Synopsis

Important: ansible and openshift-ansible security and bug fix update

Type/Severity

Security Advisory: Important

Topic

An update for ansible and openshift-ansible is now available for Red Hat OpenShift Container Platform 3.2, Red Hat OpenShift Container Platform 3.3, and Red Hat OpenShift Container Platform 3.4.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat OpenShift Container Platform is the company's cloud computing Platform-as-a-Service (PaaS) solution designed for on-premise or private cloud deployments.

Ansible is a SSH-based configuration management, deployment, and task execution system. The openshift-ansible packages contain Ansible code and playbooks for installing and upgrading OpenShift Container Platform 3.

Security Fix(es):

• An input validation vulnerability was found in Ansible's handling of data sent from client systems. An attacker with control over a client system being managed by Ansible and the ability to send facts back to the Ansible server could use this flaw to execute arbitrary code on the Ansible server using the Ansible server privileges. (CVE-2016-9587)
  

Bug Fix(es):

Space precludes documenting all of the non-security bug fixes in this advisory. See the relevant OpenShift Container Platform Release Notes linked to in the References section, which will be updated shortly for this release.

Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To apply this update, run the following on all hosts where you intend to initiate Ansible-based installation or upgrade procedures:

# yum update atomic-openshift-utils

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at:

https://access.redhat.com/articles/11258

Affected Products

• Red Hat OpenShift Container Platform 3.4 x86_64
• Red Hat OpenShift Container Platform 3.3 x86_64

Fixes

• BZ - 1379189 - [3.2] ansible sometimes gets UNREACHABLE error after iptables restarted
• BZ - 1388016 - [3.3] The insecure-registry address was removed during upgrade
• BZ - 1389263 - [3.4] the summary of json report should include total/ok number after certificate expiry check
• BZ - 1393000 - [3.3] Ansible upgrade from 3.2 to 3.3 fails
• BZ - 1404378 - CVE-2016-9587 Ansible: Compromised remote hosts can lead to running commands on the Ansible controller
• BZ - 1414276 - [3.3] Installer is failing when `ansible_user` is set to Windows Login which requires dom\user format
• BZ - 1415067 - [3.2]Installer should persist net.ipv4.ip_forward
• BZ - 1416926 - [3.3] ansible sometimes gets UNREACHABLE error after iptables restarted
• BZ - 1416927 - [3.4] ansible sometimes gets UNREACHABLE error after iptables restarted
• BZ - 1417680 - [3.2] Backport openshift_certificate_expiry role
• BZ - 1417681 - [3.4] Backport openshift_certificate_expiry role
• BZ - 1417682 - [3.3] Backport openshift_certificate_expiry role
• BZ - 1419493 - [3.4] Installer pulls in 3.3 registry-console image
• BZ - 1419533 - [3.2]Installation on node failed when creating node config
• BZ - 1419654 - [3.4] Containerized advanced installation fails due to missing CA certificate /etc/origin/master/ca.crt
• BZ - 1420393 - [3.4] conntrack executable not found on $PATH during cluster horizontal run
• BZ - 1420395 - [3.3] conntrack executable not found on $PATH during cluster horizontal run
• BZ - 1421053 - [quick installer 3.4] quick installer failed due to a python method failure
• BZ - 1421059 - [quick installer 3.2]quick installer failed due to a python method failure
• BZ - 1421061 - [quick installer 3.3]quick installer failed due to a python method failure
• BZ - 1421860 - [3.4] Metrics Resolution of Heapster Image Should be 30s to Match cAdvisor
• BZ - 1422361 - [3.4] Advanced installer fails if python-six not available
• BZ - 1426705 - [3.4] Installer is failing when `ansible_user` is set to Windows Login which requires dom\user format

CVEs

• CVE-2016-9587

References

• https://access.redhat.com/security/updates/classification/#important
• https://docs.openshift.com/enterprise/3.2/release_notes/ose_3_2_release_notes.html
• https://docs.openshift.com/container-platform/3.3/release_notes/ocp_3_3_release_notes.html
• https://docs.openshift.com/container-platform/3.4/release_notes/ocp_3_4_release_notes.html

