rhea-2021_3139
Vulnerability from csaf_redhat
Published
2021-08-11 17:23
Modified
2024-09-16 06:24
Summary
Red Hat Enhancement Advisory: Web Terminal 1.3 release
Notes
Topic
Web Terminal 1.3 has been released.
Details
Web Terminal provides a way to access a fully in-browser terminal emulator within the OpenShift Console. Command-line tools for interacting with the OpenShift cluster are pre-installed.
The Web Terminal 1.3 release provides the following fixes and new features:
- Web Terminal now depends on the newly released DevWorkspace Operator instead of relying on the embedded DevWorkspace controller inside of the Web Terminal Operator.
- Users can now mount their home directory to persist changes to their web terminals over multiple restarts.
- The following tools have been updated:
- oc 4.7.0 -> 4.8.2
- kubectl v1.20.1 -> v0.21.0-beta.1
- odo 2.0.4 -> 2.2.3
- knative 0.19.1 -> 0.21.0
- tekton 0.15.0 -> 0.17.2
- kubectx v0.9.3 -> v0.9.4
- kubens v0.9.3 -> v0.9.4
- rhoas 0.24.1 0.25.0
- submariner N/A -> 0.9.1
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_vex",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Web Terminal 1.3 has been released.",
"title": "Topic"
},
{
"category": "general",
"text": "Web Terminal provides a way to access a fully in-browser terminal emulator within the OpenShift Console. Command-line tools for interacting with the OpenShift cluster are pre-installed.\n\nThe Web Terminal 1.3 release provides the following fixes and new features:\n\n- Web Terminal now depends on the newly released DevWorkspace Operator instead of relying on the embedded DevWorkspace controller inside of the Web Terminal Operator.\n\n- Users can now mount their home directory to persist changes to their web terminals over multiple restarts.\n\n- The following tools have been updated:\n\n - oc 4.7.0 -\u003e 4.8.2\n - kubectl v1.20.1 -\u003e v0.21.0-beta.1\n - odo 2.0.4 -\u003e 2.2.3\n - knative 0.19.1 -\u003e 0.21.0\n - tekton 0.15.0 -\u003e 0.17.2\n - kubectx v0.9.3 -\u003e v0.9.4\n - kubens v0.9.3 -\u003e v0.9.4\n - rhoas 0.24.1 0.25.0\n - submariner N/A -\u003e 0.9.1",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat offerings.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHEA-2021:3139",
"url": "https://access.redhat.com/errata/RHEA-2021:3139"
},
{
"category": "external",
"summary": "WTO-105",
"url": "https://issues.redhat.com/browse/WTO-105"
},
{
"category": "external",
"summary": "WTO-106",
"url": "https://issues.redhat.com/browse/WTO-106"
},
{
"category": "external",
"summary": "WTO-68",
"url": "https://issues.redhat.com/browse/WTO-68"
},
{
"category": "external",
"summary": "WTO-69",
"url": "https://issues.redhat.com/browse/WTO-69"
},
{
"category": "external",
"summary": "WTO-77",
"url": "https://issues.redhat.com/browse/WTO-77"
},
{
"category": "external",
"summary": "WTO-83",
"url": "https://issues.redhat.com/browse/WTO-83"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/data/csaf/v2/advisories/2021/rhea-2021_3139.json"
}
],
"title": "Red Hat Enhancement Advisory: Web Terminal 1.3 release",
"tracking": {
"current_release_date": "2024-09-16T06:24:17+00:00",
"generator": {
"date": "2024-09-16T06:24:17+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "3.33.3"
}
},
"id": "RHEA-2021:3139",
"initial_release_date": "2021-08-11T17:23:34+00:00",
"revision_history": [
{
"date": "2021-08-11T17:23:34+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2021-08-11T17:23:34+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-09-16T06:24:17+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Middleware Containers for OpenShift",
"product": {
"name": "Middleware Containers for OpenShift",
