Red Hat Product Errata RHSA-2017:3389 - Security Advisory

Issued: 2017-12-07
Updated: 2017-12-07

Synopsis

Moderate: Red Hat OpenShift Enterprise security, bug fix, and enhancement update

Type/Severity

Security Advisory: Moderate

Topic

An update is now available for Red Hat OpenShift Container Platform 3.4, Red Hat OpenShift Container Platform 3.5, and Red Hat OpenShift Container Platform 3.6.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

OpenShift Enterprise by Red Hat is the company's cloud computing Platform-as-a-Service (PaaS) solution designed for on-premise or private cloud deployments.

This advisory contains the RPM packages for this release. An advisory for the container images for this release is available at: https://access.redhat.com/errata/RHBA-2017:3390.

Space precludes documenting all of the bug fixes and enhancements in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/3.6/release_notes/ocp_3_6_release_notes.html

https://docs.openshift.com/container-platform/3.5/release_notes/ocp_3_5_release_notes.html

https://docs.openshift.com/container-platform/3.4/release_notes/ocp_3_4_release_notes.html

All OpenShift Container Platform 3 users are advised to upgrade to these updated packages and images.

Security Fix(es):

  • An attacker with knowledge of the given name used to authenticate and access Elasticsearch can later access it without the token, bypassing authentication. This attack also requires that Elasticsearch be configured with an external route, and the data accessed is limited to the indices. (CVE-2017-12195)

This issue was discovered by Rich Megginson (Red Hat).

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat OpenShift Container Platform 3.6 x86_64
  • Red Hat OpenShift Container Platform 3.5 x86_64
  • Red Hat OpenShift Container Platform 3.4 x86_64

Fixes

  • BZ - 1399240 - pod age is shown invalid by oc client
  • BZ - 1434942 - Symbolic link error for log file of every pod started when docker log driver is journald
  • BZ - 1441089 - oc get/describe could not work when using 3.5 client to login 3.6 server
  • BZ - 1457042 - Unable to pull through to registry.access.redhat.com
  • BZ - 1458186 - Hawkular metrics rest api responding sporadically
  • BZ - 1465532 - Heapster fails to push to Hawkular-Metrics sink starting around 4K pods in 3.6
  • BZ - 1471251 - 3.4.1 White spaces in the cert prevents Origin Metrics from starting
  • BZ - 1476026 - Service Catalog issues repeated Deprovision requests against the broker, despite a 410 response
  • BZ - 1479955 - Container ose-sti-builder is marked as deprecated
  • BZ - 1481550 - [3.5]'oadm diagnostics NetworkCheck' timeout due to image 'openshift/diagnostics-deployer' pull failed
  • BZ - 1489023 - [3.4 Backport] Can not start atomic-openshift-node if the system does not have a default route
  • BZ - 1489024 - [3.5 Backport] Can not start atomic-openshift-node if the system does not have a default route
  • BZ - 1490719 - Enabled ops cluser,log in kibana-ops UI, there is no log entry under .all index, log entries only could be shown under .operations.* index
  • BZ - 1492194 - [3.5] Node affinity alpha feature can cause scheduling failures across the cluster.
  • BZ - 1493213 - Builds fail with "authentication required" after upgrade
  • BZ - 1494239 - Fluentd unable to write to Elastic Search when LDAP distinguished names are used as usernames
  • BZ - 1495540 - [3.6] oc adm router --expose-metrics fails by default
  • BZ - 1496232 - "Run mount in its own systemd scope" commit breaks 3.4 build
  • BZ - 1497042 - Unable to mount dynamically provisioned persistant volumes using vSphere
  • BZ - 1497836 - default fluentd elasticsearch plugin request timeout too short by default, leads to potential log loss and stalled log flow
  • BZ - 1498635 - Openshift allows mounting RWO volumes in multiple nodes
  • BZ - 1499176 - [3.4] Deleted in use PVCs can break the scheduler
  • BZ - 1499635 - [3.4]Metrics diagrams only could be displayed for openshift-infra project in web console
  • BZ - 1499813 - Fluentd configuration file is not right on non-ops cluster
  • BZ - 1500364 - mariadb, postgresql, mysql, and mediawiki APBs should use rhcc images
  • BZ - 1500464 - 3.5.1 White spaces in the cert prevents Origin Metrics from starting
  • BZ - 1500471 - 3.6.1 White spaces in the cert prevents Origin Metrics from starting
  • BZ - 1500513 - The extensions/v1beta1 API is not updated on old successful Jobs
  • BZ - 1500644 - [3.5]Metrics diagrams only could be displayed for openshift-infra project in web console
  • BZ - 1501517 - [ocp-3.6] Reduce iptables refreshes
  • BZ - 1501948 - [3.5] default fluentd elasticsearch plugin request timeout too short by default, leads to potential log loss and stalled log flow
  • BZ - 1501960 - Remove the use of CPU limits by default
  • BZ - 1501986 - CVE-2017-12195 OpenShift Enterprise 3: authentication bypass for elasticsearch with external routes
  • BZ - 1502789 - Pod running but logs say volume not attached
  • BZ - 1503265 - Bundled Netty dependencies have incorrect version
  • BZ - 1503563 - Logging upgrade from 3.5 to 3.6 fails with "Exception in thread "main" java.lang.IllegalArgumentException: Unknown Discovery type [kubernetes]"
  • BZ - 1505683 - fluentd pods failed to start up,"Unknown filter plugin 'record_modifier' in fluentd pods log
  • BZ - 1505898 - [3.6] oadm diagnostics NetworkCheck' timeout due to image 'openshift/diagnostics-deployer' pull failed
  • BZ - 1505900 - [3.6] oc adm diagnostics gets stuck in disconnected environment
  • BZ - 1506854 - default fluentd elasticsearch plugin request timeout too short by default, leads to potential log loss and stalled log flow

