VARIoT IoT vulnerabilities database

The Omron CX-One Version 4.60 and prior may allow an attacker to supply a pointer to arbitrary memory locations, which may allow an attacker to remotely execute arbitrary code. Provided by OMRON Corporation CX-One There are multiple vulnerabilities in. ‥ * Untrusted pointer reference (CWE-822) - CVE-2020-27259 ‥ * Stack-based buffer overflow (CWE-121) - CVE-2020-27261 ‥ * Wrong type (CWE-843) - CVE-2020-27257The expected impact depends on each vulnerability, but it may be affected as follows. - CVE-2020-27259 ‥ * A third party causes a stack-based buffer overflow to execute arbitrary code remotely - CVE-2020-27261 ‥ * A third party enters the crafted data and executes arbitrary code - CVE-2020-27257. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the parsing of NCI files by the CX-Position application. The issue results from the lack of proper validation of a user-supplied value prior to dereferencing it as a pointer. An attacker can leverage this vulnerability to execute code in the context of the current process. Omron CX-One is a set of integrated tool kits of Japan's Omron (Omron) company. The product includes frequency converter, temperature controller and PLC programming software, etc. CX-Protocol is one of the components used to create a serial communication protocol to communicate with standard serial devices. The following products and versions are affected: CX-Protocol Versions 2.02 and prior, CX-Server Versions 5.0.28 and prior, CX-Position Versions 2.52 and prior

This vulnerability allows local attackers to execute arbitrary code due to the lack of proper validation of user-supplied data, which can result in a type-confusion condition in the Omron CX-One Version 4.60 and prior devices. Provided by OMRON Corporation CX-One There are multiple vulnerabilities in. ‥ * Untrusted pointer reference (CWE-822) - CVE-2020-27259 ‥ * Stack-based buffer overflow (CWE-121) - CVE-2020-27261 ‥ * Wrong type (CWE-843) - CVE-2020-27257The expected impact depends on each vulnerability, but it may be affected as follows. ‥ * Any memory pointer is referenced by a third party and arbitrary code is executed remotely. - CVE-2020-27259 ‥ * A third party causes a stack-based buffer overflow to execute arbitrary code remotely - CVE-2020-27261 ‥ * A third party enters the crafted data and executes arbitrary code - CVE-2020-27257. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the parsing of PSW files by the CX-Protocol application. An attacker can leverage this vulnerability to execute code in the context of the current process. Omron CX-One is a set of integrated tool kits of Japan's Omron (Omron) company. The product includes frequency converter, temperature controller and PLC programming software, etc. CX-Protocol is one of the components used to create a serial communication protocol to communicate with standard serial devices. The following products and versions are affected: CX-Protocol Versions 2.02 and prior, CX-Server Versions 5.0.28 and prior, CX-Position Versions 2.52 and prior

A denial-of-service vulnerability exists in the Ethernet/IP server functionality of Rockwell Automation RSLinx Classic 2.57.00.14 CPR 9 SR 3. A specially crafted network request can lead to a denial of service. An attacker can send a sequence of malicious packets to trigger this vulnerability. Rockwell Automation RSLinx Classic Is vulnerable to a buffer error.Denial of service (DoS) It may be put into a state. The solution supports access to RockwellSoftware and Allen-Bradley applications through Allen-Bradley programmable controllers

MERCUSYS Mercury X18G 1.0.5 devices allow Directory Traversal via ../ in conjunction with a loginLess or login.htm URI (for authentication bypass) to the web server, as demonstrated by the /loginLess/../../etc/passwd URI. MERCUSYS Mercury X18G A path traversal vulnerability exists in the device.Information may be obtained. Mercusys Mercury X18G is a router from China Mercusys. Mercusys Mercury X18G has a security vulnerability that allows remote attackers to use the vulnerability to submit a special /loginLess/ request, which can read sensitive information

MERCUSYS Mercury X18G 1.0.5 devices allow Directory Traversal via ../ to the UPnP server, as demonstrated by the /../../conf/template/uhttpd.json URI. MERCUSYS Mercury X18G A path traversal vulnerability exists in the device.Information may be obtained. Mercusys Mercury X18G is a router from China Mercusys

oal_ipt_addBridgeIsolationRules on TP-Link TL-WR840N 6_EU_0.9.1_4.16 devices allows OS command injection because a raw string entered from the web interface (an IP address field) is used directly for a call to the system library function (for iptables). NOTE: oal_ipt_addBridgeIsolationRules is not the only function that calls util_execSystem. TP-Link TL-WR840N Has OS A command injection vulnerability exists.Information is obtained, information is tampered with, and service is disrupted (DoS) It may be put into a state. TP-LINK TL-WR840N is a wireless router with 13 channels and supports VPN function. The oal_ipt_addBridgeIsolationRules in TP-Link TL-WR840N 6_EU_0.9.1_4.16 has an OS command injection vulnerability. The vulnerability stems from the original string input from the Web interface is directly used to call system library functions. Attackers can use this vulnerability to inject OS commands

Century Star Configuration Software is an obstruction software launched by Beijing Century Changqiu Technology Co., Ltd. It is a real-time man-machine interface utility program generator. It consists of CSMaker development system and CSViewer operating system. CSMaker development system is its application Integrated development environment, in which the developer completes the design of the working condition screen, database definition, animation connection, equipment installation, command language writing, etc. The Century Star configuration software has a denial of service vulnerability. The vulnerability is due to the failure to check the length when receiving tcp packets. Attackers can use this vulnerability to cause remote denial of service.

Century Star Configuration Software is an obstruction software launched by Beijing Century Changqiu Technology Co., Ltd. It is a real-time man-machine interface utility program generator. It consists of CSMaker development system and CSViewer operating system. CSMaker development system is its application Integrated development environment, in which the developer completes the design of the working condition screen, database definition, animation connection, equipment installation, command language writing, etc. The Century Star configuration software has input verification loopholes. Attackers can use this vulnerability to cause the program to crash.

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS. FasterXML jackson-databind There is a vulnerability in deserialization of untrusted data.Information is obtained, information is tampered with, and service is disrupted (DoS) It may be put into a state. Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements. FasterXML jackson-databind is a library based on JAVA that can convert data formats such as XML and JSON to JAVA objects. Jackson can easily convert Java objects into json objects and xml documents, as well as convert json and xml into Java objects. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Important: OpenShift Container Platform 4.6.26 security and extras update Advisory ID: RHSA-2021:1230-01 Product: Red Hat OpenShift Enterprise Advisory URL: https://access.redhat.com/errata/RHSA-2021:1230 Issue date: 2021-04-27 CVE Names: CVE-2018-14718 CVE-2018-14719 CVE-2018-14720 CVE-2018-14721 CVE-2018-19360 CVE-2018-19361 CVE-2018-19362 CVE-2019-14379 CVE-2020-24750 CVE-2020-35490 CVE-2020-35491 CVE-2020-35728 CVE-2020-36179 CVE-2020-36180 CVE-2020-36181 CVE-2020-36182 CVE-2020-36183 CVE-2020-36184 CVE-2020-36185 CVE-2020-36186 CVE-2020-36187 CVE-2020-36188 CVE-2020-36189 CVE-2021-3449 CVE-2021-20190 ===================================================================== 1. Summary: Red Hat OpenShift Container Platform release 4.6.26 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. 3. Solution: This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.6.26. See the following advisory for the container images for this release: https://access.redhat.com/errata/RHBA-2021:1232 All OpenShift Container Platform 4.6 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift Console or the CLI oc command. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.6/updating/updating-cluster - -between-minor.html#understanding-upgrade-channels_updating-cluster-between - -minor For OpenShift Container Platform 4.6 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update: https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-rel ease-notes.html Details on how to access this content are available at https://docs.openshift.com/container-platform/4.6/updating/updating-cluster - -cli.html 4. Bugs fixed (https://bugzilla.redhat.com/): 1666415 - CVE-2018-14718 jackson-databind: arbitrary code execution in slf4j-ext class 1666418 - CVE-2018-14719 jackson-databind: arbitrary code execution in blaze-ds-opt and blaze-ds-core classes 1666423 - CVE-2018-14720 jackson-databind: exfiltration/XXE in some JDK classes 1666428 - CVE-2018-14721 jackson-databind: server-side request forgery (SSRF) in axis2-jaxws class 1666482 - CVE-2018-19360 jackson-databind: improper polymorphic deserialization in axis2-transport-jms class 1666484 - CVE-2018-19361 jackson-databind: improper polymorphic deserialization in openjpa class 1666489 - CVE-2018-19362 jackson-databind: improper polymorphic deserialization in jboss-common-core class 1737517 - CVE-2019-14379 jackson-databind: default typing mishandling leading to remote code execution 1859004 - Sometimes the eventrouter couldn't gather event logs. References: https://access.redhat.com/security/cve/CVE-2018-14718 https://access.redhat.com/security/cve/CVE-2018-14719 https://access.redhat.com/security/cve/CVE-2018-14720 https://access.redhat.com/security/cve/CVE-2018-14721 https://access.redhat.com/security/cve/CVE-2018-19360 https://access.redhat.com/security/cve/CVE-2018-19361 https://access.redhat.com/security/cve/CVE-2018-19362 https://access.redhat.com/security/cve/CVE-2019-14379 https://access.redhat.com/security/cve/CVE-2020-24750 https://access.redhat.com/security/cve/CVE-2020-35490 https://access.redhat.com/security/cve/CVE-2020-35491 https://access.redhat.com/security/cve/CVE-2020-35728 https://access.redhat.com/security/cve/CVE-2020-36179 https://access.redhat.com/security/cve/CVE-2020-36180 https://access.redhat.com/security/cve/CVE-2020-36181 https://access.redhat.com/security/cve/CVE-2020-36182 https://access.redhat.com/security/cve/CVE-2020-36183 https://access.redhat.com/security/cve/CVE-2020-36184 https://access.redhat.com/security/cve/CVE-2020-36185 https://access.redhat.com/security/cve/CVE-2020-36186 https://access.redhat.com/security/cve/CVE-2020-36187 https://access.redhat.com/security/cve/CVE-2020-36188 https://access.redhat.com/security/cve/CVE-2020-36189 https://access.redhat.com/security/cve/CVE-2021-3449 https://access.redhat.com/security/cve/CVE-2021-20190 https://access.redhat.com/security/updates/classification/#important 6. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2021 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYIfTktzjgjWX9erEAQg+8A//QGo1YBtlmSC7RqagNERfByPYx5YNGlfi 2RIAMqi0QrGUVuvnQxQUs5Zm9sLF559qyH56geUi2q4ICVr+rgAeUhLtsx6GLuJC xe9w4Gz8ozN6jIvTGKPx9lnTafIvR+ddgUPk389Eqo6PDPWlw7PHvaBlNHa8hGF7 6rUnTdED/G+JnXANJnAkvc+gW0BLeAYaOI+1wTOx1neicwfa+POqC8rCzYl8ESjD 8NlVG3+wu0pZK9zRTBg67TcPi+bsdyh4R6w4Uxg0w1vJkN6IdUHd+CDhqJzNDpNe pDHqPm5zAwe4iTDrV1+FJQYpx6iy9oeSPiAD/+L/JRGZ51ij5eLHpxbeL8SzpcH6 JtOpYrxVktvihnVydP1ALYlQpQvAUkmY3EcE7flNujebJNlG1MFwctaxHtDarXTL 2m4mlI4ccX2kHPYt/t0GYchRf2e7kA6Ph12SpV3tNC3zCn9JGZva4OXpyyQmvmHi 9PMifX/XTU5k4k6xXZE5ljo0YOnnKlM/4mDGBxGFiNGcsQSZhnhCALI1W6U6oGK0 uef8BrOrEFx9UHENIEqoRYp2T7d6EO3oA/mTfl3H8Ddi1qyg/U1mwJw2aE5hOTVO xkXaBb1nCb2SxcW6kMbcCeSJX9qSclcNetQI9/HrF3lxC/eCpNk5B4F6Q2AztXbL zm97KOYD3LQ= =CKcx -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce . JIRA issues fixed (https://issues.jboss.org/): LOG-1224 - Release 5.0 - ClusterLogForwarder namespace-specific log forwarding does not work as expected LOG-1232 - 5.0 - Bug 1859004 - Sometimes the eventrouter couldn't gather event logs. LOG-1234 - CVE-2020-15586 CVE-2020-16845 openshift-eventrouter: various flaws [openshift-4] LOG-1299 - Release 5.0 Forwarding logs to Kafka using Chained certificates fails with error "state=error: certificate verify failed (unable to get local issuer certificate)" 5

