SUSE-SU-2020:1573-1: moderate: Add features for Metrics Server, Cert Status Checker, VSphere VCP, and Cilium Envoy

sle-security-updates at sle-security-updates at
Tue Jun 9 07:13:40 MDT 2020

   SUSE Security Update: Add features for Metrics Server, Cert Status Checker, VSphere VCP, and Cilium Envoy

Announcement ID:    SUSE-SU-2020:1573-1
Rating:             moderate
References:         #1041090 #1047218 #1048688 #1086909 #1094448 
                    #1095603 #1102920 #1121353 #1129568 #1138908 
                    #1144068 #1151876 #1156450 #1159002 #1159003 
                    #1159004 #1159539 #1162651 #1167073 #1169506 
Cross-References:   CVE-2019-18801 CVE-2019-18802 CVE-2019-18836
Affected Products:
                    SUSE CaaS Platform 4.0

   An update that solves four vulnerabilities and has 16 fixes
   is now available.


   Metrics Server

       * Support monitoring of *CPU* and *memory* of a pod or node.

   Cert Status Checker

       * Exposes cluster-wide certificate status and uses the monitoring
         stack (Prometheus and Grafana): alerts are received through
         Prometheus Alertmanager and certificate status is monitored in a
         Grafana dashboard.

   VSphere VCP

       * Allow Kubernetes pods to use VMWare vSphere Virtual Machine Disk
         (VMDK) volumes as persistent storage.

   Cilium Envoy

       * Updated Cilium from version 1.5.3 to version 1.6.6
       * Provide Envoy-proxy support for Cilium
       * Envoy and its dependencies packaged for version 1.12.2
       * Cilium now uses CRDs and a ConfigMap; the etcd endpoints are removed

   See release notes for installation instructions:

   The following CVE entries are relevant for the casp 4.2.1 update:


   CVE-2019-18801: An untrusted remote client might have been able to send
   HTTP/2 requests via cilium-proxy that could have written to the heap
   outside of the request buffers when the upstream is HTTP/1. (bsc#1159002)

   CVE-2019-18802: A malformed request header may have caused a bypass of
   route matchers, resulting in escalation of privileges or information
   disclosure. (bsc#1159003)

   CVE-2019-18838: A malformed HTTP request without the Host header may
   cause abnormal termination of the Envoy process. (bsc#1159004)

   CVE-2019-18836: Excessive iteration due to a listener filter timeout in
   Envoy could lead to DoS. (bsc#1156450)


   CVE-2018-1288: Authenticated Kafka users may perform actions reserved for
   the Broker via a manually created fetch request. (bsc#1102920)

Patch Instructions:

   To install this SUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE CaaS Platform 4.0:

      To install this update, use the SUSE CaaS Platform Velum dashboard.
      It will inform you if it detects new updates and let you then trigger
      updating of the complete cluster in a controlled way.

Package List:

   - SUSE CaaS Platform 4.0 (x86_64):


   - SUSE CaaS Platform 4.0 (noarch):