"product_id": "8Base-RHOSE-Middleware",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhosemc:1.0::el8"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenShift Enterprise"
},
{
"branches": [
{
"category": "product_version",
"name": "web-terminal-tech-preview/web-terminal-exec-rhel8@sha256:fc7b7de34b066e77a770be79990b17ec859e265226c4a8959e971b95a95f87bc_amd64",
"product": {
"name": "web-terminal-tech-preview/web-terminal-exec-rhel8@sha256:fc7b7de34b066e77a770be79990b17ec859e265226c4a8959e971b95a95f87bc_amd64",
"product_id": "web-terminal-tech-preview/web-terminal-exec-rhel8@sha256:fc7b7de34b066e77a770be79990b17ec859e265226c4a8959e971b95a95f87bc_amd64",
"product_identification_helper": {
"purl": "pkg:oci/web-terminal-exec-rhel8@sha256:fc7b7de34b066e77a770be79990b17ec859e265226c4a8959e971b95a95f87bc?arch=amd64\u0026repository_url=registry.redhat.io/web-terminal-tech-preview/web-terminal-exec-rhel8\u0026tag=1.3-9"
}
}
},
{
"category": "product_version",
"name": "web-terminal-tech-preview/web-terminal-rhel8-operator@sha256:9440cf4a2a39ee48b23bd1f727f243e515909baaf233bcbe1a87d00cc5344b33_amd64",
"product": {
"name": "web-terminal-tech-preview/web-terminal-rhel8-operator@sha256:9440cf4a2a39ee48b23bd1f727f243e515909baaf233bcbe1a87d00cc5344b33_amd64",
"product_id": "web-terminal-tech-preview/web-terminal-rhel8-operator@sha256:9440cf4a2a39ee48b23bd1f727f243e515909baaf233bcbe1a87d00cc5344b33_amd64",
"product_identification_helper": {
"purl": "pkg:oci/web-terminal-rhel8-operator@sha256:9440cf4a2a39ee48b23bd1f727f243e515909baaf233bcbe1a87d00cc5344b33?arch=amd64\u0026repository_url=registry.redhat.io/web-terminal-tech-preview/web-terminal-rhel8-operator\u0026tag=1.3-20"
}
}
},
{
"category": "product_version",
"name": "web-terminal-tech-preview/web-terminal-rhel8-operator-metadata@sha256:e437111649abfadb422b093ca0ccba873d1d13736e90f2837609c9f4adcee2d1_amd64",
"product": {
"name": "web-terminal-tech-preview/web-terminal-rhel8-operator-metadata@sha256:e437111649abfadb422b093ca0ccba873d1d13736e90f2837609c9f4adcee2d1_amd64",
"product_id": "web-terminal-tech-preview/web-terminal-rhel8-operator-metadata@sha256:e437111649abfadb422b093ca0ccba873d1d13736e90f2837609c9f4adcee2d1_amd64",
"product_identification_helper": {
"purl": "pkg:oci/web-terminal-rhel8-operator-metadata@sha256:e437111649abfadb422b093ca0ccba873d1d13736e90f2837609c9f4adcee2d1?arch=amd64\u0026repository_url=registry.redhat.io/web-terminal-tech-preview/web-terminal-rhel8-operator-metadata\u0026tag=1.3-19"
}
}
},
{
"category": "product_version",
"name": "web-terminal-tech-preview/web-terminal-tooling-rhel8@sha256:7af235e60e15603183aec7c244754edee3b87ba601d1b28e999607f372174b0c_amd64",
"product": {
"name": "web-terminal-tech-preview/web-terminal-tooling-rhel8@sha256:7af235e60e15603183aec7c244754edee3b87ba601d1b28e999607f372174b0c_amd64",
"product_id": "web-terminal-tech-preview/web-terminal-tooling-rhel8@sha256:7af235e60e15603183aec7c244754edee3b87ba601d1b28e999607f372174b0c_amd64",
"product_identification_helper": {
"purl": "pkg:oci/web-terminal-tooling-rhel8@sha256:7af235e60e15603183aec7c244754edee3b87ba601d1b28e999607f372174b0c?arch=amd64\u0026repository_url=registry.redhat.io/web-terminal-tech-preview/web-terminal-tooling-rhel8\u0026tag=1.3-6"
}
}
}
],
"category": "architecture",
"name": "amd64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "web-terminal-tech-preview/web-terminal-exec-rhel8@sha256:fc7b7de34b066e77a770be79990b17ec859e265226c4a8959e971b95a95f87bc_amd64 as a component of Middleware Containers for OpenShift",
"product_id": "8Base-RHOSE-Middleware:web-terminal-tech-preview/web-terminal-exec-rhel8@sha256:fc7b7de34b066e77a770be79990b17ec859e265226c4a8959e971b95a95f87bc_amd64"
},