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource. FasterXML jackson-databind There is a vulnerability in deserialization of untrusted data.Information is obtained, information is tampered with, and service is disrupted (DoS) It may be put into a state. Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements. FasterXML jackson-databind is a library based on JAVA that can convert data formats such as XML and JSON to JAVA objects. Jackson can easily convert Java objects into json objects and xml documents, as well as convert json and xml into Java objects. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Important: OpenShift Container Platform 4.6.26 security and extras update Advisory ID: RHSA-2021:1230-01 Product: Red Hat OpenShift Enterprise Advisory URL: https://access.redhat.com/errata/RHSA-2021:1230 Issue date: 2021-04-27 CVE Names: CVE-2018-14718 CVE-2018-14719 CVE-2018-14720 CVE-2018-14721 CVE-2018-19360 CVE-2018-19361 CVE-2018-19362 CVE-2019-14379 CVE-2020-24750 CVE-2020-35490 CVE-2020-35491 CVE-2020-35728 CVE-2020-36179 CVE-2020-36180 CVE-2020-36181 CVE-2020-36182 CVE-2020-36183 CVE-2020-36184 CVE-2020-36185 CVE-2020-36186 CVE-2020-36187 CVE-2020-36188 CVE-2020-36189 CVE-2021-3449 CVE-2021-20190 ===================================================================== 1. Summary: Red Hat OpenShift Container Platform release 4.6.26 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. 3. Solution: This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.6.26. See the following advisory for the container images for this release: https://access.redhat.com/errata/RHBA-2021:1232 All OpenShift Container Platform 4.6 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift Console or the CLI oc command. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.6/updating/updating-cluster - -between-minor.html#understanding-upgrade-channels_updating-cluster-between - -minor For OpenShift Container Platform 4.6 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update: https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-rel ease-notes.html Details on how to access this content are available at https://docs.openshift.com/container-platform/4.6/updating/updating-cluster - -cli.html 4. Bugs fixed (https://bugzilla.redhat.com/): 1666415 - CVE-2018-14718 jackson-databind: arbitrary code execution in slf4j-ext class 1666418 - CVE-2018-14719 jackson-databind: arbitrary code execution in blaze-ds-opt and blaze-ds-core classes 1666423 - CVE-2018-14720 jackson-databind: exfiltration/XXE in some JDK classes 1666428 - CVE-2018-14721 jackson-databind: server-side request forgery (SSRF) in axis2-jaxws class 1666482 - CVE-2018-19360 jackson-databind: improper polymorphic deserialization in axis2-transport-jms class 1666484 - CVE-2018-19361 jackson-databind: improper polymorphic deserialization in openjpa class 1666489 - CVE-2018-19362 jackson-databind: improper polymorphic deserialization in jboss-common-core class 1737517 - CVE-2019-14379 jackson-databind: default typing mishandling leading to remote code execution 1859004 - Sometimes the eventrouter couldn't gather event logs. References: https://access.redhat.com/security/cve/CVE-2018-14718 https://access.redhat.com/security/cve/CVE-2018-14719 https://access.redhat.com/security/cve/CVE-2018-14720 https://access.redhat.com/security/cve/CVE-2018-14721 https://access.redhat.com/security/cve/CVE-2018-19360 https://access.redhat.com/security/cve/CVE-2018-19361 https://access.redhat.com/security/cve/CVE-2018-19362 https://access.redhat.com/security/cve/CVE-2019-14379 https://access.redhat.com/security/cve/CVE-2020-24750 https://access.redhat.com/security/cve/CVE-2020-35490 https://access.redhat.com/security/cve/CVE-2020-35491 https://access.redhat.com/security/cve/CVE-2020-35728 https://access.redhat.com/security/cve/CVE-2020-36179 https://access.redhat.com/security/cve/CVE-2020-36180 https://access.redhat.com/security/cve/CVE-2020-36181 https://access.redhat.com/security/cve/CVE-2020-36182 https://access.redhat.com/security/cve/CVE-2020-36183 https://access.redhat.com/security/cve/CVE-2020-36184 https://access.redhat.com/security/cve/CVE-2020-36185 https://access.redhat.com/security/cve/CVE-2020-36186 https://access.redhat.com/security/cve/CVE-2020-36187 https://access.redhat.com/security/cve/CVE-2020-36188 https://access.redhat.com/security/cve/CVE-2020-36189 https://access.redhat.com/security/cve/CVE-2021-3449 https://access.redhat.com/security/cve/CVE-2021-20190 https://access.redhat.com/security/updates/classification/#important 6. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2021 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYIfTktzjgjWX9erEAQg+8A//QGo1YBtlmSC7RqagNERfByPYx5YNGlfi 2RIAMqi0QrGUVuvnQxQUs5Zm9sLF559qyH56geUi2q4ICVr+rgAeUhLtsx6GLuJC xe9w4Gz8ozN6jIvTGKPx9lnTafIvR+ddgUPk389Eqo6PDPWlw7PHvaBlNHa8hGF7 6rUnTdED/G+JnXANJnAkvc+gW0BLeAYaOI+1wTOx1neicwfa+POqC8rCzYl8ESjD 8NlVG3+wu0pZK9zRTBg67TcPi+bsdyh4R6w4Uxg0w1vJkN6IdUHd+CDhqJzNDpNe pDHqPm5zAwe4iTDrV1+FJQYpx6iy9oeSPiAD/+L/JRGZ51ij5eLHpxbeL8SzpcH6 JtOpYrxVktvihnVydP1ALYlQpQvAUkmY3EcE7flNujebJNlG1MFwctaxHtDarXTL 2m4mlI4ccX2kHPYt/t0GYchRf2e7kA6Ph12SpV3tNC3zCn9JGZva4OXpyyQmvmHi 9PMifX/XTU5k4k6xXZE5ljo0YOnnKlM/4mDGBxGFiNGcsQSZhnhCALI1W6U6oGK0 uef8BrOrEFx9UHENIEqoRYp2T7d6EO3oA/mTfl3H8Ddi1qyg/U1mwJw2aE5hOTVO xkXaBb1nCb2SxcW6kMbcCeSJX9qSclcNetQI9/HrF3lxC/eCpNk5B4F6Q2AztXbL zm97KOYD3LQ= =CKcx -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce . JIRA issues fixed (https://issues.jboss.org/): LOG-1224 - Release 5.0 - ClusterLogForwarder namespace-specific log forwarding does not work as expected LOG-1232 - 5.0 - Bug 1859004 - Sometimes the eventrouter couldn't gather event logs. LOG-1234 - CVE-2020-15586 CVE-2020-16845 openshift-eventrouter: various flaws [openshift-4] LOG-1299 - Release 5.0 Forwarding logs to Kafka using Chained certificates fails with error "state=error: certificate verify failed (unable to get local issuer certificate)" 5

