cluster-cli.html.",
"product_ids": [
"7Server-RH7-RHOSE-4.2:openshift4/ose-cluster-kube-apiserver-operator@sha256:5e3d9da1d5ae42a255d9ee3802b7788b8f644d31335a719da03c72fca664848a_s390x",
"7Server-RH7-RHOSE-4.2:openshift4/ose-cluster-kube-apiserver-operator@sha256:85998589eaac7c525b66ad16eac4bd4fafc35a6b358bf966cd65c0ea6b94ad49_amd64",
"7Server-RH7-RHOSE-4.2:openshift4/ose-cluster-kube-scheduler-operator@sha256:8120e6a8338da40660e8bd2918bc5544a411dece47d7080e2b7aee67b58387f7_amd64",
"7Server-RH7-RHOSE-4.2:openshift4/ose-cluster-kube-scheduler-operator@sha256:af7bde30c76c1f63f70e501370a07bfbb7ba0886d250dc721fcdb2956c7211d3_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:4075"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"products": [
"7Server-RH7-RHOSE-4.2:openshift4/ose-cluster-kube-apiserver-operator@sha256:5e3d9da1d5ae42a255d9ee3802b7788b8f644d31335a719da03c72fca664848a_s390x",
"7Server-RH7-RHOSE-4.2:openshift4/ose-cluster-kube-apiserver-operator@sha256:85998589eaac7c525b66ad16eac4bd4fafc35a6b358bf966cd65c0ea6b94ad49_amd64",
"7Server-RH7-RHOSE-4.2:openshift4/ose-cluster-kube-scheduler-operator@sha256:8120e6a8338da40660e8bd2918bc5544a411dece47d7080e2b7aee67b58387f7_amd64",
"7Server-RH7-RHOSE-4.2:openshift4/ose-cluster-kube-scheduler-operator@sha256:af7bde30c76c1f63f70e501370a07bfbb7ba0886d250dc721fcdb2956c7211d3_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "library-go: Secret data written to static pod logs when operator set at Debug level or higher"
}
]
}
rhsa-2019_4091
Vulnerability from csaf_redhat
Published
2019-12-17 07:38
Modified
2024-11-22 14:13
Summary
Red Hat Security Advisory: OpenShift Container Platform 4.1 library-go security update
Notes
Topic
An update for ose-cluster-kube-controller-manager-operator-container and ose-cluster-kube-scheduler-operator-container is now available for Red Hat OpenShift Container Platform 4.1.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.
Security Fix(es):
* library-go: Secret data written to static pod logs when operator set at Debug level or higher (CVE-2019-14854)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for ose-cluster-kube-controller-manager-operator-container and ose-cluster-kube-scheduler-operator-container is now available for Red Hat OpenShift Container Platform 4.1.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat OpenShift Container Platform is Red Hat\u0027s cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.\n\nSecurity Fix(es):\n\n* library-go: Secret data written to static pod logs when operator set at Debug level or higher (CVE-2019-14854)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2019:4091",
"url": "https://access.redhat.com/errata/RHSA-2019:4091"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "1758953",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1758953"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2019/rhsa-2019_4091.json"
}
],
"title": "Red Hat Security Advisory: OpenShift Container Platform 4.1 library-go security update",
"tracking": {
"current_release_date": "2024-11-22T14:13:53+00:00",
"generator": {
"date": "2024-11-22T14:13:53+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2019:4091",
"initial_release_date": "2019-12-17T07:38:40+00:00",
"revision_history": [
{
"date": "2019-12-17T07:38:40+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2019-12-17T07:38:40+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-22T14:13:53+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenShift Container Platform 4.1",
"product": {
"name": "Red Hat OpenShift Container Platform 4.1",
"product_id": "7Server-RH7-RHOSE-4.1",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift:4.1::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenShift Enterprise"
},
{
"branches": [
{
"category": "product_version",
"name": "openshift4/ose-cluster-kube-controller-manager-operator@sha256:ecea024bd816fef064d79d1f88a0f921a9d8bccd1595f4dfe1251b3c867ff1c8_amd64",
"product": {
"name": "openshift4/ose-cluster-kube-controller-manager-operator@sha256:ecea024bd816fef064d79d1f88a0f921a9d8bccd1595f4dfe1251b3c867ff1c8_amd64",
"product_id": "openshift4/ose-cluster-kube-controller-manager-operator@sha256:ecea024bd816fef064d79d1f88a0f921a9d8bccd1595f4dfe1251b3c867ff1c8_amd64",
"product_identification_helper": {
"purl": "pkg:oci/ose-cluster-kube-controller-manager-operator@sha256:ecea024bd816fef064d79d1f88a0f921a9d8bccd1595f4dfe1251b3c867ff1c8?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-cluster-kube-controller-manager-operator\u0026tag=v4.1.27-201912030019"
}
}
},
{
"category": "product_version",
"name": "openshift4/ose-cluster-kube-scheduler-operator@sha256:cc4f57f436724b1d52988bd6ca168aedc0119e1df9af82714572189524536561_amd64",
"product": {
"name": "openshift4/ose-cluster-kube-scheduler-operator@sha256:cc4f57f436724b1d52988bd6ca168aedc0119e1df9af82714572189524536561_amd64",
"product_id": "openshift4/ose-cluster-kube-scheduler-operator@sha256:cc4f57f436724b1d52988bd6ca168aedc0119e1df9af82714572189524536561_amd64",
"product_identification_helper": {
"purl": "pkg:oci/ose-cluster-kube-scheduler-operator@sha256:cc4f57f436724b1d52988bd6ca168aedc0119e1df9af82714572189524536561?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-cluster-kube-scheduler-operator\u0026tag=v4.1.27-201912030019"
}
}
}
],
"category": "architecture",
"name": "amd64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift4/ose-cluster-kube-controller-manager-operator@sha256:ecea024bd816fef064d79d1f88a0f921a9d8bccd1595f4dfe1251b3c867ff1c8_amd64 as a component of Red Hat OpenShift Container Platform 4.1",
"product_id": "7Server-RH7-RHOSE-4.1:openshift4/ose-cluster-kube-controller-manager-operator@sha256:ecea024bd816fef064d79d1f88a0f921a9d8bccd1595f4dfe1251b3c867ff1c8_amd64"
},
"product_reference": "openshift4/ose-cluster-kube-controller-manager-operator@sha256:ecea024bd816fef064d79d1f88a0f921a9d8bccd1595f4dfe1251b3c867ff1c8_amd64",
"relates_to_product_reference": "7Server-RH7-RHOSE-4.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift4/ose-cluster-kube-scheduler-operator@sha256:cc4f57f436724b1d52988bd6ca168aedc0119e1df9af82714572189524536561_amd64 as a component of Red Hat OpenShift Container Platform 4.1",
"product_id": "7Server-RH7-RHOSE-4.1:openshift4/ose-cluster-kube-scheduler-operator@sha256:cc4f57f436724b1d52988bd6ca168aedc0119e1df9af82714572189524536561_amd64"
},
"product_reference": "openshift4/ose-cluster-kube-scheduler-operator@sha256:cc4f57f436724b1d52988bd6ca168aedc0119e1df9af82714572189524536561_amd64",
"relates_to_product_reference": "7Server-RH7-RHOSE-4.1"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2019-14854",
"cwe": {
"id": "CWE-117",
"name": "Improper Output Neutralization for Logs"
},
"discovery_date": "2019-09-20T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1758953"
}
],
"notes": [
{
"category": "description",
"text": "OpenShift Container Platform 4 does not sanitize secret data written to static pod logs when the log level in a given operator is set to Debug or higher. A low privileged user could read pod logs to discover secret material if the log level has already been modified in an operator by a privileged user.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "library-go: Secret data written to static pod logs when operator set at Debug level or higher",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOSE-4.1:openshift4/ose-cluster-kube-controller-manager-operator@sha256:ecea024bd816fef064d79d1f88a0f921a9d8bccd1595f4dfe1251b3c867ff1c8_amd64",
"7Server-RH7-RHOSE-4.1:openshift4/ose-cluster-kube-scheduler-operator@sha256:cc4f57f436724b1d52988bd6ca168aedc0119e1df9af82714572189524536561_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-14854"
},
{
"category": "external",
"summary": "RHBZ#1758953",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1758953"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-14854",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-14854"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-14854",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14854"
}
],
"release_date": "2019-10-07T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-12-17T07:38:40+00:00",
"details": "For OpenShift Container Platform 4.1 see the following documentation, which will be updated shortly for release 4.1.27, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.1/release_notes/ocp-4-1-release-notes.html\n\nDetails on how to access this content are available at https://docs.openshift.com/container-platform/4.1/updating/updating-cluster-cli.html.",
"product_ids": [
"7Server-RH7-RHOSE-4.1:openshift4/ose-cluster-kube-controller-manager-operator@sha256:ecea024bd816fef064d79d1f88a0f921a9d8bccd1595f4dfe1251b3c867ff1c8_amd64",
"7Server-RH7-RHOSE-4.1:openshift4/ose-cluster-kube-scheduler-operator@sha256:cc4f57f436724b1d52988bd6ca168aedc0119e1df9af82714572189524536561_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:4091"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"products": [
"7Server-RH7-RHOSE-4.1:openshift4/ose-cluster-kube-controller-manager-operator@sha256:ecea024bd816fef064d79d1f88a0f921a9d8bccd1595f4dfe1251b3c867ff1c8_amd64",
"7Server-RH7-RHOSE-4.1:openshift4/ose-cluster-kube-scheduler-operator@sha256:cc4f57f436724b1d52988bd6ca168aedc0119e1df9af82714572189524536561_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "library-go: Secret data written to static pod logs when operator set at Debug level or higher"
}
]
}
RHSA-2019:4098
Vulnerability from csaf_redhat
Published
2019-12-11 08:23
Modified
2024-11-22 14:13
Summary
Red Hat Security Advisory: OpenShift Container Platform 4.2 ose-cluster-kube-controller-manager-operator-container security update
Notes
Topic
An update for ose-cluster-kube-controller-manager-operator-container is now available for Red Hat OpenShift Container Platform 4.2.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.