CVEs

  • CVE-2017-12195

References

  • https://access.redhat.com/security/updates/classification/#moderate

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat OpenShift Container Platform 3.6

SRPM
atomic-openshift-3.6.173.0.63-1.git.0.855ea8b.el7.src.rpm SHA-256: e6297e8947d83c9088e890714e134a81f947a015b5552914d59bb33794c93dd2
cockpit-155-1.el7.src.rpm SHA-256: f517f932ed079a43925e93ee50991c9c0daa7654f1afa8abc21f9448afba24e2
openshift-elasticsearch-plugin-2.4.4.17__redhat_1-3.el7.src.rpm SHA-256: 62b21dd920936eafed060fbaf24fb17c2eea99220605ea0d513b69342fca7020
x86_64
atomic-openshift-3.6.173.0.63-1.git.0.855ea8b.el7.x86_64.rpm SHA-256: 449e408948ed00c3d733689a10079fcf8096b799f83e0bef5106f605be43eb25
atomic-openshift-clients-3.6.173.0.63-1.git.0.855ea8b.el7.x86_64.rpm SHA-256: 3df5886e0bc6d93c2c45f3e8df1543f89a96ef3a5b738dbbb70a01517a9bbd58
atomic-openshift-clients-redistributable-3.6.173.0.63-1.git.0.855ea8b.el7.x86_64.rpm SHA-256: 400e9dca4f38143fa618973de9648d3baf9dba6124ee115117f9108263f1797d
atomic-openshift-cluster-capacity-3.6.173.0.63-1.git.0.855ea8b.el7.x86_64.rpm SHA-256: 5c021e6677c85def5f6f8b4c1d0fe3e82276a9a31159833dc12b83f0b2eeaf41
atomic-openshift-docker-excluder-3.6.173.0.63-1.git.0.855ea8b.el7.noarch.rpm SHA-256: 78692520beb021952103cb13c579b624de098d595a2196502cf7c510f6f8a5bb
atomic-openshift-dockerregistry-3.6.173.0.63-1.git.0.855ea8b.el7.x86_64.rpm SHA-256: a98b30b1cce0a1d8c171ad6dc36c2bc140d11f026d9861932d5438a8b590140b
atomic-openshift-excluder-3.6.173.0.63-1.git.0.855ea8b.el7.noarch.rpm SHA-256: 5cab3de32f567a8ac9f7544ad18d24fb104199614950743e85ebf809931e72ab
atomic-openshift-federation-services-3.6.173.0.63-1.git.0.855ea8b.el7.x86_64.rpm SHA-256: 0fe17f4a0762da2b518c3c50d397a262a00b56ff9da4830978e3275499ec1b3b
atomic-openshift-master-3.6.173.0.63-1.git.0.855ea8b.el7.x86_64.rpm SHA-256: 9222b002e30dbbf21429c4166f937dfe3a10db14895c554a29944db14d7fd44f
atomic-openshift-node-3.6.173.0.63-1.git.0.855ea8b.el7.x86_64.rpm SHA-256: c880515d4c90acff25bf6213bd625e462269d75d5f330aa8b462f2995e09c7a1
atomic-openshift-pod-3.6.173.0.63-1.git.0.855ea8b.el7.x86_64.rpm SHA-256: 0f0e0d57bceea8ded0611dc3dec8921c8ad293b7293a3e29c656d9f6387ad425
atomic-openshift-sdn-ovs-3.6.173.0.63-1.git.0.855ea8b.el7.x86_64.rpm SHA-256: 7c240d0eef1ffb3182dcc96c18c9f1a5be6a4f5808a7e906e797f1497bde7414
atomic-openshift-service-catalog-3.6.173.0.63-1.git.0.855ea8b.el7.x86_64.rpm SHA-256: 772f838f9bec5a2c0e983eb005c41935d3d0b8270aafdd9feb28224141688eed
atomic-openshift-tests-3.6.173.0.63-1.git.0.855ea8b.el7.x86_64.rpm SHA-256: 0060804cec9a2b667645192d8268c6410c25f8c124de01fe84b54327d0f41f10
cockpit-debuginfo-155-1.el7.x86_64.rpm SHA-256: 49771640882ca9a86a1ca423432322cec39d4c999e5164afe6ba32390b8d4249
cockpit-kubernetes-155-1.el7.x86_64.rpm SHA-256: d755ca13b5f17f5995aefb3fe63db71446c8c190b2b62d066388c64cd969d95b
openshift-elasticsearch-plugin-2.4.4.17__redhat_1-3.el7.noarch.rpm SHA-256: a82c27d03afbd85907af7a94503d573ca26fc9934782679025f46da2a12f841f
tuned-profiles-atomic-openshift-node-3.6.173.0.63-1.git.0.855ea8b.el7.x86_64.rpm SHA-256: 4f9023f6477392e8f5fcc55772e0a516fe3992501b2c45dde37e3cb3e8d8efc8