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS. FasterXML jackson-databind There is a vulnerability in deserialization of untrusted data.Information is obtained, information is tampered with, and service is disrupted (DoS) It may be put into a state. Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements. FasterXML jackson-databind is a library based on JAVA that can convert data formats such as XML and JSON to JAVA objects. Jackson can easily convert Java objects into json objects and xml documents, as well as convert json and xml into Java objects. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Important: OpenShift Container Platform 4.6.26 security and extras update Advisory ID: RHSA-2021:1230-01 Product: Red Hat OpenShift Enterprise Advisory URL: https://access.redhat.com/errata/RHSA-2021:1230 Issue date: 2021-04-27 CVE Names: CVE-2018-14718 CVE-2018-14719 CVE-2018-14720 CVE-2018-14721 CVE-2018-19360 CVE-2018-19361 CVE-2018-19362 CVE-2019-14379 CVE-2020-24750 CVE-2020-35490 CVE-2020-35491 CVE-2020-35728 CVE-2020-36179 CVE-2020-36180 CVE-2020-36181 CVE-2020-36182 CVE-2020-36183 CVE-2020-36184 CVE-2020-36185 CVE-2020-36186 CVE-2020-36187 CVE-2020-36188 CVE-2020-36189 CVE-2021-3449 CVE-2021-20190 ===================================================================== 1. Summary: Red Hat OpenShift Container Platform release 4.6.26 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. 3. Solution: This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.6.26. See the following advisory for the container images for this release: https://access.redhat.com/errata/RHBA-2021:1232 All OpenShift Container Platform 4.6 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift Console or the CLI oc command. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.6/updating/updating-cluster - -between-minor.html#understanding-upgrade-channels_updating-cluster-between - -minor For OpenShift Container Platform 4.6 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update: https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-rel ease-notes.html Details on how to access this content are available at https://docs.openshift.com/container-platform/4.6/updating/updating-cluster - -cli.html 4. Bugs fixed (https://bugzilla.redhat.com/): 1666415 - CVE-2018-14718 jackson-databind: arbitrary code execution in slf4j-ext class 1666418 - CVE-2018-14719 jackson-databind: arbitrary code execution in blaze-ds-opt and blaze-ds-core classes 1666423 - CVE-2018-14720 jackson-databind: exfiltration/XXE in some JDK classes 1666428 - CVE-2018-14721 jackson-databind: server-side request forgery (SSRF) in axis2-jaxws class 1666482 - CVE-2018-19360 jackson-databind: improper polymorphic deserialization in axis2-transport-jms class 1666484 - CVE-2018-19361 jackson-databind: improper polymorphic deserialization in openjpa class 1666489 - CVE-2018-19362 jackson-databind: improper polymorphic deserialization in jboss-common-core class 1737517 - CVE-2019-14379 jackson-databind: default typing mishandling leading to remote code execution 1859004 - Sometimes the eventrouter couldn't gather event logs. References: https://access.redhat.com/security/cve/CVE-2018-14718 https://access.redhat.com/security/cve/CVE-2018-14719 https://access.redhat.com/security/cve/CVE-2018-14720 https://access.redhat.com/security/cve/CVE-2018-14721 https://access.redhat.com/security/cve/CVE-2018-19360 https://access.redhat.com/security/cve/CVE-2018-19361 https://access.redhat.com/security/cve/CVE-2018-19362 https://access.redhat.com/security/cve/CVE-2019-14379 https://access.redhat.com/security/cve/CVE-2020-24750 https://access.redhat.com/security/cve/CVE-2020-35490 https://access.redhat.com/security/cve/CVE-2020-35491 https://access.redhat.com/security/cve/CVE-2020-35728 https://access.redhat.com/security/cve/CVE-2020-36179 https://access.redhat.com/security/cve/CVE-2020-36180 https://access.redhat.com/security/cve/CVE-2020-36181 https://access.redhat.com/security/cve/CVE-2020-36182 https://access.redhat.com/security/cve/CVE-2020-36183 https://access.redhat.com/security/cve/CVE-2020-36184 https://access.redhat.com/security/cve/CVE-2020-36185 https://access.redhat.com/security/cve/CVE-2020-36186 https://access.redhat.com/security/cve/CVE-2020-36187 https://access.redhat.com/security/cve/CVE-2020-36188 https://access.redhat.com/security/cve/CVE-2020-36189 https://access.redhat.com/security/cve/CVE-2021-3449 https://access.redhat.com/security/cve/CVE-2021-20190 https://access.redhat.com/security/updates/classification/#important 6. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2021 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYIfTktzjgjWX9erEAQg+8A//QGo1YBtlmSC7RqagNERfByPYx5YNGlfi 2RIAMqi0QrGUVuvnQxQUs5Zm9sLF559qyH56geUi2q4ICVr+rgAeUhLtsx6GLuJC xe9w4Gz8ozN6jIvTGKPx9lnTafIvR+ddgUPk389Eqo6PDPWlw7PHvaBlNHa8hGF7 6rUnTdED/G+JnXANJnAkvc+gW0BLeAYaOI+1wTOx1neicwfa+POqC8rCzYl8ESjD 8NlVG3+wu0pZK9zRTBg67TcPi+bsdyh4R6w4Uxg0w1vJkN6IdUHd+CDhqJzNDpNe pDHqPm5zAwe4iTDrV1+FJQYpx6iy9oeSPiAD/+L/JRGZ51ij5eLHpxbeL8SzpcH6 JtOpYrxVktvihnVydP1ALYlQpQvAUkmY3EcE7flNujebJNlG1MFwctaxHtDarXTL 2m4mlI4ccX2kHPYt/t0GYchRf2e7kA6Ph12SpV3tNC3zCn9JGZva4OXpyyQmvmHi 9PMifX/XTU5k4k6xXZE5ljo0YOnnKlM/4mDGBxGFiNGcsQSZhnhCALI1W6U6oGK0 uef8BrOrEFx9UHENIEqoRYp2T7d6EO3oA/mTfl3H8Ddi1qyg/U1mwJw2aE5hOTVO xkXaBb1nCb2SxcW6kMbcCeSJX9qSclcNetQI9/HrF3lxC/eCpNk5B4F6Q2AztXbL zm97KOYD3LQ= =CKcx -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce . JIRA issues fixed (https://issues.jboss.org/): LOG-1224 - Release 5.0 - ClusterLogForwarder namespace-specific log forwarding does not work as expected LOG-1232 - 5.0 - Bug 1859004 - Sometimes the eventrouter couldn't gather event logs. LOG-1234 - CVE-2020-15586 CVE-2020-16845 openshift-eventrouter: various flaws [openshift-4] LOG-1299 - Release 5.0 Forwarding logs to Kafka using Chained certificates fails with error "state=error: certificate verify failed (unable to get local issuer certificate)" 5

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource. FasterXML jackson-databind There is a vulnerability in deserialization of untrusted data.Information is obtained, information is tampered with, and service is disrupted (DoS) It may be put into a state. Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements. FasterXML jackson-databind is a library based on JAVA that can convert data formats such as XML and JSON to JAVA objects. Jackson can easily convert Java objects into json objects and xml documents, as well as convert json and xml into Java objects. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Important: OpenShift Container Platform 4.6.26 security and extras update Advisory ID: RHSA-2021:1230-01 Product: Red Hat OpenShift Enterprise Advisory URL: https://access.redhat.com/errata/RHSA-2021:1230 Issue date: 2021-04-27 CVE Names: CVE-2018-14718 CVE-2018-14719 CVE-2018-14720 CVE-2018-14721 CVE-2018-19360 CVE-2018-19361 CVE-2018-19362 CVE-2019-14379 CVE-2020-24750 CVE-2020-35490 CVE-2020-35491 CVE-2020-35728 CVE-2020-36179 CVE-2020-36180 CVE-2020-36181 CVE-2020-36182 CVE-2020-36183 CVE-2020-36184 CVE-2020-36185 CVE-2020-36186 CVE-2020-36187 CVE-2020-36188 CVE-2020-36189 CVE-2021-3449 CVE-2021-20190 ===================================================================== 1. Summary: Red Hat OpenShift Container Platform release 4.6.26 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. 3. Solution: This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.6.26. See the following advisory for the container images for this release: https://access.redhat.com/errata/RHBA-2021:1232 All OpenShift Container Platform 4.6 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift Console or the CLI oc command. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.6/updating/updating-cluster - -between-minor.html#understanding-upgrade-channels_updating-cluster-between - -minor For OpenShift Container Platform 4.6 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update: https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-rel ease-notes.html Details on how to access this content are available at https://docs.openshift.com/container-platform/4.6/updating/updating-cluster - -cli.html 4. Bugs fixed (https://bugzilla.redhat.com/): 1666415 - CVE-2018-14718 jackson-databind: arbitrary code execution in slf4j-ext class 1666418 - CVE-2018-14719 jackson-databind: arbitrary code execution in blaze-ds-opt and blaze-ds-core classes 1666423 - CVE-2018-14720 jackson-databind: exfiltration/XXE in some JDK classes 1666428 - CVE-2018-14721 jackson-databind: server-side request forgery (SSRF) in axis2-jaxws class 1666482 - CVE-2018-19360 jackson-databind: improper polymorphic deserialization in axis2-transport-jms class 1666484 - CVE-2018-19361 jackson-databind: improper polymorphic deserialization in openjpa class 1666489 - CVE-2018-19362 jackson-databind: improper polymorphic deserialization in jboss-common-core class 1737517 - CVE-2019-14379 jackson-databind: default typing mishandling leading to remote code execution 1859004 - Sometimes the eventrouter couldn't gather event logs. References: https://access.redhat.com/security/cve/CVE-2018-14718 https://access.redhat.com/security/cve/CVE-2018-14719 https://access.redhat.com/security/cve/CVE-2018-14720 https://access.redhat.com/security/cve/CVE-2018-14721 https://access.redhat.com/security/cve/CVE-2018-19360 https://access.redhat.com/security/cve/CVE-2018-19361 https://access.redhat.com/security/cve/CVE-2018-19362 https://access.redhat.com/security/cve/CVE-2019-14379 https://access.redhat.com/security/cve/CVE-2020-24750 https://access.redhat.com/security/cve/CVE-2020-35490 https://access.redhat.com/security/cve/CVE-2020-35491 https://access.redhat.com/security/cve/CVE-2020-35728 https://access.redhat.com/security/cve/CVE-2020-36179 https://access.redhat.com/security/cve/CVE-2020-36180 https://access.redhat.com/security/cve/CVE-2020-36181 https://access.redhat.com/security/cve/CVE-2020-36182 https://access.redhat.com/security/cve/CVE-2020-36183 https://access.redhat.com/security/cve/CVE-2020-36184 https://access.redhat.com/security/cve/CVE-2020-36185 https://access.redhat.com/security/cve/CVE-2020-36186 https://access.redhat.com/security/cve/CVE-2020-36187 https://access.redhat.com/security/cve/CVE-2020-36188 https://access.redhat.com/security/cve/CVE-2020-36189 https://access.redhat.com/security/cve/CVE-2021-3449 https://access.redhat.com/security/cve/CVE-2021-20190 https://access.redhat.com/security/updates/classification/#important 6. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2021 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYIfTktzjgjWX9erEAQg+8A//QGo1YBtlmSC7RqagNERfByPYx5YNGlfi 2RIAMqi0QrGUVuvnQxQUs5Zm9sLF559qyH56geUi2q4ICVr+rgAeUhLtsx6GLuJC xe9w4Gz8ozN6jIvTGKPx9lnTafIvR+ddgUPk389Eqo6PDPWlw7PHvaBlNHa8hGF7 6rUnTdED/G+JnXANJnAkvc+gW0BLeAYaOI+1wTOx1neicwfa+POqC8rCzYl8ESjD 8NlVG3+wu0pZK9zRTBg67TcPi+bsdyh4R6w4Uxg0w1vJkN6IdUHd+CDhqJzNDpNe pDHqPm5zAwe4iTDrV1+FJQYpx6iy9oeSPiAD/+L/JRGZ51ij5eLHpxbeL8SzpcH6 JtOpYrxVktvihnVydP1ALYlQpQvAUkmY3EcE7flNujebJNlG1MFwctaxHtDarXTL 2m4mlI4ccX2kHPYt/t0GYchRf2e7kA6Ph12SpV3tNC3zCn9JGZva4OXpyyQmvmHi 9PMifX/XTU5k4k6xXZE5ljo0YOnnKlM/4mDGBxGFiNGcsQSZhnhCALI1W6U6oGK0 uef8BrOrEFx9UHENIEqoRYp2T7d6EO3oA/mTfl3H8Ddi1qyg/U1mwJw2aE5hOTVO xkXaBb1nCb2SxcW6kMbcCeSJX9qSclcNetQI9/HrF3lxC/eCpNk5B4F6Q2AztXbL zm97KOYD3LQ= =CKcx -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce . JIRA issues fixed (https://issues.jboss.org/): LOG-1224 - Release 5.0 - ClusterLogForwarder namespace-specific log forwarding does not work as expected LOG-1232 - 5.0 - Bug 1859004 - Sometimes the eventrouter couldn't gather event logs. LOG-1234 - CVE-2020-15586 CVE-2020-16845 openshift-eventrouter: various flaws [openshift-4] LOG-1299 - Release 5.0 Forwarding logs to Kafka using Chained certificates fails with error "state=error: certificate verify failed (unable to get local issuer certificate)" 5

