SUSE-SU-2019:0537-1: important: Security update for caasp-container-manifests, changelog-generator-data-sles12sp3-velum, kubernetes-salt, rubygem-aes_key_wrap, rubygem-json-jwt, sles12sp3-velum-image, velum

sle-updates at lists.suse.com
Fri Mar 1 16:09:43 MST 2019


   SUSE Security Update: Security update for caasp-container-manifests, changelog-generator-data-sles12sp3-velum, kubernetes-salt, rubygem-aes_key_wrap, rubygem-json-jwt, sles12sp3-velum-image, velum
______________________________________________________________________________

Announcement ID:    SUSE-SU-2019:0537-1
Rating:             important
References:         #1121145 #1121162 #1121165 #1121166 
Cross-References:   CVE-2018-1000539
Affected Products:
                    SUSE CaaS Platform 3.0
______________________________________________________________________________

   An update that solves one vulnerability and has three fixes
   is now available.

Description:


   This update for caasp-container-manifests,
   changelog-generator-data-sles12sp3-velum, kubernetes-salt,
   rubygem-aes_key_wrap, rubygem-json-jwt, sles12sp3-velum-image, velum
   provides the following fixes:

   Security issue fixed in rubygem-json-jwt and velum:

   - CVE-2018-1000539: Fixed improper verification of cryptographic
     signatures when decrypting AES-GCM encrypted JSON Web Tokens, which
     could let a forged authentication tag be accepted. (bsc#1099243,
     bsc#1121166)
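
   Illustration of the bug class behind CVE-2018-1000539, added here as an
   example and not taken from json-jwt or velum: AES-GCM verifies the
   authentication tag only in the final step of decryption, so a decryptor
   that returns the output of update() without ever calling final() accepts
   any tag, forged or not. The key, IV, plaintext and header stand-in are
   constructed; a real JWE carries the IV, ciphertext and tag in the token
   and unwraps the content encryption key from the encrypted-key part.

```ruby
require 'openssl'

# Constructed demo values. In a real JWE the CEK is unwrapped from the token's
# encrypted key, the IV and tag come from the token, and the AAD is the
# base64url-encoded protected header.
KEY = OpenSSL::Digest::SHA256.digest('demo-cek')          # 32-byte AES-256 key
IV  = ("\x00" * 12).b                                     # fixed only for reproducibility
AAD = 'eyJhbGciOiJkaXIiLCJlbmMiOiJBMjU2R0NNIn0'           # constructed header stand-in

def gcm_encrypt(plaintext, key: KEY, iv: IV, aad: AAD)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = key
  cipher.iv = iv
  cipher.auth_data = aad
  ciphertext = cipher.update(plaintext) + cipher.final
  [ciphertext, cipher.auth_tag]                           # auth_tag is valid only after final
end

# Correct decryption: final() compares the computed tag with the supplied one
# and raises CipherError on mismatch, which we map to nil ("reject token").
def gcm_decrypt_checked(ciphertext, tag, key: KEY, iv: IV, aad: AAD)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = key
  cipher.iv = iv
  cipher.auth_tag = tag
  cipher.auth_data = aad
  cipher.update(ciphertext) + cipher.final
rescue OpenSSL::Cipher::CipherError
  nil
end

# Bug pattern to look for in review (illustrative, not json-jwt's code):
# update() alone already yields the plaintext in GCM, and without final()
# the tag is never compared, so integrity is silently lost.
def gcm_decrypt_unchecked(ciphertext, tag, key: KEY, iv: IV, aad: AAD)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = key
  cipher.iv = iv
  cipher.auth_tag = tag
  cipher.auth_data = aad
  cipher.update(ciphertext)
end

def jwe_demo
  claims = '{"sub":"alice","admin":false}'
  ciphertext, tag = gcm_encrypt(claims)
  forged_tag = tag.dup
  forged_tag.setbyte(0, forged_tag.getbyte(0) ^ 0x01)     # flip one bit of the tag
  {
    valid: gcm_decrypt_checked(ciphertext, tag),          # plaintext
    forged_checked: gcm_decrypt_checked(ciphertext, forged_tag),     # nil: rejected
    forged_unchecked: gcm_decrypt_unchecked(ciphertext, forged_tag)  # plaintext: accepted
  }
end
```

   The detection rule for code review follows from the two decrypt variants:
   any GCM decryption path that does not reach final() (or whose rescue
   swallows CipherError and still returns data) has no integrity check.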

   caasp-container-manifests:

   - Disable the kubelet servers on the admin node. The admin node is not
     part of a k8s cluster, so its kubelet endpoints do not need to be
     exposed for the user or the API server. Instead, on the admin node only,
     all endpoints (healthz and server) that the kubelet usually exposes are
     disabled. (bsc#1121145)

   kubernetes-salt:

   - haproxy: Block requests to the /internal-api endpoint. The internal API
     endpoints expose sensitive data and thus should not be reachable from
     the internet. This internal API was developed inside the velum project,
     and haproxy was allowing requests to that endpoint. Velum listens on
     0.0.0.0, so haproxy needs to block that specific path. With this change
     any request to a path that starts with /internal-api is blocked.
     (bsc#1121162)

   velum:

   - Changed the kubeconfig download from a GET to a POST request. The
     kubeconfig download was previously done via a GET request, and the file
     content could easily be modified through URL parameters. Switching from
     GET to POST takes advantage of the CSRF protection. (bsc#1121165)
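
   Added example of the request-handling change described above; this is
   illustrative code, not velum's own controller. It models two versions of
   a kubeconfig download handler as plain Ruby methods: the "before" version
   answers GET and lets a URL parameter shape the file, the "after" version
   answers only POST, requires the session's CSRF token to match the
   submitted authenticity_token, and renders the file purely from
   server-side cluster facts. The cluster values, parameter names and the
   session layout are constructed assumptions.

```ruby
require 'securerandom'
require 'digest'

# Constructed server-side cluster facts. The kubeconfig must be derived from
# these, never from request parameters that a link from elsewhere controls.
CLUSTER = {
  name: 'caasp-demo',
  server: 'https://api.example.internal:6443',
  user: 'velum-user'
}.freeze

def render_kubeconfig(cluster)
  <<~YAML
    apiVersion: v1
    kind: Config
    clusters:
    - name: #{cluster[:name]}
      cluster:
        server: #{cluster[:server]}
    users:
    - name: #{cluster[:user]}
    contexts:
    - name: #{cluster[:name]}
      context:
        cluster: #{cluster[:name]}
        user: #{cluster[:user]}
    current-context: #{cluster[:name]}
  YAML
end

# Compare digests rather than raw tokens so the comparison time does not
# depend on how many leading bytes of the secret token matched.
def token_match?(expected, given)
  return false if expected.nil? || given.nil?
  Digest::SHA256.digest(expected) == Digest::SHA256.digest(given)
end

# Before (illustrative): GET, and a URL parameter overrides the API server
# address, so the downloaded file says whatever the link said.
def kubeconfig_before(method, params)
  return [405, 'method not allowed'] unless method == 'GET'
  server = params['server'] || CLUSTER[:server]
  [200, render_kubeconfig(CLUSTER.merge(server: server))]
end

# After: POST only, CSRF token bound to the session must be presented, and
# the file content comes from server-side state alone.
def kubeconfig_after(method, params, session)
  return [405, 'method not allowed'] unless method == 'POST'
  unless token_match?(session[:csrf_token], params['authenticity_token'])
    return [403, 'invalid csrf token']
  end
  [200, render_kubeconfig(CLUSTER)]
end

def kubeconfig_demo
  session = { csrf_token: SecureRandom.hex(32) }          # token issued with the page
  {
    before_tampered: kubeconfig_before('GET', { 'server' => 'https://other.example' })[1],
    after_get: kubeconfig_after('GET', {}, session)[0],
    after_post_no_token: kubeconfig_after('POST', {}, session)[0],
    after_post_bad_token: kubeconfig_after('POST', { 'authenticity_token' => 'x' }, session)[0],
    after_post_ok: kubeconfig_after('POST', { 'authenticity_token' => session[:csrf_token] }, session)
  }
end
```

   The two properties worth checking in a real deployment are the ones the
   demo asserts: the download URL no longer answers GET at all, and a POST
   without a token that matches the session is refused before any file is
   rendered.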


Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE CaaS Platform 3.0:

      To install this update, use the SUSE CaaS Platform Velum dashboard.
      It will inform you if it detects new updates and let you then trigger
      updating of the complete cluster in a controlled way.



Package List:

   - SUSE CaaS Platform 3.0 (x86_64):

      sles12-velum-image-3.1.10-3.36.3

   - SUSE CaaS Platform 3.0 (noarch):

      caasp-container-manifests-3.0.0+git_r297_c3bfc41-3.9.1
      kubernetes-salt-3.0.0+git_r935_34ce12d-3.50.1


References:

   https://www.suse.com/security/cve/CVE-2018-1000539.html
   https://bugzilla.suse.com/1121145
   https://bugzilla.suse.com/1121162
   https://bugzilla.suse.com/1121165
   https://bugzilla.suse.com/1121166


