SB2021011542 - Multiple vulnerabilities in Red Hat OpenShift Serverless

Description

This security bulletin contains information about 30 secuirty vulnerabilities.

1) Cross-site scripting (CVE-ID: CVE-2020-24553)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

2) Memory leak (CVE-ID: CVE-2019-20388)

The vulnerability allows a remote attacker to perform DoS attack on the target system.

The vulnerability exists due memory leak in xmlSchemaPreRun in xmlschemas.c. A remote attacker can trigger a xmlSchemaValidateStream memory leak and perform denial of service attack.

3) NULL pointer dereference (CVE-ID: CVE-2020-24659)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error in GnuTLS before 3.6.15. A server can trigger a NULL pointer dereference in a TLS 1.3 client if a no_renegotiation alert is sent with unexpected timing, and then an invalid second handshake occurs. The crash happens in the application's error handling path, where the gnutls_deinit function is called after detecting a handshake failure. A remote attacker can perform a denial of service (DoS) attack.

4) NULL pointer dereference (CVE-ID: CVE-2020-13632)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error in ext/fts3/fts3_snippet.c in SQLite. A local user can trigger denial of service conditions via a crafted matchinfo() query.

5) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2020-13631)

The vulnerability allows a local user to bypass certain security restrictions.

The vulnerability exists due an error in alter.c and build.c files in SQLite that allows a local user to rename a virtual table into a shadow table. A local user with permissions to create virtual tables can renamed them and gain unauthorized access to the fronted application.

6) Use-after-free (CVE-ID: CVE-2020-13630)

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within the fts3EvalNextRow() function in ext/fts3/fts3.c. A remote attacker can pass specially crafted data to application, trigger a use-after-free error and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

7) Stack-based buffer overflow (CVE-ID: CVE-2020-10029)

The vulnerability allows an attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within "sysdeps/ieee754/ldbl-96/e_rem_pio2l.c" in GNU C Library (aka glibc or libc6). An attacker can pas specially crafted input to the application and trigger a stack-based buffer overflow.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system or denial of service conditions.

8) NULL pointer dereference (CVE-ID: CVE-2020-9327)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error in SQLite 3.31.1, isAuxiliaryVtabOperator allows attackers to trigger a NULL pointer dereference and segmentation fault because of generated column optimizations. A remote attacker can perform a denial of service (DoS) attack.

9) Infinite loop (CVE-ID: CVE-2020-7595)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to infinite loop in xmlStringLenDecodeEntities in parser.c. A remote attacker can consume all available system resources and cause denial of service conditions in a certain end-of-file situation.

10) Out-of-bounds read (CVE-ID: CVE-2020-6405)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition in SQLite. A remote attacker can pass specially crafted input to the application, trigger out-of-bounds read error and read contents of memory on the system.

11) NULL pointer dereference (CVE-ID: CVE-2020-1971)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error. A remote attacker can trigger denial of service conditions via the API functions TS_RESP_verify_response and TS_RESP_verify_token). If an attacker can control both items being compared then that attacker could trigger a crash. For example if the attacker can trick a client or server into checking a malicious certificate against a malicious CRL then this may occur. Note that some applications automatically download CRLs based on a URL embedded in a certificate. This checking happens prior to the signatures on the certificate and CRL being verified. OpenSSL's s_server, s_client and verify tools have support for the "-crl_download" option which implements automatic CRL downloading and this attack has been demonstrated to work against those tools. Note that an unrelated bug means that affected versions of OpenSSL cannot parse or construct correct encodings of EDIPARTYNAME. However it is possible to construct a malformed EDIPARTYNAME that OpenSSL's parser will accept and hence trigger this attack.

12) Use-after-free (CVE-ID: CVE-2020-1752)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error within the glob() function in glibc in the way the tilde expansion was carried out. Directory paths containing an initial tilde followed by a valid username are affected by this issue. A local user can create a specially crafted path that, when processed by the glob() function, would potentially lead to arbitrary code execution.

13) Out-of-bounds write (CVE-ID: CVE-2020-1751)

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a boundary error in the "backtrace" function when handling signal trampolines on PowerPC. A remote attacker can trigger out-of-bounds write and execute arbitrary code on the target system.

14) Resource management error (CVE-ID: CVE-2020-1730)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper resource management while cleaning the AES-CTR ciphers when closing the connection. A remote attacker can initiate a connection to the client and server that supports AES-CTR ciphers and close the connection before ciphers are initialized, triggering a denial of service condition (service crash). The vulnerability affects both client and server implementations.

15) Out-of-bounds read (CVE-ID: CVE-2019-20454)

The vulnerability allows a remote attacker to gain access to perform denial of service (DoS) attack.

