Synopsis

Moderate: Red Hat OpenShift Enterprise security, bug fix, and enhancement update

Type/Severity

Security Advisory: Moderate

Topic

An update is now available for Red Hat OpenShift Container Platform 3.4, Red Hat OpenShift Container Platform 3.5, and Red Hat OpenShift Container Platform 3.6.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

OpenShift Enterprise by Red Hat is the company's cloud computing Platform-as-a-Service (PaaS) solution designed for on-premise or private cloud deployments.

This advisory contains the RPM packages for this release. An advisory for the container images for this release is available at: https://access.redhat.com/errata/RHBA-2017:3390.

Space precludes documenting all of the bug fixes and enhancements in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/3.6/release_notes/ocp_3_6_release_notes.html

https://docs.openshift.com/container-platform/3.5/release_notes/ocp_3_5_release_notes.html

https://docs.openshift.com/container-platform/3.4/release_notes/ocp_3_4_release_notes.html

All OpenShift Container Platform 3 users are advised to upgrade to these updated packages and images.

Security Fix(es):

• An attacker with knowledge of the given name used to authenticate and access Elasticsearch can later access it without the token, bypassing authentication. This attack also requires that the Elasticsearch be configured with an external route, and the data accessed is limited to the indices. (CVE-2017-12195)
  

This issue was discovered by Rich Megginson (Red Hat).

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

• Red Hat OpenShift Container Platform 3.6 x86_64
• Red Hat OpenShift Container Platform 3.5 x86_64
• Red Hat OpenShift Container Platform 3.4 x86_64

Fixes

• BZ - 1399240 - pod age is shown invalid by oc client
• BZ - 1434942 - Symbolic link error for log file of every pod started when docker log driver is journald
• BZ - 1441089 - oc get/describe could not work when using 3.5 client to login 3.6 server
• BZ - 1457042 - Unable to pull through to registry.access.redhat.com
• BZ - 1458186 - Hawkular metrics rest api responding sporadically
• BZ - 1465532 - Heapster fails to push to Hawkular-Metrics sink starting around 4K pods in 3.6
• BZ - 1471251 - 3.4.1 White spaces in the cert prevents Origin Metrics from starting
• BZ - 1476026 - Service Catalog issues repeated Deprovision requests against the broker, despite a 410 response
• BZ - 1479955 - Container ose-sti-builder is marked as deprecated
• BZ - 1481550 - [3.5]'oadm diagnostics NetworkCheck' timeout due to image 'openshift/diagnostics-deployer' pull failed
• BZ - 1489023 - [3.4 Backport] Can not start atomic-openshift-node if the system does not have a default route
• BZ - 1489024 - [3.5 Backport] Can not start atomic-openshift-node if the system does not have a default route
• BZ - 1490719 - Enabled ops cluser,log in kibana-ops UI, there is no log entry under .all index, log entries only could be shown under .operations.* index
• BZ - 1492194 - [3.5] Node affinity alpha feature can cause scheduling failures across the cluster.
• BZ - 1493213 - Builds fail with "authentication required" after upgrade
• BZ - 1494239 - Fluentd unable to write to Elastic Search when LDAP distinguished names are used as usernames
• BZ - 1495540 - [3.6] oc adm router --expose-metrics fails by default
• BZ - 1496232 - "Run mount in its own systemd scope" commit breaks 3.4 build
• BZ - 1497042 - Unable to mount dynamically provisioned persistant volumes using vSphere
• BZ - 1497836 - default fluentd elasticsearch plugin request timeout too short by default, leads to potential log loss and stalled log flow
• BZ - 1498635 - Openshift allows mounting RWO volumes in multiple nodes
• BZ - 1499176 - [3.4] Deleted in use PVCs can break the scheduler
• BZ - 1499635 - [3.4]Metrics diagrams only could be displayed for openshift-infra project in web console
• BZ - 1499813 - Fluentd configuration file is not right on non-ops cluster
• BZ - 1500364 - mariadb, postgresql, mysql, and mediawiki APBs should use rhcc images
• BZ - 1500464 - 3.5.1 White spaces in the cert prevents Origin Metrics from starting
• BZ - 1500471 - 3.6.1 White spaces in the cert prevents Origin Metrics from starting
• BZ - 1500513 - The extensions/v1beta1 API is not updated on old successful Jobs
• BZ - 1500644 - [3.5]Metrics diagrams only could be displayed for openshift-infra project in web console
• BZ - 1501517 - [ocp-3.6] Reduce iptables refreshes
• BZ - 1501948 - [3.5] default fluentd elasticsearch plugin request timeout too short by default, leads to potential log loss and stalled log flow
• BZ - 1501960 - Remove the use of CPU limits by default
• BZ - 1501986 - CVE-2017-12195 OpenShift Enterprise 3: authentication bypass for elasticsearch with external routes
• BZ - 1502789 - Pod running but logs say volume not attached
• BZ - 1503265 - Bundled Netty dependencies have incorrect version
• BZ - 1503563 - Logging upgrade from 3.5 to 3.6 fails with "Exception in thread "main" java.lang.IllegalArgumentException: Unknown Discovery type [kubernetes]"
• BZ - 1505683 - fluentd pods failed to start up,"Unknown filter plugin 'record_modifier' in fluentd pods log
• BZ - 1505898 - [3.6] oadm diagnostics NetworkCheck' timeout due to image 'openshift/diagnostics-deployer' pull failed
• BZ - 1505900 - [3.6] oc adm diagnostics gets stuck in disconnected environment
• BZ - 1506854 - default fluentd elasticsearch plugin request timeout too short by default, leads to potential log loss and stalled log flow

CVEs

• CVE-2017-12195

References

• https://access.redhat.com/security/updates/classification/#moderate

Red Hat OpenShift Container Platform 3.6

SRPM
atomic-openshift-3.6.173.0.63-1.git.0.855ea8b.el7.src.rpm	SHA-256: e6297e8947d83c9088e890714e134a81f947a015b5552914d59bb33794c93dd2
cockpit-155-1.el7.src.rpm	SHA-256: f517f932ed079a43925e93ee50991c9c0daa7654f1afa8abc21f9448afba24e2
openshift-elasticsearch-plugin-2.4.4.17__redhat_1-3.el7.src.rpm	SHA-256: 62b21dd920936eafed060fbaf24fb17c2eea99220605ea0d513b69342fca7020
x86_64
atomic-openshift-3.6.173.0.63-1.git.0.855ea8b.el7.x86_64.rpm	SHA-256: 449e408948ed00c3d733689a10079fcf8096b799f83e0bef5106f605be43eb25
atomic-openshift-clients-3.6.173.0.63-1.git.0.855ea8b.el7.x86_64.rpm	SHA-256: 3df5886e0bc6d93c2c45f3e8df1543f89a96ef3a5b738dbbb70a01517a9bbd58
atomic-openshift-clients-redistributable-3.6.173.0.63-1.git.0.855ea8b.el7.x86_64.rpm	SHA-256: 400e9dca4f38143fa618973de9648d3baf9dba6124ee115117f9108263f1797d
atomic-openshift-cluster-capacity-3.6.173.0.63-1.git.0.855ea8b.el7.x86_64.rpm	SHA-256: 5c021e6677c85def5f6f8b4c1d0fe3e82276a9a31159833dc12b83f0b2eeaf41
atomic-openshift-docker-excluder-3.6.173.0.63-1.git.0.855ea8b.el7.noarch.rpm	SHA-256: 78692520beb021952103cb13c579b624de098d595a2196502cf7c510f6f8a5bb
atomic-openshift-dockerregistry-3.6.173.0.63-1.git.0.855ea8b.el7.x86_64.rpm	SHA-256: a98b30b1cce0a1d8c171ad6dc36c2bc140d11f026d9861932d5438a8b590140b
atomic-openshift-excluder-3.6.173.0.63-1.git.0.855ea8b.el7.noarch.rpm	SHA-256: 5cab3de32f567a8ac9f7544ad18d24fb104199614950743e85ebf809931e72ab
atomic-openshift-federation-services-3.6.173.0.63-1.git.0.855ea8b.el7.x86_64.rpm	SHA-256: 0fe17f4a0762da2b518c3c50d397a262a00b56ff9da4830978e3275499ec1b3b
atomic-openshift-master-3.6.173.0.63-1.git.0.855ea8b.el7.x86_64.rpm	SHA-256: 9222b002e30dbbf21429c4166f937dfe3a10db14895c554a29944db14d7fd44f
atomic-openshift-node-3.6.173.0.63-1.git.0.855ea8b.el7.x86_64.rpm	SHA-256: c880515d4c90acff25bf6213bd625e462269d75d5f330aa8b462f2995e09c7a1
atomic-openshift-pod-3.6.173.0.63-1.git.0.855ea8b.el7.x86_64.rpm	SHA-256: 0f0e0d57bceea8ded0611dc3dec8921c8ad293b7293a3e29c656d9f6387ad425
atomic-openshift-sdn-ovs-3.6.173.0.63-1.git.0.855ea8b.el7.x86_64.rpm	SHA-256: 7c240d0eef1ffb3182dcc96c18c9f1a5be6a4f5808a7e906e797f1497bde7414
atomic-openshift-service-catalog-3.6.173.0.63-1.git.0.855ea8b.el7.x86_64.rpm	SHA-256: 772f838f9bec5a2c0e983eb005c41935d3d0b8270aafdd9feb28224141688eed
atomic-openshift-tests-3.6.173.0.63-1.git.0.855ea8b.el7.x86_64.rpm	SHA-256: 0060804cec9a2b667645192d8268c6410c25f8c124de01fe84b54327d0f41f10
cockpit-debuginfo-155-1.el7.x86_64.rpm	SHA-256: 49771640882ca9a86a1ca423432322cec39d4c999e5164afe6ba32390b8d4249
cockpit-kubernetes-155-1.el7.x86_64.rpm	SHA-256: d755ca13b5f17f5995aefb3fe63db71446c8c190b2b62d066388c64cd969d95b
openshift-elasticsearch-plugin-2.4.4.17__redhat_1-3.el7.noarch.rpm	SHA-256: a82c27d03afbd85907af7a94503d573ca26fc9934782679025f46da2a12f841f
tuned-profiles-atomic-openshift-node-3.6.173.0.63-1.git.0.855ea8b.el7.x86_64.rpm	SHA-256: 4f9023f6477392e8f5fcc55772e0a516fe3992501b2c45dde37e3cb3e8d8efc8