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource. FasterXML jackson-databind There is a vulnerability in deserialization of untrusted data.Information is obtained, information is tampered with, and service is disrupted (DoS) It may be put into a state. Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements. FasterXML jackson-databind is a library based on JAVA that can convert data formats such as XML and JSON to JAVA objects. Jackson can easily convert Java objects into json objects and xml documents, as well as convert json and xml into Java objects. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Important: OpenShift Container Platform 4.6.26 security and extras update Advisory ID: RHSA-2021:1230-01 Product: Red Hat OpenShift Enterprise Advisory URL: https://access.redhat.com/errata/RHSA-2021:1230 Issue date: 2021-04-27 CVE Names: CVE-2018-14718 CVE-2018-14719 CVE-2018-14720 CVE-2018-14721 CVE-2018-19360 CVE-2018-19361 CVE-2018-19362 CVE-2019-14379 CVE-2020-24750 CVE-2020-35490 CVE-2020-35491 CVE-2020-35728 CVE-2020-36179 CVE-2020-36180 CVE-2020-36181 CVE-2020-36182 CVE-2020-36183 CVE-2020-36184 CVE-2020-36185 CVE-2020-36186 CVE-2020-36187 CVE-2020-36188 CVE-2020-36189 CVE-2021-3449 CVE-2021-20190 ===================================================================== 1. Summary: Red Hat OpenShift Container Platform release 4.6.26 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. 3. Solution: This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.6.26. See the following advisory for the container images for this release: https://access.redhat.com/errata/RHBA-2021:1232 All OpenShift Container Platform 4.6 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift Console or the CLI oc command. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.6/updating/updating-cluster - -between-minor.html#understanding-upgrade-channels_updating-cluster-between - -minor For OpenShift Container Platform 4.6 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update: https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-rel ease-notes.html Details on how to access this content are available at https://docs.openshift.com/container-platform/4.6/updating/updating-cluster - -cli.html 4. Bugs fixed (https://bugzilla.redhat.com/): 1666415 - CVE-2018-14718 jackson-databind: arbitrary code execution in slf4j-ext class 1666418 - CVE-2018-14719 jackson-databind: arbitrary code execution in blaze-ds-opt and blaze-ds-core classes 1666423 - CVE-2018-14720 jackson-databind: exfiltration/XXE in some JDK classes 1666428 - CVE-2018-14721 jackson-databind: server-side request forgery (SSRF) in axis2-jaxws class 1666482 - CVE-2018-19360 jackson-databind: improper polymorphic deserialization in axis2-transport-jms class 1666484 - CVE-2018-19361 jackson-databind: improper polymorphic deserialization in openjpa class 1666489 - CVE-2018-19362 jackson-databind: improper polymorphic deserialization in jboss-common-core class 1737517 - CVE-2019-14379 jackson-databind: default typing mishandling leading to remote code execution 1859004 - Sometimes the eventrouter couldn't gather event logs. References: https://access.redhat.com/security/cve/CVE-2018-14718 https://access.redhat.com/security/cve/CVE-2018-14719 https://access.redhat.com/security/cve/CVE-2018-14720 https://access.redhat.com/security/cve/CVE-2018-14721 https://access.redhat.com/security/cve/CVE-2018-19360 https://access.redhat.com/security/cve/CVE-2018-19361 https://access.redhat.com/security/cve/CVE-2018-19362 https://access.redhat.com/security/cve/CVE-2019-14379 https://access.redhat.com/security/cve/CVE-2020-24750 https://access.redhat.com/security/cve/CVE-2020-35490 https://access.redhat.com/security/cve/CVE-2020-35491 https://access.redhat.com/security/cve/CVE-2020-35728 https://access.redhat.com/security/cve/CVE-2020-36179 https://access.redhat.com/security/cve/CVE-2020-36180 https://access.redhat.com/security/cve/CVE-2020-36181 https://access.redhat.com/security/cve/CVE-2020-36182 https://access.redhat.com/security/cve/CVE-2020-36183 https://access.redhat.com/security/cve/CVE-2020-36184 https://access.redhat.com/security/cve/CVE-2020-36185 https://access.redhat.com/security/cve/CVE-2020-36186 https://access.redhat.com/security/cve/CVE-2020-36187 https://access.redhat.com/security/cve/CVE-2020-36188 https://access.redhat.com/security/cve/CVE-2020-36189 https://access.redhat.com/security/cve/CVE-2021-3449 https://access.redhat.com/security/cve/CVE-2021-20190 https://access.redhat.com/security/updates/classification/#important 6. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2021 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYIfTktzjgjWX9erEAQg+8A//QGo1YBtlmSC7RqagNERfByPYx5YNGlfi 2RIAMqi0QrGUVuvnQxQUs5Zm9sLF559qyH56geUi2q4ICVr+rgAeUhLtsx6GLuJC xe9w4Gz8ozN6jIvTGKPx9lnTafIvR+ddgUPk389Eqo6PDPWlw7PHvaBlNHa8hGF7 6rUnTdED/G+JnXANJnAkvc+gW0BLeAYaOI+1wTOx1neicwfa+POqC8rCzYl8ESjD 8NlVG3+wu0pZK9zRTBg67TcPi+bsdyh4R6w4Uxg0w1vJkN6IdUHd+CDhqJzNDpNe pDHqPm5zAwe4iTDrV1+FJQYpx6iy9oeSPiAD/+L/JRGZ51ij5eLHpxbeL8SzpcH6 JtOpYrxVktvihnVydP1ALYlQpQvAUkmY3EcE7flNujebJNlG1MFwctaxHtDarXTL 2m4mlI4ccX2kHPYt/t0GYchRf2e7kA6Ph12SpV3tNC3zCn9JGZva4OXpyyQmvmHi 9PMifX/XTU5k4k6xXZE5ljo0YOnnKlM/4mDGBxGFiNGcsQSZhnhCALI1W6U6oGK0 uef8BrOrEFx9UHENIEqoRYp2T7d6EO3oA/mTfl3H8Ddi1qyg/U1mwJw2aE5hOTVO xkXaBb1nCb2SxcW6kMbcCeSJX9qSclcNetQI9/HrF3lxC/eCpNk5B4F6Q2AztXbL zm97KOYD3LQ= =CKcx -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce . JIRA issues fixed (https://issues.jboss.org/): LOG-1224 - Release 5.0 - ClusterLogForwarder namespace-specific log forwarding does not work as expected LOG-1232 - 5.0 - Bug 1859004 - Sometimes the eventrouter couldn't gather event logs. LOG-1234 - CVE-2020-15586 CVE-2020-16845 openshift-eventrouter: various flaws [openshift-4] LOG-1299 - Release 5.0 Forwarding logs to Kafka using Chained certificates fails with error "state=error: certificate verify failed (unable to get local issuer certificate)" 5