Red Hat OpenShift Container Platform 3.5

SRPM
atomic-openshift-3.5.5.31.47-1.git.0.25d535c.el7.src.rpm SHA-256: cd2d047ae49663ccf25286720a1fef76548d9b094c0956ea8d48bb39bae5af18
cockpit-155-1.el7.src.rpm SHA-256: f517f932ed079a43925e93ee50991c9c0daa7654f1afa8abc21f9448afba24e2
openshift-elasticsearch-plugin-2.4.4.17__redhat_1-3.el7.src.rpm SHA-256: 62b21dd920936eafed060fbaf24fb17c2eea99220605ea0d513b69342fca7020
x86_64
atomic-openshift-3.5.5.31.47-1.git.0.25d535c.el7.x86_64.rpm SHA-256: 53d04766d6af843b3c5aa2fc2fbd2e6370dec0e22bf97180c81f9b893ab84cd9
atomic-openshift-clients-3.5.5.31.47-1.git.0.25d535c.el7.x86_64.rpm SHA-256: 54b027b283ae73863d3bd7953e9b064bccaddea613258de2f4c4e250c3c1e071
atomic-openshift-clients-redistributable-3.5.5.31.47-1.git.0.25d535c.el7.x86_64.rpm SHA-256: 2210c2025972971c18109ee993948534cbee637a1b217d719f847557a541ed3a
atomic-openshift-docker-excluder-3.5.5.31.47-1.git.0.25d535c.el7.noarch.rpm SHA-256: 13476290980b36f9cd400bf6a5b9889f91dc4f9ff9b5bd1b4ac2f5faec56067f
atomic-openshift-dockerregistry-3.5.5.31.47-1.git.0.25d535c.el7.x86_64.rpm SHA-256: 8c73cbff3609e64de88bb19b99888aea2399742f0d28964076dc09793f6c541e
atomic-openshift-excluder-3.5.5.31.47-1.git.0.25d535c.el7.noarch.rpm SHA-256: 27e8c8d6086457a9fbcc4251a7d1c6fa47f878c882fc249eca56fb7d78d7c3bd
atomic-openshift-master-3.5.5.31.47-1.git.0.25d535c.el7.x86_64.rpm SHA-256: 31e087319b17c597d11a72accc8103cd9a4002fe188018a6f16755a74a8928aa
atomic-openshift-node-3.5.5.31.47-1.git.0.25d535c.el7.x86_64.rpm SHA-256: 87115c4664013332de9cfe2be3d7381f796589d4986b0a9cf67587b93ebc323e
atomic-openshift-pod-3.5.5.31.47-1.git.0.25d535c.el7.x86_64.rpm SHA-256: 37ff84ecca3a458948b232fc2925172cf62e70face7704186d339a52ed9a43e9
atomic-openshift-sdn-ovs-3.5.5.31.47-1.git.0.25d535c.el7.x86_64.rpm SHA-256: 269712b53d51a99d2cb69aa817d7cba09b4af1a39eb23a46b3bf88a0ef904f48
atomic-openshift-tests-3.5.5.31.47-1.git.0.25d535c.el7.x86_64.rpm SHA-256: 261d9fb0d506f2d2133caaa196cfd5091d6098990b98c39df5a644ae1a84206c
cockpit-debuginfo-155-1.el7.x86_64.rpm SHA-256: 49771640882ca9a86a1ca423432322cec39d4c999e5164afe6ba32390b8d4249
cockpit-kubernetes-155-1.el7.x86_64.rpm SHA-256: d755ca13b5f17f5995aefb3fe63db71446c8c190b2b62d066388c64cd969d95b
openshift-elasticsearch-plugin-2.4.4.17__redhat_1-3.el7.noarch.rpm SHA-256: a82c27d03afbd85907af7a94503d573ca26fc9934782679025f46da2a12f841f
tuned-profiles-atomic-openshift-node-3.5.5.31.47-1.git.0.25d535c.el7.x86_64.rpm SHA-256: 5362843712d38e65a9b253dd9da871c5bb1fded960f0b690c108e2607d68b43e