Red Hat OpenShift Container Platform 3.5

SRPM
atomic-openshift-3.5.5.31.47-1.git.0.25d535c.el7.src.rpm	SHA-256: cd2d047ae49663ccf25286720a1fef76548d9b094c0956ea8d48bb39bae5af18
cockpit-155-1.el7.src.rpm	SHA-256: f517f932ed079a43925e93ee50991c9c0daa7654f1afa8abc21f9448afba24e2
openshift-elasticsearch-plugin-2.4.4.17__redhat_1-3.el7.src.rpm	SHA-256: 62b21dd920936eafed060fbaf24fb17c2eea99220605ea0d513b69342fca7020
x86_64
atomic-openshift-3.5.5.31.47-1.git.0.25d535c.el7.x86_64.rpm	SHA-256: 53d04766d6af843b3c5aa2fc2fbd2e6370dec0e22bf97180c81f9b893ab84cd9
atomic-openshift-clients-3.5.5.31.47-1.git.0.25d535c.el7.x86_64.rpm	SHA-256: 54b027b283ae73863d3bd7953e9b064bccaddea613258de2f4c4e250c3c1e071
atomic-openshift-clients-redistributable-3.5.5.31.47-1.git.0.25d535c.el7.x86_64.rpm	SHA-256: 2210c2025972971c18109ee993948534cbee637a1b217d719f847557a541ed3a
atomic-openshift-docker-excluder-3.5.5.31.47-1.git.0.25d535c.el7.noarch.rpm	SHA-256: 13476290980b36f9cd400bf6a5b9889f91dc4f9ff9b5bd1b4ac2f5faec56067f
atomic-openshift-dockerregistry-3.5.5.31.47-1.git.0.25d535c.el7.x86_64.rpm	SHA-256: 8c73cbff3609e64de88bb19b99888aea2399742f0d28964076dc09793f6c541e
atomic-openshift-excluder-3.5.5.31.47-1.git.0.25d535c.el7.noarch.rpm	SHA-256: 27e8c8d6086457a9fbcc4251a7d1c6fa47f878c882fc249eca56fb7d78d7c3bd
atomic-openshift-master-3.5.5.31.47-1.git.0.25d535c.el7.x86_64.rpm	SHA-256: 31e087319b17c597d11a72accc8103cd9a4002fe188018a6f16755a74a8928aa
atomic-openshift-node-3.5.5.31.47-1.git.0.25d535c.el7.x86_64.rpm	SHA-256: 87115c4664013332de9cfe2be3d7381f796589d4986b0a9cf67587b93ebc323e
atomic-openshift-pod-3.5.5.31.47-1.git.0.25d535c.el7.x86_64.rpm	SHA-256: 37ff84ecca3a458948b232fc2925172cf62e70face7704186d339a52ed9a43e9
atomic-openshift-sdn-ovs-3.5.5.31.47-1.git.0.25d535c.el7.x86_64.rpm	SHA-256: 269712b53d51a99d2cb69aa817d7cba09b4af1a39eb23a46b3bf88a0ef904f48
atomic-openshift-tests-3.5.5.31.47-1.git.0.25d535c.el7.x86_64.rpm	SHA-256: 261d9fb0d506f2d2133caaa196cfd5091d6098990b98c39df5a644ae1a84206c
cockpit-debuginfo-155-1.el7.x86_64.rpm	SHA-256: 49771640882ca9a86a1ca423432322cec39d4c999e5164afe6ba32390b8d4249
cockpit-kubernetes-155-1.el7.x86_64.rpm	SHA-256: d755ca13b5f17f5995aefb3fe63db71446c8c190b2b62d066388c64cd969d95b
openshift-elasticsearch-plugin-2.4.4.17__redhat_1-3.el7.noarch.rpm	SHA-256: a82c27d03afbd85907af7a94503d573ca26fc9934782679025f46da2a12f841f
tuned-profiles-atomic-openshift-node-3.5.5.31.47-1.git.0.25d535c.el7.x86_64.rpm	SHA-256: 5362843712d38e65a9b253dd9da871c5bb1fded960f0b690c108e2607d68b43e