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource. FasterXML jackson-databind There is a vulnerability in deserialization of untrusted data.Information is obtained, information is tampered with, and service is disrupted (DoS) It may be put into a state. Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements. FasterXML jackson-databind is a library based on JAVA that can convert data formats such as XML and JSON to JAVA objects. Jackson can easily convert Java objects into json objects and xml documents, as well as convert json and xml into Java objects. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Important: OpenShift Container Platform 4.6.26 security and extras update Advisory ID: RHSA-2021:1230-01 Product: Red Hat OpenShift Enterprise Advisory URL: https://access.redhat.com/errata/RHSA-2021:1230 Issue date: 2021-04-27 CVE Names: CVE-2018-14718 CVE-2018-14719 CVE-2018-14720 CVE-2018-14721 CVE-2018-19360 CVE-2018-19361 CVE-2018-19362 CVE-2019-14379 CVE-2020-24750 CVE-2020-35490 CVE-2020-35491 CVE-2020-35728 CVE-2020-36179 CVE-2020-36180 CVE-2020-36181 CVE-2020-36182 CVE-2020-36183 CVE-2020-36184 CVE-2020-36185 CVE-2020-36186 CVE-2020-36187 CVE-2020-36188 CVE-2020-36189 CVE-2021-3449 CVE-2021-20190 ===================================================================== 1. Summary: Red Hat OpenShift Container Platform release 4.6.26 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. 3. Solution: This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.6.26. See the following advisory for the container images for this release: https://access.redhat.com/errata/RHBA-2021:1232 All OpenShift Container Platform 4.6 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift Console or the CLI oc command. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.6/updating/updating-cluster - -between-minor.html#understanding-upgrade-channels_updating-cluster-between - -minor For OpenShift Container Platform 4.6 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update: https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-rel ease-notes.html Details on how to access this content are available at https://docs.openshift.com/container-platform/4.6/updating/updating-cluster - -cli.html 4. Bugs fixed (https://bugzilla.redhat.com/): 1666415 - CVE-2018-14718 jackson-databind: arbitrary code execution in slf4j-ext class 1666418 - CVE-2018-14719 jackson-databind: arbitrary code execution in blaze-ds-opt and blaze-ds-core classes 1666423 - CVE-2018-14720 jackson-databind: exfiltration/XXE in some JDK classes 1666428 - CVE-2018-14721 jackson-databind: server-side request forgery (SSRF) in axis2-jaxws class 1666482 - CVE-2018-19360 jackson-databind: improper polymorphic deserialization in axis2-transport-jms class 1666484 - CVE-2018-19361 jackson-databind: improper polymorphic deserialization in openjpa class 1666489 - CVE-2018-19362 jackson-databind: improper polymorphic deserialization in jboss-common-core class 1737517 - CVE-2019-14379 jackson-databind: default typing mishandling leading to remote code execution 1859004 - Sometimes the eventrouter couldn't gather event logs. References: https://access.redhat.com/security/cve/CVE-2018-14718 https://access.redhat.com/security/cve/CVE-2018-14719 https://access.redhat.com/security/cve/CVE-2018-14720 https://access.redhat.com/security/cve/CVE-2018-14721 https://access.redhat.com/security/cve/CVE-2018-19360 https://access.redhat.com/security/cve/CVE-2018-19361 https://access.redhat.com/security/cve/CVE-2018-19362 https://access.redhat.com/security/cve/CVE-2019-14379 https://access.redhat.com/security/cve/CVE-2020-24750 https://access.redhat.com/security/cve/CVE-2020-35490 https://access.redhat.com/security/cve/CVE-2020-35491 https://access.redhat.com/security/cve/CVE-2020-35728 https://access.redhat.com/security/cve/CVE-2020-36179 https://access.redhat.com/security/cve/CVE-2020-36180 https://access.redhat.com/security/cve/CVE-2020-36181 https://access.redhat.com/security/cve/CVE-2020-36182 https://access.redhat.com/security/cve/CVE-2020-36183 https://access.redhat.com/security/cve/CVE-2020-36184 https://access.redhat.com/security/cve/CVE-2020-36185 https://access.redhat.com/security/cve/CVE-2020-36186 https://access.redhat.com/security/cve/CVE-2020-36187 https://access.redhat.com/security/cve/CVE-2020-36188 https://access.redhat.com/security/cve/CVE-2020-36189 https://access.redhat.com/security/cve/CVE-2021-3449 https://access.redhat.com/security/cve/CVE-2021-20190 https://access.redhat.com/security/updates/classification/#important 6. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2021 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYIfTktzjgjWX9erEAQg+8A//QGo1YBtlmSC7RqagNERfByPYx5YNGlfi 2RIAMqi0QrGUVuvnQxQUs5Zm9sLF559qyH56geUi2q4ICVr+rgAeUhLtsx6GLuJC xe9w4Gz8ozN6jIvTGKPx9lnTafIvR+ddgUPk389Eqo6PDPWlw7PHvaBlNHa8hGF7 6rUnTdED/G+JnXANJnAkvc+gW0BLeAYaOI+1wTOx1neicwfa+POqC8rCzYl8ESjD 8NlVG3+wu0pZK9zRTBg67TcPi+bsdyh4R6w4Uxg0w1vJkN6IdUHd+CDhqJzNDpNe pDHqPm5zAwe4iTDrV1+FJQYpx6iy9oeSPiAD/+L/JRGZ51ij5eLHpxbeL8SzpcH6 JtOpYrxVktvihnVydP1ALYlQpQvAUkmY3EcE7flNujebJNlG1MFwctaxHtDarXTL 2m4mlI4ccX2kHPYt/t0GYchRf2e7kA6Ph12SpV3tNC3zCn9JGZva4OXpyyQmvmHi 9PMifX/XTU5k4k6xXZE5ljo0YOnnKlM/4mDGBxGFiNGcsQSZhnhCALI1W6U6oGK0 uef8BrOrEFx9UHENIEqoRYp2T7d6EO3oA/mTfl3H8Ddi1qyg/U1mwJw2aE5hOTVO xkXaBb1nCb2SxcW6kMbcCeSJX9qSclcNetQI9/HrF3lxC/eCpNk5B4F6Q2AztXbL zm97KOYD3LQ= =CKcx -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce . JIRA issues fixed (https://issues.jboss.org/): LOG-1224 - Release 5.0 - ClusterLogForwarder namespace-specific log forwarding does not work as expected LOG-1232 - 5.0 - Bug 1859004 - Sometimes the eventrouter couldn't gather event logs. LOG-1234 - CVE-2020-15586 CVE-2020-16845 openshift-eventrouter: various flaws [openshift-4] LOG-1299 - Release 5.0 Forwarding logs to Kafka using Chained certificates fails with error "state=error: certificate verify failed (unable to get local issuer certificate)" 5

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource. FasterXML jackson-databind There is a vulnerability in deserialization of untrusted data.Information is obtained, information is tampered with, and service is disrupted (DoS) It may be put into a state. Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements. FasterXML jackson-databind is a library based on JAVA that can convert data formats such as XML and JSON to JAVA objects. Jackson can easily convert Java objects into json objects and xml documents, as well as convert json and xml into Java objects. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Important: OpenShift Container Platform 4.6.26 security and extras update Advisory ID: RHSA-2021:1230-01 Product: Red Hat OpenShift Enterprise Advisory URL: https://access.redhat.com/errata/RHSA-2021:1230 Issue date: 2021-04-27 CVE Names: CVE-2018-14718 CVE-2018-14719 CVE-2018-14720 CVE-2018-14721 CVE-2018-19360 CVE-2018-19361 CVE-2018-19362 CVE-2019-14379 CVE-2020-24750 CVE-2020-35490 CVE-2020-35491 CVE-2020-35728 CVE-2020-36179 CVE-2020-36180 CVE-2020-36181 CVE-2020-36182 CVE-2020-36183 CVE-2020-36184 CVE-2020-36185 CVE-2020-36186 CVE-2020-36187 CVE-2020-36188 CVE-2020-36189 CVE-2021-3449 CVE-2021-20190 ===================================================================== 1. Summary: Red Hat OpenShift Container Platform release 4.6.26 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. 3. Solution: This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.6.26. See the following advisory for the container images for this release: https://access.redhat.com/errata/RHBA-2021:1232 All OpenShift Container Platform 4.6 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift Console or the CLI oc command. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.6/updating/updating-cluster - -between-minor.html#understanding-upgrade-channels_updating-cluster-between - -minor For OpenShift Container Platform 4.6 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update: https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-rel ease-notes.html Details on how to access this content are available at https://docs.openshift.com/container-platform/4.6/updating/updating-cluster - -cli.html 4. Bugs fixed (https://bugzilla.redhat.com/): 1666415 - CVE-2018-14718 jackson-databind: arbitrary code execution in slf4j-ext class 1666418 - CVE-2018-14719 jackson-databind: arbitrary code execution in blaze-ds-opt and blaze-ds-core classes 1666423 - CVE-2018-14720 jackson-databind: exfiltration/XXE in some JDK classes 1666428 - CVE-2018-14721 jackson-databind: server-side request forgery (SSRF) in axis2-jaxws class 1666482 - CVE-2018-19360 jackson-databind: improper polymorphic deserialization in axis2-transport-jms class 1666484 - CVE-2018-19361 jackson-databind: improper polymorphic deserialization in openjpa class 1666489 - CVE-2018-19362 jackson-databind: improper polymorphic deserialization in jboss-common-core class 1737517 - CVE-2019-14379 jackson-databind: default typing mishandling leading to remote code execution 1859004 - Sometimes the eventrouter couldn't gather event logs. References: https://access.redhat.com/security/cve/CVE-2018-14718 https://access.redhat.com/security/cve/CVE-2018-14719 https://access.redhat.com/security/cve/CVE-2018-14720 https://access.redhat.com/security/cve/CVE-2018-14721 https://access.redhat.com/security/cve/CVE-2018-19360 https://access.redhat.com/security/cve/CVE-2018-19361 https://access.redhat.com/security/cve/CVE-2018-19362 https://access.redhat.com/security/cve/CVE-2019-14379 https://access.redhat.com/security/cve/CVE-2020-24750 https://access.redhat.com/security/cve/CVE-2020-35490 https://access.redhat.com/security/cve/CVE-2020-35491 https://access.redhat.com/security/cve/CVE-2020-35728 https://access.redhat.com/security/cve/CVE-2020-36179 https://access.redhat.com/security/cve/CVE-2020-36180 https://access.redhat.com/security/cve/CVE-2020-36181 https://access.redhat.com/security/cve/CVE-2020-36182 https://access.redhat.com/security/cve/CVE-2020-36183 https://access.redhat.com/security/cve/CVE-2020-36184 https://access.redhat.com/security/cve/CVE-2020-36185 https://access.redhat.com/security/cve/CVE-2020-36186 https://access.redhat.com/security/cve/CVE-2020-36187 https://access.redhat.com/security/cve/CVE-2020-36188 https://access.redhat.com/security/cve/CVE-2020-36189 https://access.redhat.com/security/cve/CVE-2021-3449 https://access.redhat.com/security/cve/CVE-2021-20190 https://access.redhat.com/security/updates/classification/#important 6. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2021 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYIfTktzjgjWX9erEAQg+8A//QGo1YBtlmSC7RqagNERfByPYx5YNGlfi 2RIAMqi0QrGUVuvnQxQUs5Zm9sLF559qyH56geUi2q4ICVr+rgAeUhLtsx6GLuJC xe9w4Gz8ozN6jIvTGKPx9lnTafIvR+ddgUPk389Eqo6PDPWlw7PHvaBlNHa8hGF7 6rUnTdED/G+JnXANJnAkvc+gW0BLeAYaOI+1wTOx1neicwfa+POqC8rCzYl8ESjD 8NlVG3+wu0pZK9zRTBg67TcPi+bsdyh4R6w4Uxg0w1vJkN6IdUHd+CDhqJzNDpNe pDHqPm5zAwe4iTDrV1+FJQYpx6iy9oeSPiAD/+L/JRGZ51ij5eLHpxbeL8SzpcH6 JtOpYrxVktvihnVydP1ALYlQpQvAUkmY3EcE7flNujebJNlG1MFwctaxHtDarXTL 2m4mlI4ccX2kHPYt/t0GYchRf2e7kA6Ph12SpV3tNC3zCn9JGZva4OXpyyQmvmHi 9PMifX/XTU5k4k6xXZE5ljo0YOnnKlM/4mDGBxGFiNGcsQSZhnhCALI1W6U6oGK0 uef8BrOrEFx9UHENIEqoRYp2T7d6EO3oA/mTfl3H8Ddi1qyg/U1mwJw2aE5hOTVO xkXaBb1nCb2SxcW6kMbcCeSJX9qSclcNetQI9/HrF3lxC/eCpNk5B4F6Q2AztXbL zm97KOYD3LQ= =CKcx -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce . JIRA issues fixed (https://issues.jboss.org/): LOG-1224 - Release 5.0 - ClusterLogForwarder namespace-specific log forwarding does not work as expected LOG-1232 - 5.0 - Bug 1859004 - Sometimes the eventrouter couldn't gather event logs. LOG-1234 - CVE-2020-15586 CVE-2020-16845 openshift-eventrouter: various flaws [openshift-4] LOG-1299 - Release 5.0 Forwarding logs to Kafka using Chained certificates fails with error "state=error: certificate verify failed (unable to get local issuer certificate)" 5

