Security update for caasp-container-manifests, changelog-generator-data-sles12sp3-velum, kubernetes-salt, rubygem-aes_key_wrap, rubygem-json-jwt, sles12sp3-velum-image, velum

SUSE Security Update: Security update for caasp-container-manifests, changelog-generator-data-sles12sp3-velum, kubernetes-salt, rubygem-aes_key_wrap, rubygem-json-jwt, sles12sp3-velum-image, velum
Announcement ID: SUSE-SU-2019:0537-1
Rating: important
References: #1121145 #1121162 #1121165 #1121166
Cross-References: CVE-2018-1000539
Affected Products:
  • SUSE CaaS Platform 3.0

An update that solves one vulnerability and has three fixes is now available.

Description:


This update for caasp-container-manifests, changelog-generator-data-sles12sp3-velum, kubernetes-salt, rubygem-aes_key_wrap, rubygem-json-jwt, sles12sp3-velum-image, velum provides the following fixes:
Security issue fixed in rubygem-json-jwt and velum:

  • CVE-2018-1000539: Fixed an improper verification of cryptographic signatures during the decryption of encrypted with AES-GCM JSON Web Tokens which could lead to a forged authentication tag. (bsc#1099243, bsc#1121166)

caasp-container-manifests:
  • Disable the kubelet servers on the admin node. The admin node is not part of a k8s cluster, so enabling the endpoints for interaction by the user/api-server is not needed. Instead (only on the admin node) all endpoints (healthz and server) that are usually exposed by the kubelet are disabled. (bsc#1121145)

kubernetes-salt:
  • haproxy: Block requests to /internal-api endpoint. The internal api endpoints expose sensitive data and thus should not be accessed via internet. This internal api was developed inside the velum project and haproxy was allowing requests to that endpoint. Velum listens on 0.0.0.0 and needs to block for that specific path. With this change any request to anything that starts with /internal-api is blocked. (bsc#1121162)

velum:
  • Changed kubeconfig download from get to post request. The kubeconfig download request was previously done via GET request and the file content could be easily modified through url parameters. Changing from GET to POST method takes advantage of CSRF protection. (bsc#1121165)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • SUSE CaaS Platform 3.0:
    To install this update, use the SUSE CaaS Platform Velum dashboard. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way.

Package List:

  • SUSE CaaS Platform 3.0 (x86_64):
    • sles12-velum-image-3.1.10-3.36.3
  • SUSE CaaS Platform 3.0 (noarch):
    • caasp-container-manifests-3.0.0+git_r297_c3bfc41-3.9.1
    • kubernetes-salt-3.0.0+git_r935_34ce12d-3.50.1

References: