RHSA-2017:3389 - Security Advisory

Topic

An update is now available for Red Hat OpenShift Container Platform 3.4, Red Hat OpenShift Container Platform 3.5, and Red Hat OpenShift Container Platform 3.6.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

OpenShift Enterprise by Red Hat is the company's cloud computing Platform-as-a-Service (PaaS) solution designed for on-premise or private cloud deployments.

This advisory contains the RPM packages for this release. An advisory for the container images for this release is available at: https://access.redhat.com/errata/RHBA-2017:3390.

Space precludes documenting all of the bug fixes and enhancements in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/3.6/release_notes/ocp_3_6_release_notes.html

https://docs.openshift.com/container-platform/3.5/release_notes/ocp_3_5_release_notes.html

https://docs.openshift.com/container-platform/3.4/release_notes/ocp_3_4_release_notes.html

All OpenShift Container Platform 3 users are advised to upgrade to these updated packages and images.

Security Fix(es):

• An attacker with knowledge of the given name used to authenticate and access Elasticsearch can later access it without the token, bypassing authentication. This attack also requires that the Elasticsearch be configured with an external route, and the data accessed is limited to the indices. (CVE-2017-12195)

This issue was discovered by Rich Megginson (Red Hat).

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

• Red Hat OpenShift Container Platform 3.6 x86_64
• Red Hat OpenShift Container Platform 3.5 x86_64
• Red Hat OpenShift Container Platform 3.4 x86_64

Fixes

• BZ - 1399240 - pod age is shown invalid by oc client
• BZ - 1434942 - Symbolic link error for log file of every pod started when docker log driver is journald
• BZ - 1441089 - oc get/describe could not work when using 3.5 client to login 3.6 server
• BZ - 1457042 - Unable to pull through to registry.access.redhat.com
• BZ - 1458186 - Hawkular metrics rest api responding sporadically
• BZ - 1465532 - Heapster fails to push to Hawkular-Metrics sink starting around 4K pods in 3.6
• BZ - 1471251 - 3.4.1 White spaces in the cert prevents Origin Metrics from starting
• BZ - 1476026 - Service Catalog issues repeated Deprovision requests against the broker, despite a 410 response
• BZ - 1479955 - Container ose-sti-builder is marked as deprecated
• BZ - 1481550 - [3.5]'oadm diagnostics NetworkCheck' timeout due to image 'openshift/diagnostics-deployer' pull failed
• BZ - 1489023 - [3.4 Backport] Can not start atomic-openshift-node if the system does not have a default route
• BZ - 1489024 - [3.5 Backport] Can not start atomic-openshift-node if the system does not have a default route
• BZ - 1490719 - Enabled ops cluser,log in kibana-ops UI, there is no log entry under .all index, log entries only could be shown under .operations.* index
• BZ - 1492194 - [3.5] Node affinity alpha feature can cause scheduling failures across the cluster.
• BZ - 1493213 - Builds fail with "authentication required" after upgrade
• BZ - 1494239 - Fluentd unable to write to Elastic Search when LDAP distinguished names are used as usernames
• BZ - 1495540 - [3.6] oc adm router --expose-metrics fails by default
• BZ - 1496232 - "Run mount in its own systemd scope" commit breaks 3.4 build
• BZ - 1497042 - Unable to mount dynamically provisioned persistant volumes using vSphere
• BZ - 1497836 - default fluentd elasticsearch plugin request timeout too short by default, leads to potential log loss and stalled log flow
• BZ - 1498635 - Openshift allows mounting RWO volumes in multiple nodes
• BZ - 1499176 - [3.4] Deleted in use PVCs can break the scheduler
• BZ - 1499635 - [3.4]Metrics diagrams only could be displayed for openshift-infra project in web console
• BZ - 1499813 - Fluentd configuration file is not right on non-ops cluster
• BZ - 1500364 - mariadb, postgresql, mysql, and mediawiki APBs should use rhcc images
• BZ - 1500464 - 3.5.1 White spaces in the cert prevents Origin Metrics from starting
• BZ - 1500471 - 3.6.1 White spaces in the cert prevents Origin Metrics from starting
• BZ - 1500513 - The extensions/v1beta1 API is not updated on old successful Jobs
• BZ - 1500644 - [3.5]Metrics diagrams only could be displayed for openshift-infra project in web console
• BZ - 1501517 - [ocp-3.6] Reduce iptables refreshes
• BZ - 1501948 - [3.5] default fluentd elasticsearch plugin request timeout too short by default, leads to potential log loss and stalled log flow
• BZ - 1501960 - Remove the use of CPU limits by default
• BZ - 1501986 - CVE-2017-12195 OpenShift Enterprise 3: authentication bypass for elasticsearch with external routes
• BZ - 1502789 - Pod running but logs say volume not attached
• BZ - 1503265 - Bundled Netty dependencies have incorrect version
• BZ - 1503563 - Logging upgrade from 3.5 to 3.6 fails with "Exception in thread "main" java.lang.IllegalArgumentException: Unknown Discovery type [kubernetes]"
• BZ - 1505683 - fluentd pods failed to start up,"Unknown filter plugin 'record_modifier' in fluentd pods log
• BZ - 1505898 - [3.6] oadm diagnostics NetworkCheck' timeout due to image 'openshift/diagnostics-deployer' pull failed
• BZ - 1505900 - [3.6] oc adm diagnostics gets stuck in disconnected environment
• BZ - 1506854 - default fluentd elasticsearch plugin request timeout too short by default, leads to potential log loss and stalled log flow

CVEs

• CVE-2017-12195

References

• https://access.redhat.com/security/updates/classification/#moderate