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource. FasterXML jackson-databind There is a vulnerability in deserialization of untrusted data.Information is obtained, information is tampered with, and service is disrupted (DoS) It may be put into a state. Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements. FasterXML jackson-databind is a library based on JAVA that can convert data formats such as XML and JSON to JAVA objects. Jackson can easily convert Java objects into json objects and xml documents, as well as convert json and xml into Java objects. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Important: OpenShift Container Platform 4.6.26 security and extras update Advisory ID: RHSA-2021:1230-01 Product: Red Hat OpenShift Enterprise Advisory URL: https://access.redhat.com/errata/RHSA-2021:1230 Issue date: 2021-04-27 CVE Names: CVE-2018-14718 CVE-2018-14719 CVE-2018-14720 CVE-2018-14721 CVE-2018-19360 CVE-2018-19361 CVE-2018-19362 CVE-2019-14379 CVE-2020-24750 CVE-2020-35490 CVE-2020-35491 CVE-2020-35728 CVE-2020-36179 CVE-2020-36180 CVE-2020-36181 CVE-2020-36182 CVE-2020-36183 CVE-2020-36184 CVE-2020-36185 CVE-2020-36186 CVE-2020-36187 CVE-2020-36188 CVE-2020-36189 CVE-2021-3449 CVE-2021-20190 ===================================================================== 1. Summary: Red Hat OpenShift Container Platform release 4.6.26 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. 3. Solution: This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.6.26. See the following advisory for the container images for this release: https://access.redhat.com/errata/RHBA-2021:1232 All OpenShift Container Platform 4.6 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift Console or the CLI oc command. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.6/updating/updating-cluster - -between-minor.html#understanding-upgrade-channels_updating-cluster-between - -minor For OpenShift Container Platform 4.6 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update: https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-rel ease-notes.html Details on how to access this content are available at https://docs.openshift.com/container-platform/4.6/updating/updating-cluster - -cli.html 4. Bugs fixed (https://bugzilla.redhat.com/): 1666415 - CVE-2018-14718 jackson-databind: arbitrary code execution in slf4j-ext class 1666418 - CVE-2018-14719 jackson-databind: arbitrary code execution in blaze-ds-opt and blaze-ds-core classes 1666423 - CVE-2018-14720 jackson-databind: exfiltration/XXE in some JDK classes 1666428 - CVE-2018-14721 jackson-databind: server-side request forgery (SSRF) in axis2-jaxws class 1666482 - CVE-2018-19360 jackson-databind: improper polymorphic deserialization in axis2-transport-jms class 1666484 - CVE-2018-19361 jackson-databind: improper polymorphic deserialization in openjpa class 1666489 - CVE-2018-19362 jackson-databind: improper polymorphic deserialization in jboss-common-core class 1737517 - CVE-2019-14379 jackson-databind: default typing mishandling leading to remote code execution 1859004 - Sometimes the eventrouter couldn't gather event logs. References: https://access.redhat.com/security/cve/CVE-2018-14718 https://access.redhat.com/security/cve/CVE-2018-14719 https://access.redhat.com/security/cve/CVE-2018-14720 https://access.redhat.com/security/cve/CVE-2018-14721 https://access.redhat.com/security/cve/CVE-2018-19360 https://access.redhat.com/security/cve/CVE-2018-19361 https://access.redhat.com/security/cve/CVE-2018-19362 https://access.redhat.com/security/cve/CVE-2019-14379 https://access.redhat.com/security/cve/CVE-2020-24750 https://access.redhat.com/security/cve/CVE-2020-35490 https://access.redhat.com/security/cve/CVE-2020-35491 https://access.redhat.com/security/cve/CVE-2020-35728 https://access.redhat.com/security/cve/CVE-2020-36179 https://access.redhat.com/security/cve/CVE-2020-36180 https://access.redhat.com/security/cve/CVE-2020-36181 https://access.redhat.com/security/cve/CVE-2020-36182 https://access.redhat.com/security/cve/CVE-2020-36183 https://access.redhat.com/security/cve/CVE-2020-36184 https://access.redhat.com/security/cve/CVE-2020-36185 https://access.redhat.com/security/cve/CVE-2020-36186 https://access.redhat.com/security/cve/CVE-2020-36187 https://access.redhat.com/security/cve/CVE-2020-36188 https://access.redhat.com/security/cve/CVE-2020-36189 https://access.redhat.com/security/cve/CVE-2021-3449 https://access.redhat.com/security/cve/CVE-2021-20190 https://access.redhat.com/security/updates/classification/#important 6. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2021 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYIfTktzjgjWX9erEAQg+8A//QGo1YBtlmSC7RqagNERfByPYx5YNGlfi 2RIAMqi0QrGUVuvnQxQUs5Zm9sLF559qyH56geUi2q4ICVr+rgAeUhLtsx6GLuJC xe9w4Gz8ozN6jIvTGKPx9lnTafIvR+ddgUPk389Eqo6PDPWlw7PHvaBlNHa8hGF7 6rUnTdED/G+JnXANJnAkvc+gW0BLeAYaOI+1wTOx1neicwfa+POqC8rCzYl8ESjD 8NlVG3+wu0pZK9zRTBg67TcPi+bsdyh4R6w4Uxg0w1vJkN6IdUHd+CDhqJzNDpNe pDHqPm5zAwe4iTDrV1+FJQYpx6iy9oeSPiAD/+L/JRGZ51ij5eLHpxbeL8SzpcH6 JtOpYrxVktvihnVydP1ALYlQpQvAUkmY3EcE7flNujebJNlG1MFwctaxHtDarXTL 2m4mlI4ccX2kHPYt/t0GYchRf2e7kA6Ph12SpV3tNC3zCn9JGZva4OXpyyQmvmHi 9PMifX/XTU5k4k6xXZE5ljo0YOnnKlM/4mDGBxGFiNGcsQSZhnhCALI1W6U6oGK0 uef8BrOrEFx9UHENIEqoRYp2T7d6EO3oA/mTfl3H8Ddi1qyg/U1mwJw2aE5hOTVO xkXaBb1nCb2SxcW6kMbcCeSJX9qSclcNetQI9/HrF3lxC/eCpNk5B4F6Q2AztXbL zm97KOYD3LQ= =CKcx -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce . JIRA issues fixed (https://issues.jboss.org/): LOG-1224 - Release 5.0 - ClusterLogForwarder namespace-specific log forwarding does not work as expected LOG-1232 - 5.0 - Bug 1859004 - Sometimes the eventrouter couldn't gather event logs. LOG-1234 - CVE-2020-15586 CVE-2020-16845 openshift-eventrouter: various flaws [openshift-4] LOG-1299 - Release 5.0 Forwarding logs to Kafka using Chained certificates fails with error "state=error: certificate verify failed (unable to get local issuer certificate)" 5