Security Fix(es):
* library-go: Secret data written to static pod logs when operator set at Debug level or higher (CVE-2019-14854)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for ose-cluster-kube-controller-manager-operator-container is now available for Red Hat OpenShift Container Platform 4.2.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat OpenShift Container Platform is Red Hat\u0027s cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.\n\nSecurity Fix(es):\n\n* library-go: Secret data written to static pod logs when operator set at Debug level or higher (CVE-2019-14854)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2019:4098",
"url": "https://access.redhat.com/errata/RHSA-2019:4098"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "1758953",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1758953"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2019/rhsa-2019_4098.json"
}
],
"title": "Red Hat Security Advisory: OpenShift Container Platform 4.2 ose-cluster-kube-controller-manager-operator-container security update",
"tracking": {
"current_release_date": "2024-11-22T14:13:48+00:00",
"generator": {
"date": "2024-11-22T14:13:48+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2019:4098",
"initial_release_date": "2019-12-11T08:23:25+00:00",
"revision_history": [
{
"date": "2019-12-11T08:23:25+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2019-12-11T08:23:25+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-22T14:13:48+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenShift Container Platform 4.2",
"product": {
"name": "Red Hat OpenShift Container Platform 4.2",
"product_id": "7Server-RH7-RHOSE-4.2",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift:4.2::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenShift Enterprise"
},
{
"branches": [
{
"category": "product_version",
"name": "openshift4/ose-cluster-kube-controller-manager-operator@sha256:eac23979d42d27a83434f162c0059d4ac8bc50d3b751c9c439bf03eea70b9507_amd64",
"product": {
"name": "openshift4/ose-cluster-kube-controller-manager-operator@sha256:eac23979d42d27a83434f162c0059d4ac8bc50d3b751c9c439bf03eea70b9507_amd64",
"product_id": "openshift4/ose-cluster-kube-controller-manager-operator@sha256:eac23979d42d27a83434f162c0059d4ac8bc50d3b751c9c439bf03eea70b9507_amd64",
"product_identification_helper": {
"purl": "pkg:oci/ose-cluster-kube-controller-manager-operator@sha256:eac23979d42d27a83434f162c0059d4ac8bc50d3b751c9c439bf03eea70b9507?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-cluster-kube-controller-manager-operator\u0026tag=v4.2.10-201912022352"
}
}
}
],
"category": "architecture",
"name": "amd64"
},
{
"branches": [
{
"category": "product_version",
"name": "openshift4/ose-cluster-kube-controller-manager-operator@sha256:758c2dc76493095b50945a836f29a6093d3b8341e8327ede098beb4bdde0956d_s390x",
"product": {
"name": "openshift4/ose-cluster-kube-controller-manager-operator@sha256:758c2dc76493095b50945a836f29a6093d3b8341e8327ede098beb4bdde0956d_s390x",
"product_id": "openshift4/ose-cluster-kube-controller-manager-operator@sha256:758c2dc76493095b50945a836f29a6093d3b8341e8327ede098beb4bdde0956d_s390x",
"product_identification_helper": {
"purl": "pkg:oci/ose-cluster-kube-controller-manager-operator@sha256:758c2dc76493095b50945a836f29a6093d3b8341e8327ede098beb4bdde0956d?arch=s390x\u0026repository_url=registry.redhat.io/openshift4/ose-cluster-kube-controller-manager-operator\u0026tag=v4.2.10-201912022352"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift4/ose-cluster-kube-controller-manager-operator@sha256:758c2dc76493095b50945a836f29a6093d3b8341e8327ede098beb4bdde0956d_s390x as a component of Red Hat OpenShift Container Platform 4.2",
"product_id": "7Server-RH7-RHOSE-4.2:openshift4/ose-cluster-kube-controller-manager-operator@sha256:758c2dc76493095b50945a836f29a6093d3b8341e8327ede098beb4bdde0956d_s390x"
},
"product_reference": "openshift4/ose-cluster-kube-controller-manager-operator@sha256:758c2dc76493095b50945a836f29a6093d3b8341e8327ede098beb4bdde0956d_s390x",
"relates_to_product_reference": "7Server-RH7-RHOSE-4.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift4/ose-cluster-kube-controller-manager-operator@sha256:eac23979d42d27a83434f162c0059d4ac8bc50d3b751c9c439bf03eea70b9507_amd64 as a component of Red Hat OpenShift Container Platform 4.2",
"product_id": "7Server-RH7-RHOSE-4.2:openshift4/ose-cluster-kube-controller-manager-operator@sha256:eac23979d42d27a83434f162c0059d4ac8bc50d3b751c9c439bf03eea70b9507_amd64"
},
"product_reference": "openshift4/ose-cluster-kube-controller-manager-operator@sha256:eac23979d42d27a83434f162c0059d4ac8bc50d3b751c9c439bf03eea70b9507_amd64",
"relates_to_product_reference": "7Server-RH7-RHOSE-4.2"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2019-14854",
"cwe": {
"id": "CWE-117",
"name": "Improper Output Neutralization for Logs"
},
"discovery_date": "2019-09-20T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1758953"
}
],
"notes": [
{
"category": "description",
"text": "OpenShift Container Platform 4 does not sanitize secret data written to static pod logs when the log level in a given operator is set to Debug or higher. A low privileged user could read pod logs to discover secret material if the log level has already been modified in an operator by a privileged user.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "library-go: Secret data written to static pod logs when operator set at Debug level or higher",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOSE-4.2:openshift4/ose-cluster-kube-controller-manager-operator@sha256:758c2dc76493095b50945a836f29a6093d3b8341e8327ede098beb4bdde0956d_s390x",
"7Server-RH7-RHOSE-4.2:openshift4/ose-cluster-kube-controller-manager-operator@sha256:eac23979d42d27a83434f162c0059d4ac8bc50d3b751c9c439bf03eea70b9507_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-14854"
},
{
"category": "external",
"summary": "RHBZ#1758953",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1758953"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-14854",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-14854"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-14854",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14854"
}
],
"release_date": "2019-10-07T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-12-11T08:23:25+00:00",
"details": "For OpenShift Container Platform 4.2 see the following documentation, which will be updated shortly for release 4.2.10, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.2/release_notes/ocp-4-2-release-notes.html\n\nDetails on how to access this content are available at https://docs.openshift.com/container-platform/4.2/updating/updating-cluster-cli.html.",
"product_ids": [
"7Server-RH7-RHOSE-4.2:openshift4/ose-cluster-kube-controller-manager-operator@sha256:758c2dc76493095b50945a836f29a6093d3b8341e8327ede098beb4bdde0956d_s390x",
"7Server-RH7-RHOSE-4.2:openshift4/ose-cluster-kube-controller-manager-operator@sha256:eac23979d42d27a83434f162c0059d4ac8bc50d3b751c9c439bf03eea70b9507_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:4098"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"products": [
"7Server-RH7-RHOSE-4.2:openshift4/ose-cluster-kube-controller-manager-operator@sha256:758c2dc76493095b50945a836f29a6093d3b8341e8327ede098beb4bdde0956d_s390x",
"7Server-RH7-RHOSE-4.2:openshift4/ose-cluster-kube-controller-manager-operator@sha256:eac23979d42d27a83434f162c0059d4ac8bc50d3b751c9c439bf03eea70b9507_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "library-go: Secret data written to static pod logs when operator set at Debug level or higher"
}
]
}
rhsa-2019_4098
Vulnerability from csaf_redhat
Published
2019-12-11 08:23
Modified
2024-11-22 14:13
Summary
Red Hat Security Advisory: OpenShift Container Platform 4.2 ose-cluster-kube-controller-manager-operator-container security update
Notes
Topic
An update for ose-cluster-kube-controller-manager-operator-container is now available for Red Hat OpenShift Container Platform 4.2.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.