Red Hat OpenShift Container Platform 3.4

SRPM
ansible-2.2.1.0-2.el7.src.rpm	SHA-256: dfa13008ac2bd9d52b3a70bc3b74ebbcdd71fe45d80ab7fb9aaf91bc723ed234
openshift-ansible-3.4.67-1.git.0.14a0b4d.el7.src.rpm	SHA-256: 8cd89ebd889f25a31602e9145ee97c861eb791f5b9e293b2231a98cecc0acdc8
x86_64
ansible-2.2.1.0-2.el7.noarch.rpm	SHA-256: ab188473ff03be0b7916a8c80c17027efc1ea944b6332b04fb5d43494ef4f478
atomic-openshift-utils-3.4.67-1.git.0.14a0b4d.el7.noarch.rpm	SHA-256: 1fbd18d0a4670baeb1a17c6e757b5f059d37e1c7e37f440e1143f24dcafaeb49
openshift-ansible-3.4.67-1.git.0.14a0b4d.el7.noarch.rpm	SHA-256: 17e24b2bbba14ccf4d51a36795e94476d73ab8de714ed458db86f6bd0ab7bbc3
openshift-ansible-callback-plugins-3.4.67-1.git.0.14a0b4d.el7.noarch.rpm	SHA-256: f8efbb4e54ffb80e818387cfc802c596725be6fae911cb3195077a9e89a2cfde
openshift-ansible-docs-3.4.67-1.git.0.14a0b4d.el7.noarch.rpm	SHA-256: 5653dc3b47f2c0ed8e8f343694697b10b03e48b5803857a1eb7566374e636bce
openshift-ansible-filter-plugins-3.4.67-1.git.0.14a0b4d.el7.noarch.rpm	SHA-256: 7117e1f6d1a3db625c9493ea00478892a91a4108307e46f708abbbdf5bffb338
openshift-ansible-lookup-plugins-3.4.67-1.git.0.14a0b4d.el7.noarch.rpm	SHA-256: 8508dbe1e287771c0cf75192a3396482932c744f60157ab8739828c919c8b383
openshift-ansible-playbooks-3.4.67-1.git.0.14a0b4d.el7.noarch.rpm	SHA-256: ac00d04ce8593aa6be5b19d629578a52365f8662eca9591f93dc1defb438b383
openshift-ansible-roles-3.4.67-1.git.0.14a0b4d.el7.noarch.rpm	SHA-256: 10b24b2eded2ad0e976e658d1a5e4068f4ce227698c7c315e76f0380c71a0a41

Red Hat OpenShift Container Platform 3.3

SRPM
ansible-2.2.1.0-2.el7.src.rpm	SHA-256: dfa13008ac2bd9d52b3a70bc3b74ebbcdd71fe45d80ab7fb9aaf91bc723ed234
openshift-ansible-3.3.67-1.git.0.7c5da0c.el7.src.rpm	SHA-256: 12dc36a089e2f9ccb245f3368740a8c3664cf923bfade39a7c41e58a78d9ebd9
x86_64
ansible-2.2.1.0-2.el7.noarch.rpm	SHA-256: ab188473ff03be0b7916a8c80c17027efc1ea944b6332b04fb5d43494ef4f478
atomic-openshift-utils-3.3.67-1.git.0.7c5da0c.el7.noarch.rpm	SHA-256: 5ebcc0401b85849ad25b904bc2caa86911c9470e5eecd7dc89548a900dcad22a
openshift-ansible-3.3.67-1.git.0.7c5da0c.el7.noarch.rpm	SHA-256: 7dd7baf8a8d84e75a4c513d333e41f911f9052128d30393cc3755c0fe6811cc9
openshift-ansible-callback-plugins-3.3.67-1.git.0.7c5da0c.el7.noarch.rpm	SHA-256: 8621030b04d2b0401e785a007c8fd419b16f1e4505fa7bd652235c5d0d928cac
openshift-ansible-docs-3.3.67-1.git.0.7c5da0c.el7.noarch.rpm	SHA-256: 2c889cb34b0d414184895cdb1067733d9a29ffd895743c29610c1af392957d1d
openshift-ansible-filter-plugins-3.3.67-1.git.0.7c5da0c.el7.noarch.rpm	SHA-256: e49d67d73ed0d5bdffab1fe3b3db70e7562457080b6ef3c34877082f726b97c6
openshift-ansible-lookup-plugins-3.3.67-1.git.0.7c5da0c.el7.noarch.rpm	SHA-256: 8dfc419676ab93c3e5e2a856ecacfc2ef6cdddbf9b25c2ce931868de7a162228
openshift-ansible-playbooks-3.3.67-1.git.0.7c5da0c.el7.noarch.rpm	SHA-256: 4cf94cca9798465e4aa194aadcdf0d228b50d98e937c12e401f3391498adcc68
openshift-ansible-roles-3.3.67-1.git.0.7c5da0c.el7.noarch.rpm	SHA-256: f4abd8e950828bb6a55603a1f2122a9503af16bf6f784687596ea751b8de9a76

Red Hat OpenShift Container Platform 3.2

SRPM
ansible-2.2.1.0-2.el7.src.rpm	SHA-256: dfa13008ac2bd9d52b3a70bc3b74ebbcdd71fe45d80ab7fb9aaf91bc723ed234
openshift-ansible-3.2.53-1.git.0.2fefc17.el7.src.rpm	SHA-256: d753ae184ad57205bcd90e81f6caebf8a59b38690723482c62bdf2a0cb4d9f3d
x86_64