Red Hat OpenShift Container Platform 3.4

SRPM
atomic-openshift-3.4.1.44.38-1.git.0.d04b8d5.el7.src.rpm SHA-256: 0376f5549aecdcc5d038c3776edb19a01c46fe7f9255dd33bfec5fe90cb5729d
cockpit-155-1.el7.src.rpm SHA-256: f517f932ed079a43925e93ee50991c9c0daa7654f1afa8abc21f9448afba24e2
openshift-elasticsearch-plugin-2.4.1.11__redhat_1-3.el7.src.rpm SHA-256: 11ff2a4007d5604f548c14174b8d27c3a7f24c3dd87d667c42448ed666e01365
x86_64
atomic-openshift-3.4.1.44.38-1.git.0.d04b8d5.el7.x86_64.rpm SHA-256: 798d8f74b5d03c4961712deb1d4c81c6c258f103261616bf0b59491c0c07bf71
atomic-openshift-clients-3.4.1.44.38-1.git.0.d04b8d5.el7.x86_64.rpm SHA-256: 5b857074b52fc950d3ccf405bfb7719f8859ffb0b9f742f7b4798ac60a29a90a
atomic-openshift-clients-redistributable-3.4.1.44.38-1.git.0.d04b8d5.el7.x86_64.rpm SHA-256: c4c9634dbcf050edb783e114e4ad0ad1be5ebe0f60ccc5323e9d090f7090e1d7
atomic-openshift-docker-excluder-3.4.1.44.38-1.git.0.d04b8d5.el7.noarch.rpm SHA-256: 3f3be18ae603c9b92cabd18c646af2be65f4f9352e85d21e50c64d96374e3f5f
atomic-openshift-dockerregistry-3.4.1.44.38-1.git.0.d04b8d5.el7.x86_64.rpm SHA-256: 9e56bfcacf0568f4f17fbdd190632915353e4f014b8ae54f5e53d950d0e0b345
atomic-openshift-excluder-3.4.1.44.38-1.git.0.d04b8d5.el7.noarch.rpm SHA-256: 7705bde657dd84a34cdb37d8191e64857284b71d9465ef3b4f9a68d8d14177a6
atomic-openshift-master-3.4.1.44.38-1.git.0.d04b8d5.el7.x86_64.rpm SHA-256: 02e0be6d956e7ce531e3e6036b60d53d8e0082d55699eedd8bf33b4d09d34c01
atomic-openshift-node-3.4.1.44.38-1.git.0.d04b8d5.el7.x86_64.rpm SHA-256: 9dd7661290b9dc268332f42fbee0a035dfe9f9e1e6521914679287bd3b5c71e9
atomic-openshift-pod-3.4.1.44.38-1.git.0.d04b8d5.el7.x86_64.rpm SHA-256: 106d4f9a6f570c9dd641866a59adad388a7362cb6254a760008214b6329eae71
atomic-openshift-sdn-ovs-3.4.1.44.38-1.git.0.d04b8d5.el7.x86_64.rpm SHA-256: 60f0501d0a50a39da710bdfc3e10715065a9c1ba41155f765664e0b2b3b60beb
atomic-openshift-tests-3.4.1.44.38-1.git.0.d04b8d5.el7.x86_64.rpm SHA-256: 6000a692fd1719a9009606ecb477cf9a3a1ee6e651dbc7070c081859678c245d
cockpit-debuginfo-155-1.el7.x86_64.rpm SHA-256: 49771640882ca9a86a1ca423432322cec39d4c999e5164afe6ba32390b8d4249
cockpit-kubernetes-155-1.el7.x86_64.rpm SHA-256: d755ca13b5f17f5995aefb3fe63db71446c8c190b2b62d066388c64cd969d95b
openshift-elasticsearch-plugin-2.4.1.11__redhat_1-3.el7.noarch.rpm SHA-256: ec785df1e90b9a57845e5939e2f62285fc7a5cee1e54c0e46af80a3c5fab7810
tuned-profiles-atomic-openshift-node-3.4.1.44.38-1.git.0.d04b8d5.el7.x86_64.rpm SHA-256: f93fd631d2837cc641000e0a76c8edf8fdb5513cc512f7479e7e52dc15fc4245

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