Security Fix(es):
* library-go: Secret data written to static pod logs when operator set at Debug level or higher (CVE-2019-14854)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for ose-cluster-kube-controller-manager-operator-container is now available for Red Hat OpenShift Container Platform 4.2.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat OpenShift Container Platform is Red Hat\u0027s cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.\n\nSecurity Fix(es):\n\n* library-go: Secret data written to static pod logs when operator set at Debug level or higher (CVE-2019-14854)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2019:4098",
"url": "https://access.redhat.com/errata/RHSA-2019:4098"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "1758953",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1758953"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2019/rhsa-2019_4098.json"
}
],
"title": "Red Hat Security Advisory: OpenShift Container Platform 4.2 ose-cluster-kube-controller-manager-operator-container security update",
"tracking": {
"current_release_date": "2024-11-22T14:13:48+00:00",
"generator": {
"date": "2024-11-22T14:13:48+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2019:4098",
"initial_release_date": "2019-12-11T08:23:25+00:00",
"revision_history": [
{
"date": "2019-12-11T08:23:25+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2019-12-11T08:23:25+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-22T14:13:48+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenShift Container Platform 4.2",
"product": {
"name": "Red Hat OpenShift Container Platform 4.2",
"product_id": "7Server-RH7-RHOSE-4.2",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift:4.2::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenShift Enterprise"
},
{
"branches": [
{
"category": "product_version",
"name": "openshift4/ose-cluster-kube-controller-manager-operator@sha256:eac23979d42d27a83434f162c0059d4ac8bc50d3b751c9c439bf03eea70b9507_amd64",
"product": {
"name": "openshift4/ose-cluster-kube-controller-manager-operator@sha256:eac23979d42d27a83434f162c0059d4ac8bc50d3b751c9c439bf03eea70b9507_amd64",
"product_id": "openshift4/ose-cluster-kube-controller-manager-operator@sha256:eac23979d42d27a83434f162c0059d4ac8bc50d3b751c9c439bf03eea70b9507_amd64",
"product_identification_helper": {
"purl": "pkg:oci/ose-cluster-kube-controller-manager-operator@sha256:eac23979d42d27a83434f162c0059d4ac8bc50d3b751c9c439bf03eea70b9507?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-cluster-kube-controller-manager-operator\u0026tag=v4.2.10-201912022352"
}
}
}
],
"category": "architecture",
"name": "amd64"
},
{
"branches": [
{
"category": "product_version",
"name": "openshift4/ose-cluster-kube-controller-manager-operator@sha256:758c2dc76493095b50945a836f29a6093d3b8341e8327ede098beb4bdde0956d_s390x",
"product": {
"name": "openshift4/ose-cluster-kube-controller-manager-operator@sha256:758c2dc76493095b50945a836f29a6093d3b8341e8327ede098beb4bdde0956d_s390x",
"product_id": "openshift4/ose-cluster-kube-controller-manager-operator@sha256:758c2dc76493095b50945a836f29a6093d3b8341e8327ede098beb4bdde0956d_s390x",
"product_identification_helper": {
"purl": "pkg:oci/ose-cluster-kube-controller-manager-operator@sha256:758c2dc76493095b50945a836f29a6093d3b8341e8327ede098beb4bdde0956d?arch=s390x\u0026repository_url=registry.redhat.io/openshift4/ose-cluster-kube-controller-manager-operator\u0026tag=v4.2.10-201912022352"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift4/ose-cluster-kube-controller-manager-operator@sha256:758c2dc76493095b50945a836f29a6093d3b8341e8327ede098beb4bdde0956d_s390x as a component of Red Hat OpenShift Container Platform 4.2",
"product_id": "7Server-RH7-RHOSE-4.2:openshift4/ose-cluster-kube-controller-manager-operator@sha256:758c2dc76493095b50945a836f29a6093d3b8341e8327ede098beb4bdde0956d_s390x"
},
"product_reference": "openshift4/ose-cluster-kube-controller-manager-operator@sha256:758c2dc76493095b50945a836f29a6093d3b8341e8327ede098beb4bdde0956d_s390x",
"relates_to_product_reference": "7Server-RH7-RHOSE-4.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift4/ose-cluster-kube-controller-manager-operator@sha256:eac23979d42d27a83434f162c0059d4ac8bc50d3b751c9c439bf03eea70b9507_amd64 as a component of Red Hat OpenShift Container Platform 4.2",
"product_id": "7Server-RH7-RHOSE-4.2:openshift4/ose-cluster-kube-controller-manager-operator@sha256:eac23979d42d27a83434f162c0059d4ac8bc50d3b751c9c439bf03eea70b9507_amd64"
},
"product_reference": "openshift4/ose-cluster-kube-controller-manager-operator@sha256:eac23979d42d27a83434f162c0059d4ac8bc50d3b751c9c439bf03eea70b9507_amd64",
"relates_to_product_reference": "7Server-RH7-RHOSE-4.2"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2019-14854",
"cwe": {
"id": "CWE-117",
"name": "Improper Output Neutralization for Logs"
},
"discovery_date": "2019-09-20T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1758953"
}
],
"notes": [
{
"category": "description",
"text": "OpenShift Container Platform 4 does not sanitize secret data written to static pod logs when the log level in a given operator is set to Debug or higher. A low privileged user could read pod logs to discover secret material if the log level has already been modified in an operator by a privileged user.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "library-go: Secret data written to static pod logs when operator set at Debug level or higher",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOSE-4.2:openshift4/ose-cluster-kube-controller-manager-operator@sha256:758c2dc76493095b50945a836f29a6093d3b8341e8327ede098beb4bdde0956d_s390x",
"7Server-RH7-RHOSE-4.2:openshift4/ose-cluster-kube-controller-manager-operator@sha256:eac23979d42d27a83434f162c0059d4ac8bc50d3b751c9c439bf03eea70b9507_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-14854"
},
{
"category": "external",
"summary": "RHBZ#1758953",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1758953"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-14854",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-14854"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-14854",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14854"
}
],
"release_date": "2019-10-07T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-12-11T08:23:25+00:00",
"details": "For OpenShift Container Platform 4.2 see the following documentation, which will be updated shortly for release 4.2.10, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.2/release_notes/ocp-4-2-release-notes.html\n\nDetails on how to access this content are available at https://docs.openshift.com/container-platform/4.2/updating/updating-cluster-cli.html.",
"product_ids": [
"7Server-RH7-RHOSE-4.2:openshift4/ose-cluster-kube-controller-manager-operator@sha256:758c2dc76493095b50945a836f29a6093d3b8341e8327ede098beb4bdde0956d_s390x",
"7Server-RH7-RHOSE-4.2:openshift4/ose-cluster-kube-controller-manager-operator@sha256:eac23979d42d27a83434f162c0059d4ac8bc50d3b751c9c439bf03eea70b9507_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:4098"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"products": [
"7Server-RH7-RHOSE-4.2:openshift4/ose-cluster-kube-controller-manager-operator@sha256:758c2dc76493095b50945a836f29a6093d3b8341e8327ede098beb4bdde0956d_s390x",
"7Server-RH7-RHOSE-4.2:openshift4/ose-cluster-kube-controller-manager-operator@sha256:eac23979d42d27a83434f162c0059d4ac8bc50d3b751c9c439bf03eea70b9507_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "library-go: Secret data written to static pod logs when operator set at Debug level or higher"
}
]
}
RHSA-2019:4091
Vulnerability from csaf_redhat
Published
2019-12-17 07:38
Modified
2024-11-22 14:13
Summary
Red Hat Security Advisory: OpenShift Container Platform 4.1 library-go security update
Notes
Topic
An update for ose-cluster-kube-controller-manager-operator-container and ose-cluster-kube-scheduler-operator-container is now available for Red Hat OpenShift Container Platform 4.1.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.