The vulnerability exists due to a boundary condition in the "do_extuni_no_utf in pcre2_jit_compile.c" file when the pattern X is JIT compiled and used to match specially crafted subjects in non-UTF mode. A remote attacker can trigger out-of-bounds read error and crash the affected application.

16) Out-of-bounds read (CVE-ID: CVE-2019-20387)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to heap-based buffer over-read via a last schema whose length is less than the length of the input schema. A remote attacker can perform a denial of service attack.

17) Input validation error (CVE-ID: CVE-2020-28362)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input in a number of math/big.Int methods (Div, Exp, DivMod, Quo, Rem, QuoRem, Mod, ModInverse, ModSqrt, Jacobi, and GCD). A remote attacker can pass large input data to the application, specifically as divisor or modulo argument larger than 3168 bits (on 32-bit architectures) or 6336 bits (on 64-bit architectures).

18) Memory leak (CVE-ID: CVE-2019-20218)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due memory leak within the selectExpander() function in select.c in SQLite, caused by incorrect exception handling, related to stack unwinding. A remote attacker can trigger with ability to modify the WITH SQL query can gain access to potentially sensitive information.

19) Memory leak (CVE-ID: CVE-2019-19956)

The vulnerability allows a remote attacker to perform DoS attack on the target system.

The vulnerability exists due memory leak in xmlParseBalancedChunkMemoryRecover in parser.c. A remote attacker can trigger a memory leak related to newDoc->oldNs and perform denial of service attack.

20) Out-of-bounds write (CVE-ID: CVE-2019-19906)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to an out-of-bounds write error when processing LDAP queries within the _sasl_add_string() function in common.c file in cyrus-sasl. A remote non-authenticated attacker can create a specially LDAP request to the affected server, trigger off-by-one error in OpenLDAP implementation and crash the service.

21) Out-of-bounds read (CVE-ID: CVE-2019-19221)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition in "archive_wstring_append_from_mbs" in "archive_string.c" because of an incorrect "mbrtowc" or "mbtowc" call. A remote attacker can create a specially crafted archive file, trick the victim into opening it, trigger out-of-bounds read error and read contents of memory on the system.

22) Division by zero (CVE-ID: CVE-2019-16168)

The vulnerability allows a remote attacker to perform a denial of service attack.

The vulnerability exists due to a division by zero error within the whereLoopAddBtreeIndex in sqlite3.c due to improper input validation in the sqlite_stat1 sz field. A remote attacker can pass specially crafted data to the application, trigger division by zero error and crash the vulnerable application.

23) Out-of-bounds read (CVE-ID: CVE-2019-15903)

The vulnerability allows a remote attacker to gain access to potentially sensitive information or perform denial of service (DoS) attack.

The vulnerability exists due to a boundary error when processing XML documents within the expat library. A remote attacker can create a specially crafted XML file, pass it to the affected application, trigger out-of-bounds read error and read contents of memory on the system or crash the affected application.

24) OS Command Injection (CVE-ID: CVE-2019-14889)

The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.

The vulnerability exists due to incorrect handling of the SCP command parameters when initiating the connection within the ssh_scp_new() function. A remote attacker can trick victim into using a specially crafted SCP command to connect to a remote SCP server and execute arbitrary commands on the target server with privileges of the current user.

25) Cryptographic issues (CVE-ID: CVE-2019-13627)

The vulnerability allows a remote attacker to perform timing attack.

The vulnerability exists due to an error within the libgcrypt20 cryptographic library. A remote attacker can perform ECDSA timing attack.

26) Improper validation of certificate with host mismatch (CVE-ID: CVE-2019-13050)

27) Use-after-free (CVE-ID: CVE-2019-5018)

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within the window function functionality. A remote attacker can send a specially crafted SQL command to the application, trigger user-after-free error and execute arbitrary code on the system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

28) XML External Entity injection (CVE-ID: CVE-2018-20843)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to insufficient validation of user-supplied XML input including XML names that contain a large number of colons. A remote attacker can pass a specially crafted XML code to the affected application and view contents of arbitrary files on the system or initiate requests to external systems.

Successful exploitation of the vulnerability may allow an attacker to view contents of arbitrary file on the server or perform network scanning of internal and external infrastructure.

29) Code Injection (CVE-ID: CVE-2020-28367)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation at build time when cgo is in use. A remote attacker can trick the victim to build a specially crafted application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

30) Code Injection (CVE-ID: CVE-2020-28366)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation at build time when cgo is in use. A remote attacker can trick the victim into building a specially crafted application and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Remediation

Install update from vendor's website.

References

• https://access.redhat.com/errata/RHSA-2021:0146