Red Hat Product Errata RHSA-2017:1244 - Security Advisory
Issued: 2017-05-17
Updated: 2017-05-17


Synopsis

Important: ansible and openshift-ansible security and bug fix update

Type/Severity

Security Advisory: Important

Topic

An update for ansible and openshift-ansible is now available for Red Hat OpenShift Container Platform 3.2, Red Hat OpenShift Container Platform 3.3, Red Hat OpenShift Container Platform 3.4, and Red Hat OpenShift Container Platform 3.5.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Ansible is a simple model-driven configuration management, multi-node deployment, and remote task execution system. Ansible works over SSH and does not require any software or daemons to be installed on remote nodes.

The openshift-ansible packages contain Ansible code and playbooks for installing and upgrading OpenShift Container Platform 3.

Security Fix(es):

  • An input validation vulnerability was found in Ansible's handling of data sent from client systems. An attacker with control over a client system being managed by Ansible, and the ability to send facts back to the Ansible server, could use this flaw to execute arbitrary code on the Ansible server using the Ansible server privileges. (CVE-2017-7466)
  • An input validation flaw was found in Ansible, where it fails to properly mark lookup-plugin results as unsafe. If an attacker could control the results of lookup() calls, they could inject Unicode strings to be parsed by the jinja2 templating system, resulting in code execution. With this update, lookup results are marked as 'unsafe' by default, so any jinja2 templating they contain is not evaluated. (CVE-2017-7481)

These issues were discovered by Evgeni Golov (Red Hat).

Bug Fix(es):

  • The installer could fail to add iptables rules if other iptables rules were updated at the same time. The installer now waits to obtain a lock, ensuring that rules are properly created. (BZ#1445194, BZ#1445282)
  • In multi-master environments, if `ansible_host` and `openshift_hostname` values differ and Ansible sorts one of the lists differently from the other, the CA host may be the first master but it was still signing the initial certificates with the host names of the first master. By ensuring that the host names of the CA host are used when creating the certificate authority, this bug fix ensures that certificates are signed with correct host names. (BZ#1447399, BZ#1440309, BZ#1447398)
  • Running Ansible via `batch` systems like the `nohup` command caused Ansible to leak file descriptors and abort playbooks whenever the maximum number of open file descriptors was reached. Ansible 2.2.3.0 includes a fix for this problem, and OCP channels have been updated to include this version. (BZ#1439277)
  • The OCP 3.4 logging stack upgraded the schema to use the common standard logging data model. However, some of the Elasticsearch and Kibana configuration using this schema was missing, causing Kibana to show an error message upon startup. The correct Elasticsearch and Kibana configuration is now added to the logging stack, including for upgrades from OCP 3.3 to 3.4, and from 3.4.x to 3.4.y. As a result, Kibana works correctly with the new logging data schema. (BZ#1444106)
  • Because the upgrade playbooks upgraded packages in a serial manner rather than all at once, yum dependency resolution installed the latest version available in the enabled repositories rather than the requested version. This bug fix updates the playbooks to upgrade all packages to the requested version at once, which prevents yum from potentially upgrading to the latest version. (BZ#1391325, BZ#1449220, BZ#1449221)
  • In an environment utilizing mixed containerized and RPM-based installation methods, the installer failed to gather facts when a master and node used different installation methods. This bug fix updates the installer to ensure mixed installations work properly. (BZ#1408663)
  • Previously, if `enable_excluders=false` was set, playbooks still installed and upgraded the excluders during the config.yml playbook even if the excluders were never previously installed. With this bug fix, if the excluders were not previously installed, playbooks avoid installing them. (BZ#1434679)
  • Previously, playbooks aborted if a namespace had non-ASCII characters in its description. This bug fix updates playbooks to properly decode Unicode characters, ensuring that upgrades to OCP 3.5 work as expected. (BZ#1444806)

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258
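
To confirm whether a host already carries the fixed builds, the following added example (not part of Red Hat's advisory) compares installed `ansible` and `openshift-ansible` packages against the versions in this advisory's package lists. The function names, the simplified RPM version comparison, and the sample `rpm` output are assumptions made for illustration.

```python
import re

# Fixed builds from this advisory's package lists: name -> stream -> (version, release).
FIXED = {
    "ansible": {"*": ("2.2.3.0", "1.el7")},  # "*" = applies to every stream
    "openshift-ansible": {                    # keyed by OCP minor version
        "3.5": ("3.5.71", "1.git.0.128c2db.el7"),
        "3.4": ("3.4.89", "1.git.0.ac29ce8.el7"),
        "3.3": ("3.3.82", "1.git.0.af0c922.el7"),
        "3.2": ("3.2.56", "1.git.0.b844ab7.el7"),
    },
}

def rpmvercmp(a, b):
    """Simplified RPM version compare (no '~' or '^' rules): -1, 0 or 1."""
    sa, sb = (re.findall(r"\d+|[A-Za-z]+", s) for s in (a, b))
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment is newer
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # extra segments win

def needs_update(name, version, release):
    """True if older than the fixed build, False if not, None if not covered."""
    streams = FIXED.get(name, {})
    stream = "*" if "*" in streams else ".".join(version.split(".")[:2])
    if stream not in streams:
        return None
    fixed_version, fixed_release = streams[stream]
    return (rpmvercmp(version, fixed_version)
            or rpmvercmp(release, fixed_release)) < 0

def audit(rpm_lines):
    """Map package name -> needs_update() for 'NAME VERSION RELEASE' lines."""
    verdicts = {}
    for line in rpm_lines.strip().splitlines():
        name, version, release = line.split()
        verdicts[name] = needs_update(name, version, release)
    return {n: v for n, v in verdicts.items() if v is not None}

# Constructed sample in the format produced by:
#   rpm -qa --qf '%{NAME} %{VERSION} %{RELEASE}\n'
SAMPLE = """ansible 2.2.1.0 2.el7
openshift-ansible 3.4.89 1.git.0.ac29ce8.el7
bash 4.2.46 21.el7"""
print(audit(SAMPLE))
```

A `True` entry means the package is older than the fixed build for its stream; packages or streams the advisory does not list are omitted from the result.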

Affected Products

  • Red Hat OpenShift Container Platform 3.5 x86_64
  • Red Hat OpenShift Container Platform 3.4 x86_64
  • Red Hat OpenShift Container Platform 3.3 x86_64

Fixes

  • BZ - 1391325 - [3.5] openshift_pkg_version doesn't seem to work
  • BZ - 1408663 - [3.4] facts collection for openshift.common.admin_binary does not seem to work in mixed environments
  • BZ - 1418032 - [3.2] Update router and registry certificates in the redeploy-certificates.yml
  • BZ - 1422541 - [3.5] [quick installer]Installer get stuck at "Gathering information from hosts..." if bad hostname checked
  • BZ - 1434679 - [3.5] openshift-ansible should do nothing to existed excluders when set "enable_excluders=false"
  • BZ - 1439212 - CVE-2017-7466 ansible: Arbitrary code execution on control node (incomplete fix for CVE-2016-9587)
  • BZ - 1439277 - Ansible Install is unable to complete install due to module losing issues.
  • BZ - 1440309 - [3.4] Post-install, master certs signed for wrong name
  • BZ - 1444106 - [3.4 Backport] openshift users encountered confirmation "Apply these filters?" when switching between index list populated in the left panel on kibana
  • BZ - 1444806 - [3.5] Unable to run upgrade playbook
  • BZ - 1445194 - [3.4] Installer fails to add/check iptables rule due to lock on xtables
  • BZ - 1445282 - [3.3] Installer fails to add/check iptables rule due to lock on xtables
  • BZ - 1446741 - [3.4] Redeploy certificates fails with custom openshift_hosted_router_certificate
  • BZ - 1446745 - [3.3] Redeploy certificates fails with custom openshift_hosted_router_certificate
  • BZ - 1447398 - [3.3] Post-install, master certs signed for wrong name
  • BZ - 1447399 - [3.5] Post-install, master certs signed for wrong name
  • BZ - 1448842 - Installing Openshift Container Platform 3.5 returns an error on Play 11/28 (Disable excluders)
  • BZ - 1449220 - [3.4] openshift_pkg_version doesn't seem to work
  • BZ - 1449221 - [3.3] openshift_pkg_version doesn't seem to work
  • BZ - 1450018 - CVE-2017-7481 ansible: Security issue with lookup return not tainting the jinja2 environment
  • BZ - 1450412 - [3.4] Installing containerized using the 3.4 playbooks may install other versions
  • BZ - 1450415 - [3.3] Installing containerized using the 3.3 playbooks may install other versions

CVEs

  • CVE-2017-7466
  • CVE-2017-7481

References

  • https://access.redhat.com/security/updates/classification/#important

Note: More recent versions of these packages may be available.

Red Hat OpenShift Container Platform 3.5

SRPM
ansible-2.2.3.0-1.el7.src.rpm SHA-256: 988c92cd44be55653d279f84a5d97d2431c86a71385371f49cbb4f3848baff48
openshift-ansible-3.5.71-1.git.0.128c2db.el7.src.rpm SHA-256: 7072e36afb768955c2eae3c1fd0bc0b6fdac64a89a9d7b48a5fe3520684d1970
x86_64
ansible-2.2.3.0-1.el7.noarch.rpm SHA-256: 9fe1329c586a25834627eecff63db5b2fec5fbe1305eff434b3155ee81cb957f
atomic-openshift-utils-3.5.71-1.git.0.128c2db.el7.noarch.rpm SHA-256: a9c98e86ee8e874620923afb237e332dc748229d5491f2ba840b93900bb97116
openshift-ansible-3.5.71-1.git.0.128c2db.el7.noarch.rpm SHA-256: 37be7b3ac39e46ae43e07b32bbadb0b39a66431463a7311c03bd45586fbec35f
openshift-ansible-callback-plugins-3.5.71-1.git.0.128c2db.el7.noarch.rpm SHA-256: 392751f8f044ed723aab6bbb6d4351792a1f9ae09b100f80bdfa33157b401a39
openshift-ansible-docs-3.5.71-1.git.0.128c2db.el7.noarch.rpm SHA-256: 1ae22cbee56abf480895920f62304ce5fd64636d2723a5dd822366b8c61115c5
openshift-ansible-filter-plugins-3.5.71-1.git.0.128c2db.el7.noarch.rpm SHA-256: acab7b9c30266fdb4b0117141ea7773b7f523446e95fe54c879162ea753d0add
openshift-ansible-lookup-plugins-3.5.71-1.git.0.128c2db.el7.noarch.rpm SHA-256: fcba26f0930deef14bb0011b991b4f5155a1dfb441922fa1acef18fdb3581122
openshift-ansible-playbooks-3.5.71-1.git.0.128c2db.el7.noarch.rpm SHA-256: 3ff38bfd65af83de74e81ecbc082a06171ae50c2a7177ba5fd67898a549bc8eb
openshift-ansible-roles-3.5.71-1.git.0.128c2db.el7.noarch.rpm SHA-256: 78eba5ca0ae40839eb156c4483c9806bb5587c3663ea3f863c19c6cbe0a49e3d

Red Hat OpenShift Container Platform 3.4

SRPM
ansible-2.2.3.0-1.el7.src.rpm SHA-256: 988c92cd44be55653d279f84a5d97d2431c86a71385371f49cbb4f3848baff48
openshift-ansible-3.4.89-1.git.0.ac29ce8.el7.src.rpm SHA-256: e6edd94419288019ef93569f6a0eddb74cf5a93b17fdffca0cabd2313813d56f
x86_64
ansible-2.2.3.0-1.el7.noarch.rpm SHA-256: 9fe1329c586a25834627eecff63db5b2fec5fbe1305eff434b3155ee81cb957f
atomic-openshift-utils-3.4.89-1.git.0.ac29ce8.el7.noarch.rpm SHA-256: 1f37982a80885b4c15152a417a9e6c20d446951107808311aba6f1d1624b3148
openshift-ansible-3.4.89-1.git.0.ac29ce8.el7.noarch.rpm SHA-256: 36db61a640533927db9a4fc57f2a594e3a711cc4489922491fcaedd0e0a5fef1
openshift-ansible-callback-plugins-3.4.89-1.git.0.ac29ce8.el7.noarch.rpm SHA-256: 15b17e88aebe82f1b8ee4a66f0ae6c4df7ef2e0883271f649413f59860f390b8
openshift-ansible-docs-3.4.89-1.git.0.ac29ce8.el7.noarch.rpm SHA-256: a1b825d5c540ce15d24a5372a2557a43a6ea4ce1fba436f5d744fd1110f06971
openshift-ansible-filter-plugins-3.4.89-1.git.0.ac29ce8.el7.noarch.rpm SHA-256: a9f2f618d36645e958d28da173c2a04202b6c8b76c58e2bf3716b8999a7604b2
openshift-ansible-lookup-plugins-3.4.89-1.git.0.ac29ce8.el7.noarch.rpm SHA-256: 70c2ff5d078f7be355952b5fe4583f7da7c6401bffcc07ec5069edd1c630b756
openshift-ansible-playbooks-3.4.89-1.git.0.ac29ce8.el7.noarch.rpm SHA-256: fc91ec9e4b13ba8811b04f582b0fbfb99bdf0f767df0ea0ea0869a9557f66ab6
openshift-ansible-roles-3.4.89-1.git.0.ac29ce8.el7.noarch.rpm SHA-256: a082eb3b744f354d3f94b8a0c36fac71f3a1e5d580b89bad0dcc909b7c3e310c

Red Hat OpenShift Container Platform 3.3

SRPM
ansible-2.2.3.0-1.el7.src.rpm SHA-256: 988c92cd44be55653d279f84a5d97d2431c86a71385371f49cbb4f3848baff48
openshift-ansible-3.3.82-1.git.0.af0c922.el7.src.rpm SHA-256: 33938512c015d682f233fdf03f967c2158a0ff1bff45bbaad53c3aaefefe5eb5
x86_64
ansible-2.2.3.0-1.el7.noarch.rpm SHA-256: 9fe1329c586a25834627eecff63db5b2fec5fbe1305eff434b3155ee81cb957f
atomic-openshift-utils-3.3.82-1.git.0.af0c922.el7.noarch.rpm SHA-256: bb935752127fefdb945caad3319d0eee7f9c67c3d3a944e29065b3cdbdd67a17
openshift-ansible-3.3.82-1.git.0.af0c922.el7.noarch.rpm SHA-256: a72cb607abb4322b8b3c8511c8920ad4c46df3d64f7213f552950f10e216f89a
openshift-ansible-callback-plugins-3.3.82-1.git.0.af0c922.el7.noarch.rpm SHA-256: 334bd466dac0cb262969b556d0c3b581c4772dbd2d6b33290be5e469dc783c01
openshift-ansible-docs-3.3.82-1.git.0.af0c922.el7.noarch.rpm SHA-256: 9bbff60357c2c86f520f5e2bb5d16ce385c5b80c97a7781b37bea2a2dc0c8c68
openshift-ansible-filter-plugins-3.3.82-1.git.0.af0c922.el7.noarch.rpm SHA-256: 12c2ad25beff0cde04f84e68525bb95d31b1f053e35913bd50c290614fe869c4
openshift-ansible-lookup-plugins-3.3.82-1.git.0.af0c922.el7.noarch.rpm SHA-256: c4646860b3f4b3fee49fceaca3f5147e68fb4b2e37edb171898a98bb22ec3f1e
openshift-ansible-playbooks-3.3.82-1.git.0.af0c922.el7.noarch.rpm SHA-256: 02664ac20e869cb4f9c82246670d3e002161e2ebd3041046715277cebc3996f3
openshift-ansible-roles-3.3.82-1.git.0.af0c922.el7.noarch.rpm SHA-256: 2261624540dab20d18ea7222b83dcaaf4724fb704a0e041bde5283d0d4529314

Red Hat OpenShift Container Platform 3.2

SRPM
ansible-2.2.3.0-1.el7.src.rpm SHA-256: 988c92cd44be55653d279f84a5d97d2431c86a71385371f49cbb4f3848baff48
openshift-ansible-3.2.56-1.git.0.b844ab7.el7.src.rpm SHA-256: 4c1ae1c92b00251b3c2ccfb208efb639d8656101f854b07648364f20dbc2b251
x86_64

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