Security Fix(es):
* library-go: Secret data written to static pod logs when operator set at Debug level or higher (CVE-2019-14854)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for ose-cluster-kube-controller-manager-operator-container and ose-cluster-kube-scheduler-operator-container is now available for Red Hat OpenShift Container Platform 4.1.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat OpenShift Container Platform is Red Hat\u0027s cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.\n\nSecurity Fix(es):\n\n* library-go: Secret data written to static pod logs when operator set at Debug level or higher (CVE-2019-14854)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2019:4091",
"url": "https://access.redhat.com/errata/RHSA-2019:4091"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "1758953",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1758953"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2019/rhsa-2019_4091.json"
}
],
"title": "Red Hat Security Advisory: OpenShift Container Platform 4.1 library-go security update",
"tracking": {
"current_release_date": "2024-11-22T14:13:53+00:00",
"generator": {
"date": "2024-11-22T14:13:53+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2019:4091",
"initial_release_date": "2019-12-17T07:38:40+00:00",
"revision_history": [
{
"date": "2019-12-17T07:38:40+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2019-12-17T07:38:40+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-22T14:13:53+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenShift Container Platform 4.1",
"product": {
"name": "Red Hat OpenShift Container Platform 4.1",
"product_id": "7Server-RH7-RHOSE-4.1",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift:4.1::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenShift Enterprise"
},
{
"branches": [
{
"category": "product_version",
"name": "openshift4/ose-cluster-kube-controller-manager-operator@sha256:ecea024bd816fef064d79d1f88a0f921a9d8bccd1595f4dfe1251b3c867ff1c8_amd64",
"product": {
"name": "openshift4/ose-cluster-kube-controller-manager-operator@sha256:ecea024bd816fef064d79d1f88a0f921a9d8bccd1595f4dfe1251b3c867ff1c8_amd64",
"product_id": "openshift4/ose-cluster-kube-controller-manager-operator@sha256:ecea024bd816fef064d79d1f88a0f921a9d8bccd1595f4dfe1251b3c867ff1c8_amd64",
"product_identification_helper": {
"purl": "pkg:oci/ose-cluster-kube-controller-manager-operator@sha256:ecea024bd816fef064d79d1f88a0f921a9d8bccd1595f4dfe1251b3c867ff1c8?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-cluster-kube-controller-manager-operator\u0026tag=v4.1.27-201912030019"
}
}
},
{
"category": "product_version",
"name": "openshift4/ose-cluster-kube-scheduler-operator@sha256:cc4f57f436724b1d52988bd6ca168aedc0119e1df9af82714572189524536561_amd64",
"product": {
"name": "openshift4/ose-cluster-kube-scheduler-operator@sha256:cc4f57f436724b1d52988bd6ca168aedc0119e1df9af82714572189524536561_amd64",
"product_id": "openshift4/ose-cluster-kube-scheduler-operator@sha256:cc4f57f436724b1d52988bd6ca168aedc0119e1df9af82714572189524536561_amd64",
"product_identification_helper": {
"purl": "pkg:oci/ose-cluster-kube-scheduler-operator@sha256:cc4f57f436724b1d52988bd6ca168aedc0119e1df9af82714572189524536561?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-cluster-kube-scheduler-operator\u0026tag=v4.1.27-201912030019"
}
}
}
],
"category": "architecture",
"name": "amd64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift4/ose-cluster-kube-controller-manager-operator@sha256:ecea024bd816fef064d79d1f88a0f921a9d8bccd1595f4dfe1251b3c867ff1c8_amd64 as a component of Red Hat OpenShift Container Platform 4.1",
"product_id": "7Server-RH7-RHOSE-4.1:openshift4/ose-cluster-kube-controller-manager-operator@sha256:ecea024bd816fef064d79d1f88a0f921a9d8bccd1595f4dfe1251b3c867ff1c8_amd64"
},
"product_reference": "openshift4/ose-cluster-kube-controller-manager-operator@sha256:ecea024bd816fef064d79d1f88a0f921a9d8bccd1595f4dfe1251b3c867ff1c8_amd64",
"relates_to_product_reference": "7Server-RH7-RHOSE-4.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift4/ose-cluster-kube-scheduler-operator@sha256:cc4f57f436724b1d52988bd6ca168aedc0119e1df9af82714572189524536561_amd64 as a component of Red Hat OpenShift Container Platform 4.1",
"product_id": "7Server-RH7-RHOSE-4.1:openshift4/ose-cluster-kube-scheduler-operator@sha256:cc4f57f436724b1d52988bd6ca168aedc0119e1df9af82714572189524536561_amd64"
},
"product_reference": "openshift4/ose-cluster-kube-scheduler-operator@sha256:cc4f57f436724b1d52988bd6ca168aedc0119e1df9af82714572189524536561_amd64",
"relates_to_product_reference": "7Server-RH7-RHOSE-4.1"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2019-14854",
"cwe": {
"id": "CWE-117",
"name": "Improper Output Neutralization for Logs"
},
"discovery_date": "2019-09-20T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1758953"
}
],
"notes": [
{
"category": "description",
"text": "OpenShift Container Platform 4 does not sanitize secret data written to static pod logs when the log level in a given operator is set to Debug or higher. A low privileged user could read pod logs to discover secret material if the log level has already been modified in an operator by a privileged user.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "library-go: Secret data written to static pod logs when operator set at Debug level or higher",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOSE-4.1:openshift4/ose-cluster-kube-controller-manager-operator@sha256:ecea024bd816fef064d79d1f88a0f921a9d8bccd1595f4dfe1251b3c867ff1c8_amd64",
"7Server-RH7-RHOSE-4.1:openshift4/ose-cluster-kube-scheduler-operator@sha256:cc4f57f436724b1d52988bd6ca168aedc0119e1df9af82714572189524536561_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-14854"
},
{
"category": "external",
"summary": "RHBZ#1758953",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1758953"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-14854",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-14854"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-14854",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14854"
}
],
"release_date": "2019-10-07T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-12-17T07:38:40+00:00",
"details": "For OpenShift Container Platform 4.1 see the following documentation, which will be updated shortly for release 4.1.27, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.1/release_notes/ocp-4-1-release-notes.html\n\nDetails on how to access this content are available at https://docs.openshift.com/container-platform/4.1/updating/updating-cluster-cli.html.",
"product_ids": [
"7Server-RH7-RHOSE-4.1:openshift4/ose-cluster-kube-controller-manager-operator@sha256:ecea024bd816fef064d79d1f88a0f921a9d8bccd1595f4dfe1251b3c867ff1c8_amd64",
"7Server-RH7-RHOSE-4.1:openshift4/ose-cluster-kube-scheduler-operator@sha256:cc4f57f436724b1d52988bd6ca168aedc0119e1df9af82714572189524536561_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:4091"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"products": [
"7Server-RH7-RHOSE-4.1:openshift4/ose-cluster-kube-controller-manager-operator@sha256:ecea024bd816fef064d79d1f88a0f921a9d8bccd1595f4dfe1251b3c867ff1c8_amd64",
"7Server-RH7-RHOSE-4.1:openshift4/ose-cluster-kube-scheduler-operator@sha256:cc4f57f436724b1d52988bd6ca168aedc0119e1df9af82714572189524536561_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "library-go: Secret data written to static pod logs when operator set at Debug level or higher"
}
]
}
rhsa-2019_4075
Vulnerability from csaf_redhat
Published
2019-12-03 21:10
Modified
2024-11-22 14:13
Summary
Red Hat Security Advisory: OpenShift Container Platform 4.2 library-go security update
Notes
Topic
An update for ose-cluster-kube-apiserver-operator-container and ose-cluster-kube-scheduler-operator-container is now available for Red Hat OpenShift Container Platform 4.2.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private
cloud deployments.
This advisory contains the ose-cluster-kube-apiserver-operator-container and ose-cluster-kube-scheduler-operator-container images for Red Hat OpenShift Container Platform 4.2.9. These images have been rebuilt with an updated version of openshift/library-go to address the below security issue.
