Synopsis

Important: Red Hat OpenShift Enterprise 3.2 security update and bug fix update

Type/Severity

Security Advisory: Important

Topic

An update for atomic-openshift and heapster is now available for Red Hat OpenShift Enterprise 3.2.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

OpenShift Enterprise by Red Hat is the company's cloud computing Platform-
as-a-Service (PaaS) solution designed for on-premise or private cloud
deployments.

Security Fix(es):

• When processing an archive file that contains an archive entry with type 1 (hardlink) but also having a non-zero data size a file overwrite can occur. This would allow an attacker that can pass data to an application that uses libarchive to unpack it to overwrite arbitrary files with arbitrary data. (CVE-2016-5418)
  

Red Hat would like to thank Insomnia Security for reporting this issue.

This update also fixes the following bugs:

• Previously, pods that had a resource request of 0 and specified limits were classified as BestEffort when they should have been classified as Burstable. This bug fix ensures that those pods are correctly classified as Burstable.(BZ#1357475)
  
• Future versions of docker will require containerized installations of OpenShift Container Platform to mount /var/lib/origin with the `rslave` flag. New installations of OpenShift Container Platform 3.2 have this value set. However, upgrades from 3.1 did not properly set this value. This bug fix ensures that this flag is now set during upgrades, ensuring that OpenShift Container Platform works properly under future versions of docker. (BZ#1358197)
  
• The PersistentVolumeLabel admission plug-in is now enabled by default. This plug-in labels AWS and GCE volumes with their zone so the scheduler can limit the nodes for a pod to only those in the same zone as the persistent volumes being used by the pod. (BZ#1365600)
  
• Previously, heapster incorrectly generated error messages indicating that it "Failed to find node". This bug fix corrects that error and ensures that erroneous warnings are generated.(BZ#1366367)
  
• The deployment controllers' resync interval can now be configured. The previously hard-coded 2-minute default is the likely cause of performance regressions when thousands of deploymentconfigs are present in the system. Increase the resync interval by setting deploymentControllerResyncMinute in /etc/origin/master/master-config.yaml.(BZ#1366381)
  
• Previously, AWS-related environment variables were removed from /etc/sysconfig/atomic-openshift-master files during an upgrade if these values were not included in the advanced installer's inventory file. This bug fix ensures that these variables are now preserved during upgrades. (BZ#1370641)
  
• Previously, updates to the containerized atomic-openshift-node service were not properly reloaded during upgrades. This bug fix corrects this error and ensures that the service is reloaded during upgrades. (BZ#1371708)
  
• Previously the installer did not properly configure an environment for flannel when openshift_use_flannel was set to `true`. This bug fix corrects those errors and the installer will now correctly deploy environments using flannel. (BZ#1372026)

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

The following images are included in this errata :
openshift3/openvswitch:v3.2.1.15
openshift3/ose-pod:v3.2.1.15
openshift3/ose:v3.2.1.15
openshift3/ose-docker-registry:v3.2.1.15
openshift3/ose-keepalived-ipfailover:v3.2.1.15
openshift3/ose-recycler:v3.2.1.15
openshift3/ose-f5-router:v3.2.1.15
openshift3/ose-deployer:v3.2.1.15
openshift3/node:v3.2.1.15
openshift3/ose-sti-builder:v3.2.1.15
openshift3/ose-docker-builder:v3.2.1.15
openshift3/ose-haproxy-router:v3.2.1.15
openshift3/metrics-heapster:3.2.1-4

Affected Products

• Red Hat OpenShift Container Platform 3.2 x86_64

Fixes

• BZ - 1357475 - Pod QoS Tier are different between OpenShift 3.2 and 3.3
• BZ - 1358197 - docker's per-mount propagation mode wasn't turn on after upgrade
• BZ - 1362601 - CVE-2016-5418 libarchive: Archive Entry with type 1 (hardlink), but has a non-zero data size file overwrite
• BZ - 1365600 - Volume affinity in OCP 3.2
• BZ - 1366367 - Heapster "Failed to find node" warning and verbose logging
• BZ - 1366381 - [ocp3.2.1] deployments and scale up/down are very, very slow
• BZ - 1370641 - Upgrade from 3.1 to 3.2 overwrites AWS variables in /etc/sysconfig/atomic-openshift-master-*
• BZ - 1371708 - atomic-openshift-node service wasn't reload on containerized env.
• BZ - 1372026 - openshift_use_flannel=true does not work properly