Red Hat OpenShift Container Platform 3.4

SRPM
atomic-openshift-3.4.1.44.38-1.git.0.d04b8d5.el7.src.rpm	SHA-256: 0376f5549aecdcc5d038c3776edb19a01c46fe7f9255dd33bfec5fe90cb5729d
cockpit-155-1.el7.src.rpm	SHA-256: f517f932ed079a43925e93ee50991c9c0daa7654f1afa8abc21f9448afba24e2
openshift-elasticsearch-plugin-2.4.1.11__redhat_1-3.el7.src.rpm	SHA-256: 11ff2a4007d5604f548c14174b8d27c3a7f24c3dd87d667c42448ed666e01365
x86_64
atomic-openshift-3.4.1.44.38-1.git.0.d04b8d5.el7.x86_64.rpm	SHA-256: 798d8f74b5d03c4961712deb1d4c81c6c258f103261616bf0b59491c0c07bf71
atomic-openshift-clients-3.4.1.44.38-1.git.0.d04b8d5.el7.x86_64.rpm	SHA-256: 5b857074b52fc950d3ccf405bfb7719f8859ffb0b9f742f7b4798ac60a29a90a
atomic-openshift-clients-redistributable-3.4.1.44.38-1.git.0.d04b8d5.el7.x86_64.rpm	SHA-256: c4c9634dbcf050edb783e114e4ad0ad1be5ebe0f60ccc5323e9d090f7090e1d7
atomic-openshift-docker-excluder-3.4.1.44.38-1.git.0.d04b8d5.el7.noarch.rpm	SHA-256: 3f3be18ae603c9b92cabd18c646af2be65f4f9352e85d21e50c64d96374e3f5f
atomic-openshift-dockerregistry-3.4.1.44.38-1.git.0.d04b8d5.el7.x86_64.rpm	SHA-256: 9e56bfcacf0568f4f17fbdd190632915353e4f014b8ae54f5e53d950d0e0b345
atomic-openshift-excluder-3.4.1.44.38-1.git.0.d04b8d5.el7.noarch.rpm	SHA-256: 7705bde657dd84a34cdb37d8191e64857284b71d9465ef3b4f9a68d8d14177a6
atomic-openshift-master-3.4.1.44.38-1.git.0.d04b8d5.el7.x86_64.rpm	SHA-256: 02e0be6d956e7ce531e3e6036b60d53d8e0082d55699eedd8bf33b4d09d34c01
atomic-openshift-node-3.4.1.44.38-1.git.0.d04b8d5.el7.x86_64.rpm	SHA-256: 9dd7661290b9dc268332f42fbee0a035dfe9f9e1e6521914679287bd3b5c71e9
atomic-openshift-pod-3.4.1.44.38-1.git.0.d04b8d5.el7.x86_64.rpm	SHA-256: 106d4f9a6f570c9dd641866a59adad388a7362cb6254a760008214b6329eae71
atomic-openshift-sdn-ovs-3.4.1.44.38-1.git.0.d04b8d5.el7.x86_64.rpm	SHA-256: 60f0501d0a50a39da710bdfc3e10715065a9c1ba41155f765664e0b2b3b60beb
atomic-openshift-tests-3.4.1.44.38-1.git.0.d04b8d5.el7.x86_64.rpm	SHA-256: 6000a692fd1719a9009606ecb477cf9a3a1ee6e651dbc7070c081859678c245d
cockpit-debuginfo-155-1.el7.x86_64.rpm	SHA-256: 49771640882ca9a86a1ca423432322cec39d4c999e5164afe6ba32390b8d4249
cockpit-kubernetes-155-1.el7.x86_64.rpm	SHA-256: d755ca13b5f17f5995aefb3fe63db71446c8c190b2b62d066388c64cd969d95b
openshift-elasticsearch-plugin-2.4.1.11__redhat_1-3.el7.noarch.rpm	SHA-256: ec785df1e90b9a57845e5939e2f62285fc7a5cee1e54c0e46af80a3c5fab7810
tuned-profiles-atomic-openshift-node-3.4.1.44.38-1.git.0.d04b8d5.el7.x86_64.rpm	SHA-256: f93fd631d2837cc641000e0a76c8edf8fdb5513cc512f7479e7e52dc15fc4245