Security Fix(es):
* OpenShift Container Platform 4 did not sanitize secret data written to static Pod logs when an Operator's log level was set to Debug or higher. A low privileged user could read Pod logs to discover secret material if the log level had already been modified in an Operator by a privileged user. (CVE-2019-14854)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for ose-cluster-kube-apiserver-operator-container and ose-cluster-kube-scheduler-operator-container is now available for Red Hat OpenShift Container Platform 4.2.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat OpenShift Container Platform is Red Hat\u0027s cloud computing Kubernetes application platform solution designed for on-premise or private\ncloud deployments.\n\nThis advisory contains the ose-cluster-kube-apiserver-operator-container and ose-cluster-kube-scheduler-operator-container images for Red Hat OpenShift Container Platform 4.2.9. These images have been rebuilt with an updated version of openshift/library-go to address the below security issue.\n\nSecurity Fix(es):\n\n* OpenShift Container Platform 4 did not sanitize secret data written to static Pod logs when an Operator\u0027s log level was set to Debug or higher. A low privileged user could read Pod logs to discover secret material if the log level had already been modified in an Operator by a privileged user. (CVE-2019-14854)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2019:4075",
"url": "https://access.redhat.com/errata/RHSA-2019:4075"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "1758953",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1758953"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2019/rhsa-2019_4075.json"
}
],
"title": "Red Hat Security Advisory: OpenShift Container Platform 4.2 library-go security update",
"tracking": {
"current_release_date": "2024-11-22T14:13:37+00:00",
"generator": {
"date": "2024-11-22T14:13:37+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2019:4075",
"initial_release_date": "2019-12-03T21:10:58+00:00",
"revision_history": [
{
"date": "2019-12-03T21:10:58+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2019-12-03T21:10:58+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-22T14:13:37+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenShift Container Platform 4.2",
"product": {
"name": "Red Hat OpenShift Container Platform 4.2",
"product_id": "7Server-RH7-RHOSE-4.2",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift:4.2::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenShift Enterprise"
},
{
"branches": [
{
"category": "product_version",
"name": "openshift4/ose-cluster-kube-apiserver-operator@sha256:85998589eaac7c525b66ad16eac4bd4fafc35a6b358bf966cd65c0ea6b94ad49_amd64",
"product": {
"name": "openshift4/ose-cluster-kube-apiserver-operator@sha256:85998589eaac7c525b66ad16eac4bd4fafc35a6b358bf966cd65c0ea6b94ad49_amd64",
"product_id": "openshift4/ose-cluster-kube-apiserver-operator@sha256:85998589eaac7c525b66ad16eac4bd4fafc35a6b358bf966cd65c0ea6b94ad49_amd64",
"product_identification_helper": {
"purl": "pkg:oci/ose-cluster-kube-apiserver-operator@sha256:85998589eaac7c525b66ad16eac4bd4fafc35a6b358bf966cd65c0ea6b94ad49?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-cluster-kube-apiserver-operator\u0026tag=v4.2.9-201911261133"
}
}
},
{
"category": "product_version",
"name": "openshift4/ose-cluster-kube-scheduler-operator@sha256:8120e6a8338da40660e8bd2918bc5544a411dece47d7080e2b7aee67b58387f7_amd64",
"product": {
"name": "openshift4/ose-cluster-kube-scheduler-operator@sha256:8120e6a8338da40660e8bd2918bc5544a411dece47d7080e2b7aee67b58387f7_amd64",
"product_id": "openshift4/ose-cluster-kube-scheduler-operator@sha256:8120e6a8338da40660e8bd2918bc5544a411dece47d7080e2b7aee67b58387f7_amd64",
"product_identification_helper": {
"purl": "pkg:oci/ose-cluster-kube-scheduler-operator@sha256:8120e6a8338da40660e8bd2918bc5544a411dece47d7080e2b7aee67b58387f7?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-cluster-kube-scheduler-operator\u0026tag=v4.2.9-201911261133"
}
}
}
],
"category": "architecture",
"name": "amd64"
},
{
"branches": [
{
"category": "product_version",
"name": "openshift4/ose-cluster-kube-apiserver-operator@sha256:5e3d9da1d5ae42a255d9ee3802b7788b8f644d31335a719da03c72fca664848a_s390x",
"product": {
"name": "openshift4/ose-cluster-kube-apiserver-operator@sha256:5e3d9da1d5ae42a255d9ee3802b7788b8f644d31335a719da03c72fca664848a_s390x",
"product_id": "openshift4/ose-cluster-kube-apiserver-operator@sha256:5e3d9da1d5ae42a255d9ee3802b7788b8f644d31335a719da03c72fca664848a_s390x",
"product_identification_helper": {
"purl": "pkg:oci/ose-cluster-kube-apiserver-operator@sha256:5e3d9da1d5ae42a255d9ee3802b7788b8f644d31335a719da03c72fca664848a?arch=s390x\u0026repository_url=registry.redhat.io/openshift4/ose-cluster-kube-apiserver-operator\u0026tag=v4.2.9-201911261133"
}
}
},
{
"category": "product_version",
"name": "openshift4/ose-cluster-kube-scheduler-operator@sha256:af7bde30c76c1f63f70e501370a07bfbb7ba0886d250dc721fcdb2956c7211d3_s390x",
"product": {
"name": "openshift4/ose-cluster-kube-scheduler-operator@sha256:af7bde30c76c1f63f70e501370a07bfbb7ba0886d250dc721fcdb2956c7211d3_s390x",
"product_id": "openshift4/ose-cluster-kube-scheduler-operator@sha256:af7bde30c76c1f63f70e501370a07bfbb7ba0886d250dc721fcdb2956c7211d3_s390x",
"product_identification_helper": {
"purl": "pkg:oci/ose-cluster-kube-scheduler-operator@sha256:af7bde30c76c1f63f70e501370a07bfbb7ba0886d250dc721fcdb2956c7211d3?arch=s390x\u0026repository_url=registry.redhat.io/openshift4/ose-cluster-kube-scheduler-operator\u0026tag=v4.2.9-201911261133"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift4/ose-cluster-kube-apiserver-operator@sha256:5e3d9da1d5ae42a255d9ee3802b7788b8f644d31335a719da03c72fca664848a_s390x as a component of Red Hat OpenShift Container Platform 4.2",
"product_id": "7Server-RH7-RHOSE-4.2:openshift4/ose-cluster-kube-apiserver-operator@sha256:5e3d9da1d5ae42a255d9ee3802b7788b8f644d31335a719da03c72fca664848a_s390x"
},
"product_reference": "openshift4/ose-cluster-kube-apiserver-operator@sha256:5e3d9da1d5ae42a255d9ee3802b7788b8f644d31335a719da03c72fca664848a_s390x",
"relates_to_product_reference": "7Server-RH7-RHOSE-4.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift4/ose-cluster-kube-apiserver-operator@sha256:85998589eaac7c525b66ad16eac4bd4fafc35a6b358bf966cd65c0ea6b94ad49_amd64 as a component of Red Hat OpenShift Container Platform 4.2",
"product_id": "7Server-RH7-RHOSE-4.2:openshift4/ose-cluster-kube-apiserver-operator@sha256:85998589eaac7c525b66ad16eac4bd4fafc35a6b358bf966cd65c0ea6b94ad49_amd64"
},
"product_reference": "openshift4/ose-cluster-kube-apiserver-operator@sha256:85998589eaac7c525b66ad16eac4bd4fafc35a6b358bf966cd65c0ea6b94ad49_amd64",
"relates_to_product_reference": "7Server-RH7-RHOSE-4.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift4/ose-cluster-kube-scheduler-operator@sha256:8120e6a8338da40660e8bd2918bc5544a411dece47d7080e2b7aee67b58387f7_amd64 as a component of Red Hat OpenShift Container Platform 4.2",
"product_id": "7Server-RH7-RHOSE-4.2:openshift4/ose-cluster-kube-scheduler-operator@sha256:8120e6a8338da40660e8bd2918bc5544a411dece47d7080e2b7aee67b58387f7_amd64"
},
"product_reference": "openshift4/ose-cluster-kube-scheduler-operator@sha256:8120e6a8338da40660e8bd2918bc5544a411dece47d7080e2b7aee67b58387f7_amd64",
"relates_to_product_reference": "7Server-RH7-RHOSE-4.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift4/ose-cluster-kube-scheduler-operator@sha256:af7bde30c76c1f63f70e501370a07bfbb7ba0886d250dc721fcdb2956c7211d3_s390x as a component of Red Hat OpenShift Container Platform 4.2",
"product_id": "7Server-RH7-RHOSE-4.2:openshift4/ose-cluster-kube-scheduler-operator@sha256:af7bde30c76c1f63f70e501370a07bfbb7ba0886d250dc721fcdb2956c7211d3_s390x"
},
"product_reference": "openshift4/ose-cluster-kube-scheduler-operator@sha256:af7bde30c76c1f63f70e501370a07bfbb7ba0886d250dc721fcdb2956c7211d3_s390x",
"relates_to_product_reference": "7Server-RH7-RHOSE-4.2"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2019-14854",
"cwe": {
"id": "CWE-117",
"name": "Improper Output Neutralization for Logs"
},
"discovery_date": "2019-09-20T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1758953"
}
],
"notes": [
{
"category": "description",
"text": "OpenShift Container Platform 4 does not sanitize secret data written to static pod logs when the log level in a given operator is set to Debug or higher. A low privileged user could read pod logs to discover secret material if the log level has already been modified in an operator by a privileged user.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "library-go: Secret data written to static pod logs when operator set at Debug level or higher",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOSE-4.2:openshift4/ose-cluster-kube-apiserver-operator@sha256:5e3d9da1d5ae42a255d9ee3802b7788b8f644d31335a719da03c72fca664848a_s390x",
"7Server-RH7-RHOSE-4.2:openshift4/ose-cluster-kube-apiserver-operator@sha256:85998589eaac7c525b66ad16eac4bd4fafc35a6b358bf966cd65c0ea6b94ad49_amd64",
"7Server-RH7-RHOSE-4.2:openshift4/ose-cluster-kube-scheduler-operator@sha256:8120e6a8338da40660e8bd2918bc5544a411dece47d7080e2b7aee67b58387f7_amd64",
"7Server-RH7-RHOSE-4.2:openshift4/ose-cluster-kube-scheduler-operator@sha256:af7bde30c76c1f63f70e501370a07bfbb7ba0886d250dc721fcdb2956c7211d3_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-14854"
},
{
"category": "external",
"summary": "RHBZ#1758953",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1758953"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-14854",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-14854"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-14854",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14854"
}
],
"release_date": "2019-10-07T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-12-03T21:10:58+00:00",
"details": "For OpenShift Container Platform 4.2 see the following documentation, which will be updated shortly for release 4.2.9, for important instructions on\nhow to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.2/release_notes/ocp-4-2-release-notes.html\n\nDetails on how to access this content are available at https://docs.openshift.com/container-platform/4.2/updating/updating-cluster-cli.html.",
"product_ids": [
"7Server-RH7-RHOSE-4.2:openshift4/ose-cluster-kube-apiserver-operator@sha256:5e3d9da1d5ae42a255d9ee3802b7788b8f644d31335a719da03c72fca664848a_s390x",
"7Server-RH7-RHOSE-4.2:openshift4/ose-cluster-kube-apiserver-operator@sha256:85998589eaac7c525b66ad16eac4bd4fafc35a6b358bf966cd65c0ea6b94ad49_amd64",
"7Server-RH7-RHOSE-4.2:openshift4/ose-cluster-kube-scheduler-operator@sha256:8120e6a8338da40660e8bd2918bc5544a411dece47d7080e2b7aee67b58387f7_amd64",
"7Server-RH7-RHOSE-4.2:openshift4/ose-cluster-kube-scheduler-operator@sha256:af7bde30c76c1f63f70e501370a07bfbb7ba0886d250dc721fcdb2956c7211d3_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:4075"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"products": [
"7Server-RH7-RHOSE-4.2:openshift4/ose-cluster-kube-apiserver-operator@sha256:5e3d9da1d5ae42a255d9ee3802b7788b8f644d31335a719da03c72fca664848a_s390x",
"7Server-RH7-RHOSE-4.2:openshift4/ose-cluster-kube-apiserver-operator@sha256:85998589eaac7c525b66ad16eac4bd4fafc35a6b358bf966cd65c0ea6b94ad49_amd64",
"7Server-RH7-RHOSE-4.2:openshift4/ose-cluster-kube-scheduler-operator@sha256:8120e6a8338da40660e8bd2918bc5544a411dece47d7080e2b7aee67b58387f7_amd64",
"7Server-RH7-RHOSE-4.2:openshift4/ose-cluster-kube-scheduler-operator@sha256:af7bde30c76c1f63f70e501370a07bfbb7ba0886d250dc721fcdb2956c7211d3_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "library-go: Secret data written to static pod logs when operator set at Debug level or higher"
}
]
}
rhsa-2019:4075
Vulnerability from csaf_redhat
Published
2019-12-03 21:10
Modified
2024-11-22 14:13
Summary
Red Hat Security Advisory: OpenShift Container Platform 4.2 library-go security update
Notes
Topic
An update for ose-cluster-kube-apiserver-operator-container and ose-cluster-kube-scheduler-operator-container is now available for Red Hat OpenShift Container Platform 4.2.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private
cloud deployments.