CVEs

• CVE-2016-5418

References

• http://www.redhat.com/security/updates/classification/#normal

Red Hat OpenShift Container Platform 3.2

SRPM
atomic-openshift-3.2.1.15-1.git.0.d84be7f.el7.src.rpm	SHA-256: 5cd9789b158d622843992d82025e6b55518d1caf3f2934c6efcf67b1579adb6d
heapster-1.1.0-1.beta2.el7.1.src.rpm	SHA-256: a45c89c4171509c46568642e7ba2bd5e28bc19e1880f151d3638e1dd8b6ff10d
openshift-ansible-3.2.28-1.git.0.5a85fc5.el7.src.rpm	SHA-256: 187b27e7cc755ee03a5784c0cec58b7b23da331984df881bc4e73c04bce71d1f
x86_64
atomic-openshift-3.2.1.15-1.git.0.d84be7f.el7.x86_64.rpm	SHA-256: 5560e1ae0dcf0f1cafbf54413f8cbf94c6c98650c225938742818717abb93856
atomic-openshift-clients-3.2.1.15-1.git.0.d84be7f.el7.x86_64.rpm	SHA-256: ba62c3a1ea98741b9289417a3d81227563e87b80a58c9029bcf9895d2bbf75b8
atomic-openshift-clients-redistributable-3.2.1.15-1.git.0.d84be7f.el7.x86_64.rpm	SHA-256: b7014129fa81a7acfb275eab36e7fb02d4030ac7705e4fd64903789cda40ded1
atomic-openshift-dockerregistry-3.2.1.15-1.git.0.d84be7f.el7.x86_64.rpm	SHA-256: f741a27d6a5e289bce58a7b34a95c86d522cfe0dd094205d364d5cbf9e443147
atomic-openshift-master-3.2.1.15-1.git.0.d84be7f.el7.x86_64.rpm	SHA-256: 58ef259584ae3e1d0d639c45c4ce29cf5bf193ae6052cc58c0ead6cf217c2c74
atomic-openshift-node-3.2.1.15-1.git.0.d84be7f.el7.x86_64.rpm	SHA-256: e1ff8493f6896b1a0060a1c642b1371b6fd3027c8b45410c0fe1716373497723
atomic-openshift-pod-3.2.1.15-1.git.0.d84be7f.el7.x86_64.rpm	SHA-256: fcd0eccd14dd60f6aac5ee91220e7f8cdfc6b6877ca124d2c57ab21b5e07934c
atomic-openshift-recycle-3.2.1.15-1.git.0.d84be7f.el7.x86_64.rpm	SHA-256: 388708224ac63365e104081dcd35597470c7bfb56ee849e019fe6efa9831ddde
atomic-openshift-sdn-ovs-3.2.1.15-1.git.0.d84be7f.el7.x86_64.rpm	SHA-256: 72f77df4badeb4abab22ea0c0865fd3b682a1b6dbb575e769630db86771ae190
atomic-openshift-tests-3.2.1.15-1.git.0.d84be7f.el7.x86_64.rpm	SHA-256: e258655e13dfc30bb0f808739ae01d821bc5e4ba4770ffc06e374c929e7254f3
atomic-openshift-utils-3.2.28-1.git.0.5a85fc5.el7.noarch.rpm	SHA-256: d870f84b0533233363b8c418ccf8776b42456ae34b38691d370f363a07352c7d
heapster-1.1.0-1.beta2.el7.1.x86_64.rpm	SHA-256: f96b5738229b43b291ff6dc4962cec1640c6baa9f7b98e0cfe569bec31d3e749
openshift-ansible-3.2.28-1.git.0.5a85fc5.el7.noarch.rpm	SHA-256: f8010ca7c4b7d3d09392e88f0addff3f1c3f35b03ef98045f2328b7a18c337e4
openshift-ansible-docs-3.2.28-1.git.0.5a85fc5.el7.noarch.rpm	SHA-256: af84ef817a6de8cd3ae53efdc7584bdf1938b5c686241ff82eca8111a861bf07
openshift-ansible-filter-plugins-3.2.28-1.git.0.5a85fc5.el7.noarch.rpm	SHA-256: a220403c7d8084d53ab822f2f4061709c648bd4e463e01548f612fccb77b3351
openshift-ansible-lookup-plugins-3.2.28-1.git.0.5a85fc5.el7.noarch.rpm	SHA-256: d09c0ddf2f476213840d78d0b439f4737880af769f259e807112bbf8efba2eb8
openshift-ansible-playbooks-3.2.28-1.git.0.5a85fc5.el7.noarch.rpm	SHA-256: a361a47657365e9eef0e0288251a15dbe831cea1faa9e3c94296ce5c1df75b06
openshift-ansible-roles-3.2.28-1.git.0.5a85fc5.el7.noarch.rpm	SHA-256: 9d60e499d735e9fba9de2c7aa0cf817f4f22180be8ce36fe2e57106ae2336615
tuned-profiles-atomic-openshift-node-3.2.1.15-1.git.0.d84be7f.el7.x86_64.rpm	SHA-256: 74dd5adc0696d1dee9a4b666840e2d992294fc555b40b297b3d82b17034d179f