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS. FasterXML jackson-databind There is a vulnerability in deserialization of untrusted data.Information is obtained, information is tampered with, and service is disrupted (DoS) It may be put into a state. Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements. FasterXML jackson-databind is a library based on JAVA that can convert data formats such as XML and JSON to JAVA objects. Jackson can easily convert Java objects into json objects and xml documents, as well as convert json and xml into Java objects. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Important: OpenShift Container Platform 4.6.26 security and extras update Advisory ID: RHSA-2021:1230-01 Product: Red Hat OpenShift Enterprise Advisory URL: https://access.redhat.com/errata/RHSA-2021:1230 Issue date: 2021-04-27 CVE Names: CVE-2018-14718 CVE-2018-14719 CVE-2018-14720 CVE-2018-14721 CVE-2018-19360 CVE-2018-19361 CVE-2018-19362 CVE-2019-14379 CVE-2020-24750 CVE-2020-35490 CVE-2020-35491 CVE-2020-35728 CVE-2020-36179 CVE-2020-36180 CVE-2020-36181 CVE-2020-36182 CVE-2020-36183 CVE-2020-36184 CVE-2020-36185 CVE-2020-36186 CVE-2020-36187 CVE-2020-36188 CVE-2020-36189 CVE-2021-3449 CVE-2021-20190 ===================================================================== 1. Summary: Red Hat OpenShift Container Platform release 4.6.26 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. 3. Solution: This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.6.26. See the following advisory for the container images for this release: https://access.redhat.com/errata/RHBA-2021:1232 All OpenShift Container Platform 4.6 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift Console or the CLI oc command. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.6/updating/updating-cluster - -between-minor.html#understanding-upgrade-channels_updating-cluster-between - -minor For OpenShift Container Platform 4.6 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update: https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-rel ease-notes.html Details on how to access this content are available at https://docs.openshift.com/container-platform/4.6/updating/updating-cluster - -cli.html 4. Bugs fixed (https://bugzilla.redhat.com/): 1666415 - CVE-2018-14718 jackson-databind: arbitrary code execution in slf4j-ext class 1666418 - CVE-2018-14719 jackson-databind: arbitrary code execution in blaze-ds-opt and blaze-ds-core classes 1666423 - CVE-2018-14720 jackson-databind: exfiltration/XXE in some JDK classes 1666428 - CVE-2018-14721 jackson-databind: server-side request forgery (SSRF) in axis2-jaxws class 1666482 - CVE-2018-19360 jackson-databind: improper polymorphic deserialization in axis2-transport-jms class 1666484 - CVE-2018-19361 jackson-databind: improper polymorphic deserialization in openjpa class 1666489 - CVE-2018-19362 jackson-databind: improper polymorphic deserialization in jboss-common-core class 1737517 - CVE-2019-14379 jackson-databind: default typing mishandling leading to remote code execution 1859004 - Sometimes the eventrouter couldn't gather event logs. References: https://access.redhat.com/security/cve/CVE-2018-14718 https://access.redhat.com/security/cve/CVE-2018-14719 https://access.redhat.com/security/cve/CVE-2018-14720 https://access.redhat.com/security/cve/CVE-2018-14721 https://access.redhat.com/security/cve/CVE-2018-19360 https://access.redhat.com/security/cve/CVE-2018-19361 https://access.redhat.com/security/cve/CVE-2018-19362 https://access.redhat.com/security/cve/CVE-2019-14379 https://access.redhat.com/security/cve/CVE-2020-24750 https://access.redhat.com/security/cve/CVE-2020-35490 https://access.redhat.com/security/cve/CVE-2020-35491 https://access.redhat.com/security/cve/CVE-2020-35728 https://access.redhat.com/security/cve/CVE-2020-36179 https://access.redhat.com/security/cve/CVE-2020-36180 https://access.redhat.com/security/cve/CVE-2020-36181 https://access.redhat.com/security/cve/CVE-2020-36182 https://access.redhat.com/security/cve/CVE-2020-36183 https://access.redhat.com/security/cve/CVE-2020-36184 https://access.redhat.com/security/cve/CVE-2020-36185 https://access.redhat.com/security/cve/CVE-2020-36186 https://access.redhat.com/security/cve/CVE-2020-36187 https://access.redhat.com/security/cve/CVE-2020-36188 https://access.redhat.com/security/cve/CVE-2020-36189 https://access.redhat.com/security/cve/CVE-2021-3449 https://access.redhat.com/security/cve/CVE-2021-20190 https://access.redhat.com/security/updates/classification/#important 6. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2021 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYIfTktzjgjWX9erEAQg+8A//QGo1YBtlmSC7RqagNERfByPYx5YNGlfi 2RIAMqi0QrGUVuvnQxQUs5Zm9sLF559qyH56geUi2q4ICVr+rgAeUhLtsx6GLuJC xe9w4Gz8ozN6jIvTGKPx9lnTafIvR+ddgUPk389Eqo6PDPWlw7PHvaBlNHa8hGF7 6rUnTdED/G+JnXANJnAkvc+gW0BLeAYaOI+1wTOx1neicwfa+POqC8rCzYl8ESjD 8NlVG3+wu0pZK9zRTBg67TcPi+bsdyh4R6w4Uxg0w1vJkN6IdUHd+CDhqJzNDpNe pDHqPm5zAwe4iTDrV1+FJQYpx6iy9oeSPiAD/+L/JRGZ51ij5eLHpxbeL8SzpcH6 JtOpYrxVktvihnVydP1ALYlQpQvAUkmY3EcE7flNujebJNlG1MFwctaxHtDarXTL 2m4mlI4ccX2kHPYt/t0GYchRf2e7kA6Ph12SpV3tNC3zCn9JGZva4OXpyyQmvmHi 9PMifX/XTU5k4k6xXZE5ljo0YOnnKlM/4mDGBxGFiNGcsQSZhnhCALI1W6U6oGK0 uef8BrOrEFx9UHENIEqoRYp2T7d6EO3oA/mTfl3H8Ddi1qyg/U1mwJw2aE5hOTVO xkXaBb1nCb2SxcW6kMbcCeSJX9qSclcNetQI9/HrF3lxC/eCpNk5B4F6Q2AztXbL zm97KOYD3LQ= =CKcx -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce . JIRA issues fixed (https://issues.jboss.org/): LOG-1224 - Release 5.0 - ClusterLogForwarder namespace-specific log forwarding does not work as expected LOG-1232 - 5.0 - Bug 1859004 - Sometimes the eventrouter couldn't gather event logs. LOG-1234 - CVE-2020-15586 CVE-2020-16845 openshift-eventrouter: various flaws [openshift-4] LOG-1299 - Release 5.0 Forwarding logs to Kafka using Chained certificates fails with error "state=error: certificate verify failed (unable to get local issuer certificate)" 5

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS. FasterXML jackson-databind There is a vulnerability in deserialization of untrusted data.Information is obtained, information is tampered with, and service is disrupted (DoS) It may be put into a state. Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements. FasterXML jackson-databind is a library based on JAVA that can convert data formats such as XML and JSON to JAVA objects. Jackson can easily convert Java objects into json objects and xml documents, as well as convert json and xml into Java objects. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Important: OpenShift Container Platform 4.6.26 security and extras update Advisory ID: RHSA-2021:1230-01 Product: Red Hat OpenShift Enterprise Advisory URL: https://access.redhat.com/errata/RHSA-2021:1230 Issue date: 2021-04-27 CVE Names: CVE-2018-14718 CVE-2018-14719 CVE-2018-14720 CVE-2018-14721 CVE-2018-19360 CVE-2018-19361 CVE-2018-19362 CVE-2019-14379 CVE-2020-24750 CVE-2020-35490 CVE-2020-35491 CVE-2020-35728 CVE-2020-36179 CVE-2020-36180 CVE-2020-36181 CVE-2020-36182 CVE-2020-36183 CVE-2020-36184 CVE-2020-36185 CVE-2020-36186 CVE-2020-36187 CVE-2020-36188 CVE-2020-36189 CVE-2021-3449 CVE-2021-20190 ===================================================================== 1. Summary: Red Hat OpenShift Container Platform release 4.6.26 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. 3. Solution: This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.6.26. See the following advisory for the container images for this release: https://access.redhat.com/errata/RHBA-2021:1232 All OpenShift Container Platform 4.6 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift Console or the CLI oc command. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.6/updating/updating-cluster - -between-minor.html#understanding-upgrade-channels_updating-cluster-between - -minor For OpenShift Container Platform 4.6 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update: https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-rel ease-notes.html Details on how to access this content are available at https://docs.openshift.com/container-platform/4.6/updating/updating-cluster - -cli.html 4. Bugs fixed (https://bugzilla.redhat.com/): 1666415 - CVE-2018-14718 jackson-databind: arbitrary code execution in slf4j-ext class 1666418 - CVE-2018-14719 jackson-databind: arbitrary code execution in blaze-ds-opt and blaze-ds-core classes 1666423 - CVE-2018-14720 jackson-databind: exfiltration/XXE in some JDK classes 1666428 - CVE-2018-14721 jackson-databind: server-side request forgery (SSRF) in axis2-jaxws class 1666482 - CVE-2018-19360 jackson-databind: improper polymorphic deserialization in axis2-transport-jms class 1666484 - CVE-2018-19361 jackson-databind: improper polymorphic deserialization in openjpa class 1666489 - CVE-2018-19362 jackson-databind: improper polymorphic deserialization in jboss-common-core class 1737517 - CVE-2019-14379 jackson-databind: default typing mishandling leading to remote code execution 1859004 - Sometimes the eventrouter couldn't gather event logs. References: https://access.redhat.com/security/cve/CVE-2018-14718 https://access.redhat.com/security/cve/CVE-2018-14719 https://access.redhat.com/security/cve/CVE-2018-14720 https://access.redhat.com/security/cve/CVE-2018-14721 https://access.redhat.com/security/cve/CVE-2018-19360 https://access.redhat.com/security/cve/CVE-2018-19361 https://access.redhat.com/security/cve/CVE-2018-19362 https://access.redhat.com/security/cve/CVE-2019-14379 https://access.redhat.com/security/cve/CVE-2020-24750 https://access.redhat.com/security/cve/CVE-2020-35490 https://access.redhat.com/security/cve/CVE-2020-35491 https://access.redhat.com/security/cve/CVE-2020-35728 https://access.redhat.com/security/cve/CVE-2020-36179 https://access.redhat.com/security/cve/CVE-2020-36180 https://access.redhat.com/security/cve/CVE-2020-36181 https://access.redhat.com/security/cve/CVE-2020-36182 https://access.redhat.com/security/cve/CVE-2020-36183 https://access.redhat.com/security/cve/CVE-2020-36184 https://access.redhat.com/security/cve/CVE-2020-36185 https://access.redhat.com/security/cve/CVE-2020-36186 https://access.redhat.com/security/cve/CVE-2020-36187 https://access.redhat.com/security/cve/CVE-2020-36188 https://access.redhat.com/security/cve/CVE-2020-36189 https://access.redhat.com/security/cve/CVE-2021-3449 https://access.redhat.com/security/cve/CVE-2021-20190 https://access.redhat.com/security/updates/classification/#important 6. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2021 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYIfTktzjgjWX9erEAQg+8A//QGo1YBtlmSC7RqagNERfByPYx5YNGlfi 2RIAMqi0QrGUVuvnQxQUs5Zm9sLF559qyH56geUi2q4ICVr+rgAeUhLtsx6GLuJC xe9w4Gz8ozN6jIvTGKPx9lnTafIvR+ddgUPk389Eqo6PDPWlw7PHvaBlNHa8hGF7 6rUnTdED/G+JnXANJnAkvc+gW0BLeAYaOI+1wTOx1neicwfa+POqC8rCzYl8ESjD 8NlVG3+wu0pZK9zRTBg67TcPi+bsdyh4R6w4Uxg0w1vJkN6IdUHd+CDhqJzNDpNe pDHqPm5zAwe4iTDrV1+FJQYpx6iy9oeSPiAD/+L/JRGZ51ij5eLHpxbeL8SzpcH6 JtOpYrxVktvihnVydP1ALYlQpQvAUkmY3EcE7flNujebJNlG1MFwctaxHtDarXTL 2m4mlI4ccX2kHPYt/t0GYchRf2e7kA6Ph12SpV3tNC3zCn9JGZva4OXpyyQmvmHi 9PMifX/XTU5k4k6xXZE5ljo0YOnnKlM/4mDGBxGFiNGcsQSZhnhCALI1W6U6oGK0 uef8BrOrEFx9UHENIEqoRYp2T7d6EO3oA/mTfl3H8Ddi1qyg/U1mwJw2aE5hOTVO xkXaBb1nCb2SxcW6kMbcCeSJX9qSclcNetQI9/HrF3lxC/eCpNk5B4F6Q2AztXbL zm97KOYD3LQ= =CKcx -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce . JIRA issues fixed (https://issues.jboss.org/): LOG-1224 - Release 5.0 - ClusterLogForwarder namespace-specific log forwarding does not work as expected LOG-1232 - 5.0 - Bug 1859004 - Sometimes the eventrouter couldn't gather event logs. LOG-1234 - CVE-2020-15586 CVE-2020-16845 openshift-eventrouter: various flaws [openshift-4] LOG-1299 - Release 5.0 Forwarding logs to Kafka using Chained certificates fails with error "state=error: certificate verify failed (unable to get local issuer certificate)" 5