This advisory contains the ose-cluster-kube-apiserver-operator-container and ose-cluster-kube-scheduler-operator-container images for Red Hat OpenShift Container Platform 4.2.9. These images have been rebuilt with an updated version of openshift/library-go to address the below security issue.
Security Fix(es):
* OpenShift Container Platform 4 did not sanitize secret data written to static Pod logs when an Operator's log level was set to Debug or higher. A low privileged user could read Pod logs to discover secret material if the log level had already been modified in an Operator by a privileged user. (CVE-2019-14854)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for ose-cluster-kube-apiserver-operator-container and ose-cluster-kube-scheduler-operator-container is now available for Red Hat OpenShift Container Platform 4.2.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat OpenShift Container Platform is Red Hat\u0027s cloud computing Kubernetes application platform solution designed for on-premise or private\ncloud deployments.\n\nThis advisory contains the ose-cluster-kube-apiserver-operator-container and ose-cluster-kube-scheduler-operator-container images for Red Hat OpenShift Container Platform 4.2.9. These images have been rebuilt with an updated version of openshift/library-go to address the below security issue.\n\nSecurity Fix(es):\n\n* OpenShift Container Platform 4 did not sanitize secret data written to static Pod logs when an Operator\u0027s log level was set to Debug or higher. A low privileged user could read Pod logs to discover secret material if the log level had already been modified in an Operator by a privileged user. (CVE-2019-14854)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2019:4075",
"url": "https://access.redhat.com/errata/RHSA-2019:4075"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "1758953",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1758953"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2019/rhsa-2019_4075.json"
}
],
"title": "Red Hat Security Advisory: OpenShift Container Platform 4.2 library-go security update",
"tracking": {
"current_release_date": "2024-11-22T14:13:37+00:00",
"generator": {
"date": "2024-11-22T14:13:37+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2019:4075",
"initial_release_date": "2019-12-03T21:10:58+00:00",
"revision_history": [
{
"date": "2019-12-03T21:10:58+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2019-12-03T21:10:58+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-22T14:13:37+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenShift Container Platform 4.2",
"product": {
"name": "Red Hat OpenShift Container Platform 4.2",
"product_id": "7Server-RH7-RHOSE-4.2",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift:4.2::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenShift Enterprise"
},
{
"branches": [
{
"category": "product_version",
"name": "openshift4/ose-cluster-kube-apiserver-operator@sha256:85998589eaac7c525b66ad16eac4bd4fafc35a6b358bf966cd65c0ea6b94ad49_amd64",
"product": {
"name": "openshift4/ose-cluster-kube-apiserver-operator@sha256:85998589eaac7c525b66ad16eac4bd4fafc35a6b358bf966cd65c0ea6b94ad49_amd64",
"product_id": "openshift4/ose-cluster-kube-apiserver-operator@sha256:85998589eaac7c525b66ad16eac4bd4fafc35a6b358bf966cd65c0ea6b94ad49_amd64",
"product_identification_helper": {
"purl": "pkg:oci/ose-cluster-kube-apiserver-operator@sha256:85998589eaac7c525b66ad16eac4bd4fafc35a6b358bf966cd65c0ea6b94ad49?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-cluster-kube-apiserver-operator\u0026tag=v4.2.9-201911261133"
}
}
},
{
"category": "product_version",
"name": "openshift4/ose-cluster-kube-scheduler-operator@sha256:8120e6a8338da40660e8bd2918bc5544a411dece47d7080e2b7aee67b58387f7_amd64",
"product": {
"name": "openshift4/ose-cluster-kube-scheduler-operator@sha256:8120e6a8338da40660e8bd2918bc5544a411dece47d7080e2b7aee67b58387f7_amd64",
"product_id": "openshift4/ose-cluster-kube-scheduler-operator@sha256:8120e6a8338da40660e8bd2918bc5544a411dece47d7080e2b7aee67b58387f7_amd64",
"product_identification_helper": {
"purl": "pkg:oci/ose-cluster-kube-scheduler-operator@sha256:8120e6a8338da40660e8bd2918bc5544a411dece47d7080e2b7aee67b58387f7?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-cluster-kube-scheduler-operator\u0026tag=v4.2.9-201911261133"
}
}
}
],
"category": "architecture",
"name": "amd64"
},
{
"branches": [
{
"category": "product_version",
"name": "openshift4/ose-cluster-kube-apiserver-operator@sha256:5e3d9da1d5ae42a255d9ee3802b7788b8f644d31335a719da03c72fca664848a_s390x",
"product": {
"name": "openshift4/ose-cluster-kube-apiserver-operator@sha256:5e3d9da1d5ae42a255d9ee3802b7788b8f644d31335a719da03c72fca664848a_s390x",
"product_id": "openshift4/ose-cluster-kube-apiserver-operator@sha256:5e3d9da1d5ae42a255d9ee3802b7788b8f644d31335a719da03c72fca664848a_s390x",
"product_identification_helper": {
"purl": "pkg:oci/ose-cluster-kube-apiserver-operator@sha256:5e3d9da1d5ae42a255d9ee3802b7788b8f644d31335a719da03c72fca664848a?arch=s390x\u0026repository_url=registry.redhat.io/openshift4/ose-cluster-kube-apiserver-operator\u0026tag=v4.2.9-201911261133"
}
}
},
{
"category": "product_version",
"name": "openshift4/ose-cluster-kube-scheduler-operator@sha256:af7bde30c76c1f63f70e501370a07bfbb7ba0886d250dc721fcdb2956c7211d3_s390x",
"product": {
"name": "openshift4/ose-cluster-kube-scheduler-operator@sha256:af7bde30c76c1f63f70e501370a07bfbb7ba0886d250dc721fcdb2956c7211d3_s390x",
"product_id": "openshift4/ose-cluster-kube-scheduler-operator@sha256:af7bde30c76c1f63f70e501370a07bfbb7ba0886d250dc721fcdb2956c7211d3_s390x",
"product_identification_helper": {
"purl": "pkg:oci/ose-cluster-kube-scheduler-operator@sha256:af7bde30c76c1f63f70e501370a07bfbb7ba0886d250dc721fcdb2956c7211d3?arch=s390x\u0026repository_url=registry.redhat.io/openshift4/ose-cluster-kube-scheduler-operator\u0026tag=v4.2.9-201911261133"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift4/ose-cluster-kube-apiserver-operator@sha256:5e3d9da1d5ae42a255d9ee3802b7788b8f644d31335a719da03c72fca664848a_s390x as a component of Red Hat OpenShift Container Platform 4.2",
"product_id": "7Server-RH7-RHOSE-4.2:openshift4/ose-cluster-kube-apiserver-operator@sha256:5e3d9da1d5ae42a255d9ee3802b7788b8f644d31335a719da03c72fca664848a_s390x"
