SB2021012138 - Multiple vulnerabilities in Red Hat OpenShift Container Platform 3.11 

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2021012138

SB2021012138 - Multiple vulnerabilities in Red Hat OpenShift Container Platform 3.11

Published: January 21, 2021

Security Bulletin ID SB2021012138
Severity
Medium
Patch available
YES
Number of vulnerabilities 3
Exploitation vector Remote access
Highest impact Information disclosure

Breakdown by Severity

Medium 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 3 secuirty vulnerabilities.


1) Use of insufficiently random values (CVE-ID: CVE-2019-11840)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists in the amd64 implementation of golang.org/x/crypto/salsa20 and golang.org/x/crypto/salsa20/salsa. A remote unauthenticated attacker can trigger the vulnerability and gain access to sensitive information.


2) Improper input validation (CVE-ID: CVE-2020-8554)

The vulnerability allows a remote authenticated user to read and manipulate data.

The vulnerability exists due to improper input validation within the UDR (Kubernetes API) component in Oracle Communications Cloud Native Core Unified Data Repository. A remote authenticated user can exploit this vulnerability to read and manipulate data.


3) CRLF injection (CVE-ID: CVE-2020-26137)

The vulnerability allows a remote attacker to inject arbitrary data in server response.

The vulnerability exists due to insufficient validation of attacker-supplied data passed via the "method" parameter. A remote authenticated attacker can pass specially crafted data to the application containing CR-LF characters and modify application behavior.


Remediation

Install update from vendor's website.

References