Synopsis

Moderate: Red Hat OpenShift Enterprise 3.1 security update

Type/Severity

Security Advisory: Moderate

Topic

An update for atomic-openshift is now available for Red Hat OpenShift Enterprise 3.1. In addition, all images have been rebuilt on the new RHEL 7.2.4 base image.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

OpenShift Enterprise by Red Hat is the company's cloud computing Platform-as-a-Service (PaaS) solution designed for on-premise or private cloud deployments.

Security Fix(es):

• An origin validation vulnerability was found in OpenShift Enterprise. An attacker could potentially access API credentials stored in a web browser's localStorage if anonymous access was granted to a service/proxy or pod/proxy API for a specific pod, and an authorized access_token was provided in the query parameter. (CVE-2016-3703)
  

This issue was discovered by Jordan Liggitt (Red Hat).

This update includes the following images:

openshift3/ose:v3.1.1.6-21
openshift3/ose-deployer:v3.1.1.6-20
openshift3/ose-docker-builder:v3.1.1.6-19
openshift3/ose-docker-registry:v3.1.1.6-9
openshift3/ose-f5-router:v3.1.1.6-20
openshift3/ose-haproxy-router:v3.1.1.6-9
openshift3/ose-keepalived-ipfailover:v3.1.1.6-9
openshift3/ose-pod:v3.1.1.6-9
openshift3/ose-recycler:v3.1.1.6-9
openshift3/ose-sti-builder:v3.1.1.6-19
openshift3/logging-auth-proxy:3.1.1-9
openshift3/logging-deployment:3.1.1-17
openshift3/logging-elasticsearch:3.1.1-11
openshift3/logging-fluentd:3.1.1-11
openshift3/logging-kibana:3.1.1-8
openshift3/metrics-deployer:3.1.1-7
openshift3/metrics-heapster:3.1.1-7
openshift3/node:v3.1.1.6-20
openshift3/openvswitch:v3.1.1.6-10

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

• Red Hat OpenShift Container Platform 3.1 x86_64

Fixes

• BZ - 1330233 - CVE-2016-3703 OpenShift Enterprise 3: Untrusted content loaded via the API proxy can access web console credentials on the same domain

CVEs

• CVE-2016-3703

References

• http://www.redhat.com/security/updates/classification/#normal

Red Hat OpenShift Container Platform 3.1

SRPM
atomic-openshift-3.1.1.6-8.git.64.80b61da.el7aos.src.rpm	SHA-256: 3dd59d20078f9f263ef4836f9c506588a5e7bc89adaa1323f4c44cbb61329d9f
x86_64
atomic-openshift-3.1.1.6-8.git.64.80b61da.el7aos.x86_64.rpm	SHA-256: 451a7c1354220e28ca0ad17baca2da05a5a5ad93822144ab07da9de93a8f36c3
atomic-openshift-clients-3.1.1.6-8.git.64.80b61da.el7aos.x86_64.rpm	SHA-256: 0d3d6f13858ce3e8dd1bd2e131bd261ee1471b8dcdba2f91afd6f59863cab21d
atomic-openshift-clients-redistributable-3.1.1.6-8.git.64.80b61da.el7aos.x86_64.rpm	SHA-256: c8f74df01f524fd74ba211358978f3c295a0af99c467005f1d148c45cfd4ba1d
atomic-openshift-dockerregistry-3.1.1.6-8.git.64.80b61da.el7aos.x86_64.rpm	SHA-256: 85f9e0f36705d6cd0f99d325102210ca6ad5b5268110ff958505d7d1e835c25c
atomic-openshift-master-3.1.1.6-8.git.64.80b61da.el7aos.x86_64.rpm	SHA-256: d50a6119302f0e28887b78587e0dffd5befbe95c81eb0cfaadc0df5ebed2d00a
atomic-openshift-node-3.1.1.6-8.git.64.80b61da.el7aos.x86_64.rpm	SHA-256: 332a78747d0b6c911566d7600bb1a314e2d4a2ad60da4671f2f0ddd29cf5b996
atomic-openshift-pod-3.1.1.6-8.git.64.80b61da.el7aos.x86_64.rpm	SHA-256: 9009fe7941c73def51aeb47835a44818a48a3171b138094f5ba91e95ae3eb90e
atomic-openshift-recycle-3.1.1.6-8.git.64.80b61da.el7aos.x86_64.rpm	SHA-256: 76f7f663f145759e774f7bb4e1f88d9dc757f0d5f1d408a24739e7a9fca34418
atomic-openshift-sdn-ovs-3.1.1.6-8.git.64.80b61da.el7aos.x86_64.rpm	SHA-256: d8de9fe41e89b6d3a4c86ba6ffa5243dcd0a2e24fdb1e070842a7d3cda3582ab
tuned-profiles-atomic-openshift-node-3.1.1.6-8.git.64.80b61da.el7aos.x86_64.rpm	SHA-256: c93835e1cb430613ee2f57ab9b311b26e6779d0f0c5bfb219e09bf667468b800