"product_reference": "web-terminal-tech-preview/web-terminal-exec-rhel8@sha256:fc7b7de34b066e77a770be79990b17ec859e265226c4a8959e971b95a95f87bc_amd64",
"relates_to_product_reference": "8Base-RHOSE-Middleware"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "web-terminal-tech-preview/web-terminal-rhel8-operator-metadata@sha256:e437111649abfadb422b093ca0ccba873d1d13736e90f2837609c9f4adcee2d1_amd64 as a component of Middleware Containers for OpenShift",
"product_id": "8Base-RHOSE-Middleware:web-terminal-tech-preview/web-terminal-rhel8-operator-metadata@sha256:e437111649abfadb422b093ca0ccba873d1d13736e90f2837609c9f4adcee2d1_amd64"
},
"product_reference": "web-terminal-tech-preview/web-terminal-rhel8-operator-metadata@sha256:e437111649abfadb422b093ca0ccba873d1d13736e90f2837609c9f4adcee2d1_amd64",
"relates_to_product_reference": "8Base-RHOSE-Middleware"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "web-terminal-tech-preview/web-terminal-rhel8-operator@sha256:9440cf4a2a39ee48b23bd1f727f243e515909baaf233bcbe1a87d00cc5344b33_amd64 as a component of Middleware Containers for OpenShift",
"product_id": "8Base-RHOSE-Middleware:web-terminal-tech-preview/web-terminal-rhel8-operator@sha256:9440cf4a2a39ee48b23bd1f727f243e515909baaf233bcbe1a87d00cc5344b33_amd64"
},
"product_reference": "web-terminal-tech-preview/web-terminal-rhel8-operator@sha256:9440cf4a2a39ee48b23bd1f727f243e515909baaf233bcbe1a87d00cc5344b33_amd64",
"relates_to_product_reference": "8Base-RHOSE-Middleware"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "web-terminal-tech-preview/web-terminal-tooling-rhel8@sha256:7af235e60e15603183aec7c244754edee3b87ba601d1b28e999607f372174b0c_amd64 as a component of Middleware Containers for OpenShift",
"product_id": "8Base-RHOSE-Middleware:web-terminal-tech-preview/web-terminal-tooling-rhel8@sha256:7af235e60e15603183aec7c244754edee3b87ba601d1b28e999607f372174b0c_amd64"
},
"product_reference": "web-terminal-tech-preview/web-terminal-tooling-rhel8@sha256:7af235e60e15603183aec7c244754edee3b87ba601d1b28e999607f372174b0c_amd64",
"relates_to_product_reference": "8Base-RHOSE-Middleware"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2021-32690",
"cwe": {
"id": "CWE-200",
"name": "Exposure of Sensitive Information to an Unauthorized Actor"
},
"discovery_date": "2021-06-17T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1978144"
}
],
"notes": [
{
"category": "description",
"text": "A vulnerability was discovered in Helm, which could allow credentials associated with one Helm repository to be leaked to another repository referenced by the first one. In order to exploit this vulnerability, an attacker would need to control a repository trusted by the configuration of the target Helm instance.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "helm: information disclosure vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Advanced Cluster Management for Kubernetes:\n\nIn Red Hat Advanced Cluster Management for Kubernetes (RHACM) the affected components are using helm chart provided by the installer, so components are not using untrusted charts except in the application-lifecycle area. For this reason we marked the impact as low. For RHACM, the credentials could be leaked only when a helm chart is stored in a domain other than the helm repository itself. In practice, this rarely happens as the chart is stored in the same helm repository. For example, this chart in the helm repo https://charts.helm.sh/stable/index.yaml references only charts stored in the same domain (charts.heml.sh). From version, 2.2 onwards, multicloud-operators-placementrule and multicloud-operators-deployable do not use helm at all.