},
"product_reference": "openshift4/ose-cluster-kube-apiserver-operator@sha256:5e3d9da1d5ae42a255d9ee3802b7788b8f644d31335a719da03c72fca664848a_s390x",
"relates_to_product_reference": "7Server-RH7-RHOSE-4.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift4/ose-cluster-kube-apiserver-operator@sha256:85998589eaac7c525b66ad16eac4bd4fafc35a6b358bf966cd65c0ea6b94ad49_amd64 as a component of Red Hat OpenShift Container Platform 4.2",
"product_id": "7Server-RH7-RHOSE-4.2:openshift4/ose-cluster-kube-apiserver-operator@sha256:85998589eaac7c525b66ad16eac4bd4fafc35a6b358bf966cd65c0ea6b94ad49_amd64"
},
"product_reference": "openshift4/ose-cluster-kube-apiserver-operator@sha256:85998589eaac7c525b66ad16eac4bd4fafc35a6b358bf966cd65c0ea6b94ad49_amd64",
"relates_to_product_reference": "7Server-RH7-RHOSE-4.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift4/ose-cluster-kube-scheduler-operator@sha256:8120e6a8338da40660e8bd2918bc5544a411dece47d7080e2b7aee67b58387f7_amd64 as a component of Red Hat OpenShift Container Platform 4.2",
"product_id": "7Server-RH7-RHOSE-4.2:openshift4/ose-cluster-kube-scheduler-operator@sha256:8120e6a8338da40660e8bd2918bc5544a411dece47d7080e2b7aee67b58387f7_amd64"
},
"product_reference": "openshift4/ose-cluster-kube-scheduler-operator@sha256:8120e6a8338da40660e8bd2918bc5544a411dece47d7080e2b7aee67b58387f7_amd64",
"relates_to_product_reference": "7Server-RH7-RHOSE-4.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift4/ose-cluster-kube-scheduler-operator@sha256:af7bde30c76c1f63f70e501370a07bfbb7ba0886d250dc721fcdb2956c7211d3_s390x as a component of Red Hat OpenShift Container Platform 4.2",
"product_id": "7Server-RH7-RHOSE-4.2:openshift4/ose-cluster-kube-scheduler-operator@sha256:af7bde30c76c1f63f70e501370a07bfbb7ba0886d250dc721fcdb2956c7211d3_s390x"
},
"product_reference": "openshift4/ose-cluster-kube-scheduler-operator@sha256:af7bde30c76c1f63f70e501370a07bfbb7ba0886d250dc721fcdb2956c7211d3_s390x",
"relates_to_product_reference": "7Server-RH7-RHOSE-4.2"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2019-14854",
"cwe": {
"id": "CWE-117",
"name": "Improper Output Neutralization for Logs"
},
"discovery_date": "2019-09-20T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1758953"
}
],
"notes": [
{
"category": "description",
"text": "OpenShift Container Platform 4 does not sanitize secret data written to static pod logs when the log level in a given operator is set to Debug or higher. A low privileged user could read pod logs to discover secret material if the log level has already been modified in an operator by a privileged user.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "library-go: Secret data written to static pod logs when operator set at Debug level or higher",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOSE-4.2:openshift4/ose-cluster-kube-apiserver-operator@sha256:5e3d9da1d5ae42a255d9ee3802b7788b8f644d31335a719da03c72fca664848a_s390x",
"7Server-RH7-RHOSE-4.2:openshift4/ose-cluster-kube-apiserver-operator@sha256:85998589eaac7c525b66ad16eac4bd4fafc35a6b358bf966cd65c0ea6b94ad49_amd64",
"7Server-RH7-RHOSE-4.2:openshift4/ose-cluster-kube-scheduler-operator@sha256:8120e6a8338da40660e8bd2918bc5544a411dece47d7080e2b7aee67b58387f7_amd64",
"7Server-RH7-RHOSE-4.2:openshift4/ose-cluster-kube-scheduler-operator@sha256:af7bde30c76c1f63f70e501370a07bfbb7ba0886d250dc721fcdb2956c7211d3_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-14854"
},
{
"category": "external",
"summary": "RHBZ#1758953",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1758953"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-14854",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-14854"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-14854",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14854"
}
],
"release_date": "2019-10-07T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-12-03T21:10:58+00:00",
"details": "For OpenShift Container Platform 4.2 see the following documentation, which will be updated shortly for release 4.2.9, for important instructions on\nhow to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.2/release_notes/ocp-4-2-release-notes.html\n\nDetails on how to access this content are available at https://docs.openshift.com/container-platform/4.2/updating/updating-cluster-cli.html.",
"product_ids": [
"7Server-RH7-RHOSE-4.2:openshift4/ose-cluster-kube-apiserver-operator@sha256:5e3d9da1d5ae42a255d9ee3802b7788b8f644d31335a719da03c72fca664848a_s390x",
"7Server-RH7-RHOSE-4.2:openshift4/ose-cluster-kube-apiserver-operator@sha256:85998589eaac7c525b66ad16eac4bd4fafc35a6b358bf966cd65c0ea6b94ad49_amd64",
"7Server-RH7-RHOSE-4.2:openshift4/ose-cluster-kube-scheduler-operator@sha256:8120e6a8338da40660e8bd2918bc5544a411dece47d7080e2b7aee67b58387f7_amd64",
"7Server-RH7-RHOSE-4.2:openshift4/ose-cluster-kube-scheduler-operator@sha256:af7bde30c76c1f63f70e501370a07bfbb7ba0886d250dc721fcdb2956c7211d3_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:4075"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"products": [
"7Server-RH7-RHOSE-4.2:openshift4/ose-cluster-kube-apiserver-operator@sha256:5e3d9da1d5ae42a255d9ee3802b7788b8f644d31335a719da03c72fca664848a_s390x",
"7Server-RH7-RHOSE-4.2:openshift4/ose-cluster-kube-apiserver-operator@sha256:85998589eaac7c525b66ad16eac4bd4fafc35a6b358bf966cd65c0ea6b94ad49_amd64",
"7Server-RH7-RHOSE-4.2:openshift4/ose-cluster-kube-scheduler-operator@sha256:8120e6a8338da40660e8bd2918bc5544a411dece47d7080e2b7aee67b58387f7_amd64",
"7Server-RH7-RHOSE-4.2:openshift4/ose-cluster-kube-scheduler-operator@sha256:af7bde30c76c1f63f70e501370a07bfbb7ba0886d250dc721fcdb2956c7211d3_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "library-go: Secret data written to static pod logs when operator set at Debug level or higher"
}
]
}
rhsa-2019:4098
Vulnerability from csaf_redhat
Published
2019-12-11 08:23
Modified
2024-11-22 14:13
Summary
Red Hat Security Advisory: OpenShift Container Platform 4.2 ose-cluster-kube-controller-manager-operator-container security update
Notes
Topic
An update for ose-cluster-kube-controller-manager-operator-container is now available for Red Hat OpenShift Container Platform 4.2.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.
