The software described in this documentation is either no longer supported or is in extended support.
Oracle recommends that you upgrade to a current supported release.

1.2.7 Release 1.1.2

This section lists the notable changes in Release 1.1.2 of Oracle Linux Cloud Native Environment.

Kubernetes Updated: Kubernetes is updated to Release 1.17.9 to resolve the following CVEs.

  • CVE-2020-8559. This CVE relates to an issue where an attacker who is able to intercept certain requests to the kubelet can return a redirect response; a client that follows the redirect reuses the credentials from the original request. This can lead to the compromise of other nodes.

  • CVE-2020-8557. This CVE relates to an issue where the /etc/hosts file that the kubelet mounts into a pod is not included when the kubelet eviction manager calculates the pod's ephemeral storage usage. If a pod writes a large amount of data to the /etc/hosts file, it can fill the storage space of the node and cause the node to fail.

Istio Updated: Istio is updated to Release 1.4.10 to resolve the following CVEs.

  • CVE-2020-1764. This CVE relates to Kiali being installed with a default signing key. This can allow an attacker with access to Kiali to bypass authentication and gain administrative privileges over Istio.

  • CVE-2020-10739. This CVE relates to an issue where an attacker sending a specially crafted packet could trigger a Null Pointer Exception, resulting in a Denial of Service. The packet could be sent to the ingress gateway or to a sidecar.

  • CVE-2020-11080. This CVE relates to an issue where an attacker sending a specially crafted packet could cause the CPU to spike to 100%. The packet could be sent to the ingress gateway or to a sidecar.

  • CVE-2020-15104. This CVE relates to an issue where, when validating TLS certificates, Envoy incorrectly allows a wildcard in a DNS Subject Alternative Name (SAN) to match multiple levels of subdomain instead of a single label.
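
To make the wildcard-SAN point concrete, here is an added example (not code from the release notes, Envoy or Istio) of a strict DNS SAN matcher in the spirit of RFC 6125, placed beside a constructed lenient suffix matcher that shows the failure mode this class of CVE concerns: `*.example.com` must cover `api.example.com` only, never `a.b.example.com`.

```python
import re

# Added illustration, not Envoy's code: a wildcard in a DNS SAN may only be
# the entire left-most label, and it substitutes for exactly one label.
_LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?$")


def _normalize(name: str) -> str:
    # DNS names are case-insensitive; drop a single trailing dot.
    return name.lower().rstrip(".")


def san_matches(san: str, hostname: str) -> bool:
    """Return True if the DNS SAN `san` covers `hostname` under strict rules."""
    san, hostname = _normalize(san), _normalize(hostname)
    san_labels, host_labels = san.split("."), hostname.split(".")
    # The presented hostname must itself be a well-formed DNS name.
    if not all(_LABEL.match(lbl) for lbl in host_labels):
        return False
    if "*" not in san:
        return san == hostname
    # Wildcard form: "*" must be the whole left-most label, appear only once,
    # and be followed by at least two real labels (so "*.com" is rejected).
    if san_labels[0] != "*" or len(san_labels) < 3 or "*" in san_labels[1:]:
        return False
    if not all(_LABEL.match(lbl) for lbl in san_labels[1:]):
        return False
    # Exactly one label stands in for "*": label counts must be equal and
    # every label after it must match literally.
    return len(host_labels) == len(san_labels) and host_labels[1:] == san_labels[1:]


def lenient_suffix_match(san: str, hostname: str) -> bool:
    """Constructed for contrast only: treats "*.example.com" as "anything that
    ends in .example.com", which wrongly spans multiple subdomain levels."""
    san, hostname = _normalize(san), _normalize(hostname)
    if san.startswith("*."):
        return hostname.endswith(san[1:])
    return san == hostname
```

A certificate for `*.example.com` is accepted for `a.b.example.com` by the lenient matcher but rejected by the strict one, which is the distinction the fix restores.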

Kata Updated: Kata security fixes have been backported to Release 1.7.3 to resolve the following CVEs.

  • CVE-2020-2024. This CVE relates to an improper link resolution vulnerability when tearing down a container. A malicious guest could trick the kata-runtime into unmounting any mount point on the host and all mount points underneath it, potentially resulting in a host Denial of Service.

  • CVE-2020-2025. This CVE relates to persistent guest file system changes to the underlying image file on the host. A malicious guest could overwrite the image file to gain control of all subsequent guest virtual machines.

  • CVE-2020-2026. This CVE relates to mounting the untrusted container file system on an arbitrary host path. A malicious guest that is compromised before container creation could trick the kata-runtime into mounting the untrusted container file system on any host path, potentially allowing code execution on the host.

For information about updating to this errata release, see Updates and Upgrades.