\n\nOpenShift Developer Tools and Services:\n\nThe OpenShift Helm team has analyzed this CVE and we have come to the conclusion that this only affects OpenShift Helm customers that use the CLI to install and update charts. It does not affect customers that use the OpenShift Console to install and update charts. To mitigate this issue, customers can refresh their Helm cli by following the Red Had official Helm install guide here: https://docs.openshift.com/container-platform/4.7/cli_reference/helm_cli/getting-started-with-helm-on-openshift-container-platform.html#installing-helm_getting-started-with-helm-on-openshift. The mirror (https://mirror.openshift.com/pub/openshift-v4/clients/helm/latest/) have already been updated with helm 3.6.2 which contains the fix for this CVE.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"8Base-RHOSE-Middleware:web-terminal-tech-preview/web-terminal-exec-rhel8@sha256:fc7b7de34b066e77a770be79990b17ec859e265226c4a8959e971b95a95f87bc_amd64",
"8Base-RHOSE-Middleware:web-terminal-tech-preview/web-terminal-rhel8-operator-metadata@sha256:e437111649abfadb422b093ca0ccba873d1d13736e90f2837609c9f4adcee2d1_amd64",
"8Base-RHOSE-Middleware:web-terminal-tech-preview/web-terminal-rhel8-operator@sha256:9440cf4a2a39ee48b23bd1f727f243e515909baaf233bcbe1a87d00cc5344b33_amd64",
"8Base-RHOSE-Middleware:web-terminal-tech-preview/web-terminal-tooling-rhel8@sha256:7af235e60e15603183aec7c244754edee3b87ba601d1b28e999607f372174b0c_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2021-32690"
},
{
"category": "external",
"summary": "RHBZ#1978144",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1978144"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2021-32690",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-32690"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-32690",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32690"
},
{
"category": "external",
"summary": "https://github.com/helm/helm/security/advisories/GHSA-56hp-xqp3-w2jf",
"url": "https://github.com/helm/helm/security/advisories/GHSA-56hp-xqp3-w2jf"
}
],
"release_date": "2021-06-16T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"details": "To start using Web Terminal, install the Web Terminal Operator from OpenShift OperatorHub on OpenShift Container Platform 4.5.3 or higher.",
"product_ids": [
"8Base-RHOSE-Middleware:web-terminal-tech-preview/web-terminal-exec-rhel8@sha256:fc7b7de34b066e77a770be79990b17ec859e265226c4a8959e971b95a95f87bc_amd64",
"8Base-RHOSE-Middleware:web-terminal-tech-preview/web-terminal-rhel8-operator-metadata@sha256:e437111649abfadb422b093ca0ccba873d1d13736e90f2837609c9f4adcee2d1_amd64",
"8Base-RHOSE-Middleware:web-terminal-tech-preview/web-terminal-rhel8-operator@sha256:9440cf4a2a39ee48b23bd1f727f243e515909baaf233bcbe1a87d00cc5344b33_amd64",
"8Base-RHOSE-Middleware:web-terminal-tech-preview/web-terminal-tooling-rhel8@sha256:7af235e60e15603183aec7c244754edee3b87ba601d1b28e999607f372174b0c_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHEA-2021:3139"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"8Base-RHOSE-Middleware:web-terminal-tech-preview/web-terminal-exec-rhel8@sha256:fc7b7de34b066e77a770be79990b17ec859e265226c4a8959e971b95a95f87bc_amd64",
"8Base-RHOSE-Middleware:web-terminal-tech-preview/web-terminal-rhel8-operator-metadata@sha256:e437111649abfadb422b093ca0ccba873d1d13736e90f2837609c9f4adcee2d1_amd64",
"8Base-RHOSE-Middleware:web-terminal-tech-preview/web-terminal-rhel8-operator@sha256:9440cf4a2a39ee48b23bd1f727f243e515909baaf233bcbe1a87d00cc5344b33_amd64",
"8Base-RHOSE-Middleware:web-terminal-tech-preview/web-terminal-tooling-rhel8@sha256:7af235e60e15603183aec7c244754edee3b87ba601d1b28e999607f372174b0c_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "helm: information disclosure vulnerability"
}
]
}
Loading...