Security Fix(es):
* library-go: Secret data written to static pod logs when operator set at Debug level or higher (CVE-2019-14854)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for ose-cluster-kube-controller-manager-operator-container is now available for Red Hat OpenShift Container Platform 4.2.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat OpenShift Container Platform is Red Hat\u0027s cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.\n\nSecurity Fix(es):\n\n* library-go: Secret data written to static pod logs when operator set at Debug level or higher (CVE-2019-14854)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2019:4098",
"url": "https://access.redhat.com/errata/RHSA-2019:4098"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "1758953",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1758953"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2019/rhsa-2019_4098.json"
}
],
"title": "Red Hat Security Advisory: OpenShift Container Platform 4.2 ose-cluster-kube-controller-manager-operator-container security update",
"tracking": {
"current_release_date": "2024-11-22T14:13:48+00:00",
"generator": {
"date": "2024-11-22T14:13:48+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2019:4098",
"initial_release_date": "2019-12-11T08:23:25+00:00",
"revision_history": [
{
"date": "2019-12-11T08:23:25+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2019-12-11T08:23:25+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-22T14:13:48+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenShift Container Platform 4.2",
"product": {
"name": "Red Hat OpenShift Container Platform 4.2",
"product_id": "7Server-RH7-RHOSE-4.2",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift:4.2::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenShift Enterprise"
},
{
"branches": [
{
"category": "product_version",
"name": "openshift4/ose-cluster-kube-controller-manager-operator@sha256:eac23979d42d27a83434f162c0059d4ac8bc50d3b751c9c439bf03eea70b9507_amd64",
"product": {
"name": "openshift4/ose-cluster-kube-controller-manager-operator@sha256:eac23979d42d27a83434f162c0059d4ac8bc50d3b751c9c439bf03eea70b9507_amd64",
"product_id": "openshift4/ose-cluster-kube-controller-manager-operator@sha256:eac23979d42d27a83434f162c0059d4ac8bc50d3b751c9c439bf03eea70b9507_amd64",
"product_identification_helper": {
"purl": "pkg:oci/ose-cluster-kube-controller-manager-operator@sha256:eac23979d42d27a83434f162c0059d4ac8bc50d3b751c9c439bf03eea70b9507?arch=amd64\u0026repository_url=registry.redhat.io/openshift4/ose-cluster-kube-controller-manager-operator\u0026tag=v4.2.10-201912022352"
}
}
}
],
"category": "architecture",
"name": "amd64"
},
{
"branches": [
{
"category": "product_version",
"name": "openshift4/ose-cluster-kube-controller-manager-operator@sha256:758c2dc76493095b50945a836f29a6093d3b8341e8327ede098beb4bdde0956d_s390x",
"product": {
"name": "openshift4/ose-cluster-kube-controller-manager-operator@sha256:758c2dc76493095b50945a836f29a6093d3b8341e8327ede098beb4bdde0956d_s390x",
"product_id": "openshift4/ose-cluster-kube-controller-manager-operator@sha256:758c2dc76493095b50945a836f29a6093d3b8341e8327ede098beb4bdde0956d_s390x",
"product_identification_helper": {
"purl": "pkg:oci/ose-cluster-kube-controller-manager-operator@sha256:758c2dc76493095b50945a836f29a6093d3b8341e8327ede098beb4bdde0956d?arch=s390x\u0026repository_url=registry.redhat.io/openshift4/ose-cluster-kube-controller-manager-operator\u0026tag=v4.2.10-201912022352"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift4/ose-cluster-kube-controller-manager-operator@sha256:758c2dc76493095b50945a836f29a6093d3b8341e8327ede098beb4bdde0956d_s390x as a component of Red Hat OpenShift Container Platform 4.2",
"product_id": "7Server-RH7-RHOSE-4.2:openshift4/ose-cluster-kube-controller-manager-operator@sha256:758c2dc76493095b50945a836f29a6093d3b8341e8327ede098beb4bdde0956d_s390x"
},
"product_reference": "openshift4/ose-cluster-kube-controller-manager-operator@sha256:758c2dc76493095b50945a836f29a6093d3b8341e8327ede098beb4bdde0956d_s390x",
"relates_to_product_reference": "7Server-RH7-RHOSE-4.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "openshift4/ose-cluster-kube-controller-manager-operator@sha256:eac23979d42d27a83434f162c0059d4ac8bc50d3b751c9c439bf03eea70b9507_amd64 as a component of Red Hat OpenShift Container Platform 4.2",
"product_id": "7Server-RH7-RHOSE-4.2:openshift4/ose-cluster-kube-controller-manager-operator@sha256:eac23979d42d27a83434f162c0059d4ac8bc50d3b751c9c439bf03eea70b9507_amd64"
},
"product_reference": "openshift4/ose-cluster-kube-controller-manager-operator@sha256:eac23979d42d27a83434f162c0059d4ac8bc50d3b751c9c439bf03eea70b9507_amd64",
"relates_to_product_reference": "7Server-RH7-RHOSE-4.2"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2019-14854",
"cwe": {
"id": "CWE-117",
"name": "Improper Output Neutralization for Logs"
},
"discovery_date": "2019-09-20T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1758953"
}
],
"notes": [
{
"category": "description",
"text": "OpenShift Container Platform 4 does not sanitize secret data written to static pod logs when the log level in a given operator is set to Debug or higher. A low privileged user could read pod logs to discover secret material if the log level has already been modified in an operator by a privileged user.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "library-go: Secret data written to static pod logs when operator set at Debug level or higher",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOSE-4.2:openshift4/ose-cluster-kube-controller-manager-operator@sha256:758c2dc76493095b50945a836f29a6093d3b8341e8327ede098beb4bdde0956d_s390x",
"7Server-RH7-RHOSE-4.2:openshift4/ose-cluster-kube-controller-manager-operator@sha256:eac23979d42d27a83434f162c0059d4ac8bc50d3b751c9c439bf03eea70b9507_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-14854"
},
{
"category": "external",
"summary": "RHBZ#1758953",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1758953"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-14854",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-14854"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-14854",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14854"
}
],
"release_date": "2019-10-07T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-12-11T08:23:25+00:00",
"details": "For OpenShift Container Platform 4.2 see the following documentation, which will be updated shortly for release 4.2.10, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:\n\nhttps://docs.openshift.com/container-platform/4.2/release_notes/ocp-4-2-release-notes.html\n\nDetails on how to access this content are available at https://docs.openshift.com/container-platform/4.2/updating/updating-cluster-cli.html.",
"product_ids": [
"7Server-RH7-RHOSE-4.2:openshift4/ose-cluster-kube-controller-manager-operator@sha256:758c2dc76493095b50945a836f29a6093d3b8341e8327ede098beb4bdde0956d_s390x",
"7Server-RH7-RHOSE-4.2:openshift4/ose-cluster-kube-controller-manager-operator@sha256:eac23979d42d27a83434f162c0059d4ac8bc50d3b751c9c439bf03eea70b9507_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:4098"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"products": [
"7Server-RH7-RHOSE-4.2:openshift4/ose-cluster-kube-controller-manager-operator@sha256:758c2dc76493095b50945a836f29a6093d3b8341e8327ede098beb4bdde0956d_s390x",
"7Server-RH7-RHOSE-4.2:openshift4/ose-cluster-kube-controller-manager-operator@sha256:eac23979d42d27a83434f162c0059d4ac8bc50d3b751c9c439bf03eea70b9507_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "library-go: Secret data written to static pod logs when operator set at Debug level or higher"
}
]
}
ghsa-rcxj-gjxv-rf5c
Vulnerability from github
Published
2022-05-24 17:05
Modified
2023-02-02 21:33
Severity ?
Details
OpenShift Container Platform 4 does not sanitize secret data written to static pod logs when the log level in a given operator is set to Debug or higher. A low privileged user could read pod logs to discover secret material if the log level has already been modified in an operator by a privileged user.
{
"affected": [],
"aliases": [
"CVE-2019-14854"
],
"database_specific": {
"cwe_ids": [
"CWE-117",
"CWE-532"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-01-07T17:15:00Z",
"severity": "MODERATE"
},
"details": "OpenShift Container Platform 4 does not sanitize secret data written to static pod logs when the log level in a given operator is set to Debug or higher. A low privileged user could read pod logs to discover secret material if the log level has already been modified in an operator by a privileged user.",
"id": "GHSA-rcxj-gjxv-rf5c",
"modified": "2023-02-02T21:33:45Z",
"published": "2022-05-24T17:05:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14854"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:4075"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:4081"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:4091"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:4098"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2019-14854"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1758953"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14854"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
CVE-2019-14854
Vulnerability from fkie_nvd
Published
2020-01-07 17:15
Modified
2024-11-21 04:27
Severity ?
Summary
OpenShift Container Platform 4 does not sanitize secret data written to static pod logs when the log level in a given operator is set to Debug or higher. A low privileged user could read pod logs to discover secret material if the log level has already been modified in an operator by a privileged user.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| secalert@redhat.com | https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14854 | Exploit, Issue Tracking, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14854 | Exploit, Issue Tracking, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| redhat | openshift_container_platform | 4.1 | |
| redhat | openshift_container_platform | 4.2 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:redhat:openshift_container_platform:4.1:*:*:*:*:*:*:*",
"matchCriteriaId": "064E7BDD-4EF0-4A0D-A38D-8C75BAFEDCEF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:openshift_container_platform:4.2:*:*:*:*:*:*:*",
"matchCriteriaId": "4C85A84D-A70F-4B02-9E5D-CD9660ABF048",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "OpenShift Container Platform 4 does not sanitize secret data written to static pod logs when the log level in a given operator is set to Debug or higher. A low privileged user could read pod logs to discover secret material if the log level has already been modified in an operator by a privileged user."
},
{
"lang": "es",
"value": "OpenShift Container Platform versi\u00f3n 4, no sanea los datos secretos escritos en registros pod est\u00e1ticos cuando el nivel de registro en un operador dado es establecido en Debug o superior. Un usuario poco privilegiado podr\u00eda leer registros pod para detectar material secreto si el nivel de registro ya ha sido modificado en un operador por parte de un usuario privilegiado."
}
],
"id": "CVE-2019-14854",
"lastModified": "2024-11-21T04:27:30.247",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"exploitabilityScore": 1.6,
"impactScore": 3.6,
"source": "secalert@redhat.com",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-01-07T17:15:11.267",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Exploit",
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14854"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14854"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-117"
}
],
"source": "secalert@redhat.com",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-532"
}
],
"source": "nvd@nist.gov",
"type": "Secondary"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.