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool. FasterXML jackson-databind There is a vulnerability in deserialization of untrusted data.Information is obtained, information is tampered with, and service is disrupted (DoS) It may be put into a state. Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements. FasterXML jackson-databind is a library based on JAVA that can convert data formats such as XML and JSON to JAVA objects. Jackson can easily convert Java objects into json objects and xml documents, as well as convert json and xml into Java objects. A code issue vulnerability exists in FasterXML jackson-databind versions 2.x through 2.9.10.8 due to the software's failure to handle interactions with org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Important: OpenShift Container Platform 4.6.26 security and extras update Advisory ID: RHSA-2021:1230-01 Product: Red Hat OpenShift Enterprise Advisory URL: https://access.redhat.com/errata/RHSA-2021:1230 Issue date: 2021-04-27 CVE Names: CVE-2018-14718 CVE-2018-14719 CVE-2018-14720 CVE-2018-14721 CVE-2018-19360 CVE-2018-19361 CVE-2018-19362 CVE-2019-14379 CVE-2020-24750 CVE-2020-35490 CVE-2020-35491 CVE-2020-35728 CVE-2020-36179 CVE-2020-36180 CVE-2020-36181 CVE-2020-36182 CVE-2020-36183 CVE-2020-36184 CVE-2020-36185 CVE-2020-36186 CVE-2020-36187 CVE-2020-36188 CVE-2020-36189 CVE-2021-3449 CVE-2021-20190 ===================================================================== 1. Summary: Red Hat OpenShift Container Platform release 4.6.26 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. 3. Solution: This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.6.26. See the following advisory for the container images for this release: https://access.redhat.com/errata/RHBA-2021:1232 All OpenShift Container Platform 4.6 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift Console or the CLI oc command. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.6/updating/updating-cluster - -between-minor.html#understanding-upgrade-channels_updating-cluster-between - -minor For OpenShift Container Platform 4.6 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update: https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-rel ease-notes.html Details on how to access this content are available at https://docs.openshift.com/container-platform/4.6/updating/updating-cluster - -cli.html 4. Bugs fixed (https://bugzilla.redhat.com/): 1666415 - CVE-2018-14718 jackson-databind: arbitrary code execution in slf4j-ext class 1666418 - CVE-2018-14719 jackson-databind: arbitrary code execution in blaze-ds-opt and blaze-ds-core classes 1666423 - CVE-2018-14720 jackson-databind: exfiltration/XXE in some JDK classes 1666428 - CVE-2018-14721 jackson-databind: server-side request forgery (SSRF) in axis2-jaxws class 1666482 - CVE-2018-19360 jackson-databind: improper polymorphic deserialization in axis2-transport-jms class 1666484 - CVE-2018-19361 jackson-databind: improper polymorphic deserialization in openjpa class 1666489 - CVE-2018-19362 jackson-databind: improper polymorphic deserialization in jboss-common-core class 1737517 - CVE-2019-14379 jackson-databind: default typing mishandling leading to remote code execution 1859004 - Sometimes the eventrouter couldn't gather event logs. References: https://access.redhat.com/security/cve/CVE-2018-14718 https://access.redhat.com/security/cve/CVE-2018-14719 https://access.redhat.com/security/cve/CVE-2018-14720 https://access.redhat.com/security/cve/CVE-2018-14721 https://access.redhat.com/security/cve/CVE-2018-19360 https://access.redhat.com/security/cve/CVE-2018-19361 https://access.redhat.com/security/cve/CVE-2018-19362 https://access.redhat.com/security/cve/CVE-2019-14379 https://access.redhat.com/security/cve/CVE-2020-24750 https://access.redhat.com/security/cve/CVE-2020-35490 https://access.redhat.com/security/cve/CVE-2020-35491 https://access.redhat.com/security/cve/CVE-2020-35728 https://access.redhat.com/security/cve/CVE-2020-36179 https://access.redhat.com/security/cve/CVE-2020-36180 https://access.redhat.com/security/cve/CVE-2020-36181 https://access.redhat.com/security/cve/CVE-2020-36182 https://access.redhat.com/security/cve/CVE-2020-36183 https://access.redhat.com/security/cve/CVE-2020-36184 https://access.redhat.com/security/cve/CVE-2020-36185 https://access.redhat.com/security/cve/CVE-2020-36186 https://access.redhat.com/security/cve/CVE-2020-36187 https://access.redhat.com/security/cve/CVE-2020-36188 https://access.redhat.com/security/cve/CVE-2020-36189 https://access.redhat.com/security/cve/CVE-2021-3449 https://access.redhat.com/security/cve/CVE-2021-20190 https://access.redhat.com/security/updates/classification/#important 6. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2021 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYIfTktzjgjWX9erEAQg+8A//QGo1YBtlmSC7RqagNERfByPYx5YNGlfi 2RIAMqi0QrGUVuvnQxQUs5Zm9sLF559qyH56geUi2q4ICVr+rgAeUhLtsx6GLuJC xe9w4Gz8ozN6jIvTGKPx9lnTafIvR+ddgUPk389Eqo6PDPWlw7PHvaBlNHa8hGF7 6rUnTdED/G+JnXANJnAkvc+gW0BLeAYaOI+1wTOx1neicwfa+POqC8rCzYl8ESjD 8NlVG3+wu0pZK9zRTBg67TcPi+bsdyh4R6w4Uxg0w1vJkN6IdUHd+CDhqJzNDpNe pDHqPm5zAwe4iTDrV1+FJQYpx6iy9oeSPiAD/+L/JRGZ51ij5eLHpxbeL8SzpcH6 JtOpYrxVktvihnVydP1ALYlQpQvAUkmY3EcE7flNujebJNlG1MFwctaxHtDarXTL 2m4mlI4ccX2kHPYt/t0GYchRf2e7kA6Ph12SpV3tNC3zCn9JGZva4OXpyyQmvmHi 9PMifX/XTU5k4k6xXZE5ljo0YOnnKlM/4mDGBxGFiNGcsQSZhnhCALI1W6U6oGK0 uef8BrOrEFx9UHENIEqoRYp2T7d6EO3oA/mTfl3H8Ddi1qyg/U1mwJw2aE5hOTVO xkXaBb1nCb2SxcW6kMbcCeSJX9qSclcNetQI9/HrF3lxC/eCpNk5B4F6Q2AztXbL zm97KOYD3LQ= =CKcx -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce . JIRA issues fixed (https://issues.jboss.org/): LOG-1224 - Release 5.0 - ClusterLogForwarder namespace-specific log forwarding does not work as expected LOG-1232 - 5.0 - Bug 1859004 - Sometimes the eventrouter couldn't gather event logs. LOG-1234 - CVE-2020-15586 CVE-2020-16845 openshift-eventrouter: various flaws [openshift-4] LOG-1299 - Release 5.0 Forwarding logs to Kafka using Chained certificates fails with error "state=error: certificate verify failed (unable to get local issuer certificate)" 5

FPWIN Pro is vulnerable to an out-of-bounds read vulnerability when a user opens a maliciously crafted project file, which may allow an attacker to remotely execute arbitrary code. FPWIN Pro Is provided by Panasonic Corporation PLC Programming software for. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the parsing of PRO files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated data structure. An attacker can leverage this vulnerability to execute code in the context of the current process