Red Hat Product Errata RHSA-2018:2013 - Security Advisory
Issued: 2018-06-27
Updated: 2018-06-27

Synopsis

Important: OpenShift Container Platform 3.9 security, bug fix, and enhancement update

Type/Severity

Security Advisory: Important

Topic

Red Hat OpenShift Container Platform release 3.9.31 is now available with updates to packages and images that address security issues, fix several bugs, and add enhancements.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat OpenShift Container Platform is the company's cloud computing Platform-as-a-Service (PaaS) solution designed for on-premise or private cloud deployments.

This advisory contains the RPM packages for Red Hat OpenShift Container Platform 3.9.31. See the following advisory for the container images for this release:

https://access.redhat.com/errata/RHBA-2018:2014

Security Fix(es):

  • routing: Malicious Service configuration can bring down routing for an entire shard (CVE-2018-1070)
  • openshift-ansible: Incorrectly quoted values in etcd.conf cause SSL client certificate authentication to be disabled (CVE-2018-1085)
  • source-to-image: Builder images with the assemble-user LABEL set to root allow attackers to execute arbitrary code (CVE-2018-10843)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Red Hat would like to thank David Hocky (Comcast) for reporting CVE-2018-1085. The CVE-2018-1070 issue was discovered by Mark Chappell (Red Hat) and the CVE-2018-10843 issue was discovered by Jeremy Choi (Red Hat).
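As an added defender-side check, not part of this advisory or of openshift-ansible, the following Python script audits an etcd.conf for the quoting defect behind CVE-2018-1085: it reads the file as a literal KEY=VALUE env file (no quote stripping) and flags the client-certificate-authentication keys whose values are wrapped in quotes, missing, or not literally true. The key names ETCD_CLIENT_CERT_AUTH and ETCD_PEER_CLIENT_CERT_AUTH are etcd's own environment variables and are an assumption here (the advisory names neither), and both sample configurations are constructed.

```python
import re

# etcd's environment variables for TLS client-certificate authentication.
# Assumed from etcd's documented configuration; the advisory only says
# "incorrectly quoted values in etcd.conf".
CERT_AUTH_KEYS = ("ETCD_CLIENT_CERT_AUTH", "ETCD_PEER_CLIENT_CERT_AUTH")

_ASSIGN = re.compile(r"^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")

# Constructed samples: the first has the misquoted shape, the second is correct.
VULNERABLE_CONF = """\
# etcd.conf (constructed sample)
ETCD_NAME=master0
ETCD_CLIENT_CERT_AUTH="true"
ETCD_PEER_CLIENT_CERT_AUTH="true"
ETCD_TRUSTED_CA_FILE=/etc/etcd/ca.crt
"""

FIXED_CONF = """\
ETCD_NAME=master0
ETCD_CLIENT_CERT_AUTH=true
ETCD_PEER_CLIENT_CERT_AUTH=true
ETCD_TRUSTED_CA_FILE=/etc/etcd/ca.crt
"""

def parse_env_file(text):
    """Parse KEY=VALUE lines as a literal (non-shell) env-file reader would:
    nothing is unquoted, so surrounding quotes stay part of the value."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = _ASSIGN.match(line)
        if match:
            values[match.group(1)] = match.group(2).strip()
    return values

def is_quoted(value):
    """True when the value is wrapped in matching single or double quotes."""
    return len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'"

def audit_etcd_conf(text):
    """Return (key, problem) pairs for every cert-auth key that is not a bare true."""
    values = parse_env_file(text)
    findings = []
    for key in CERT_AUTH_KEYS:
        if key not in values:
            findings.append((key, "missing"))
        elif is_quoted(values[key]):
            findings.append((key, "quoted"))
        elif values[key].lower() != "true":
            findings.append((key, "not-true"))
    return findings
```

An empty result from audit_etcd_conf means both keys are present as bare true; any "quoted" finding is the shape this advisory's fixed openshift-ansible no longer writes.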

Space precludes documenting all of the bug fixes and enhancements in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/3.9/release_notes/ocp_3_9_release_notes.html

All OpenShift Container Platform 3.9 users are advised to upgrade to these updated packages and images.

Solution

For OpenShift Container Platform 3.9 see the following documentation, which will be updated shortly for release 3.9.31, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:

https://docs.openshift.com/container-platform/3.9/release_notes/ocp_3_9_release_notes.html

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/articles/11258.

Affected Products

  • Red Hat OpenShift Container Platform 3.9 x86_64

Fixes

  • BZ - 1466390 - [RFE] add selector option to oadm drain
  • BZ - 1498398 - Incomplete default configuration for secure-forward
  • BZ - 1506175 - Should not hit "lookup failed" and "incorrect username or password" when running new-app with a public image in a project that has a fake docker secret
  • BZ - 1507429 - [tsb] Error message shown when describing a serviceinstance
  • BZ - 1512042 - Local Registry Adapter should not display APBs that can't be deployed from a namespace other than 'openshift'
  • BZ - 1525642 - immortal namespaces are not immortal (as we claim them to be)
  • BZ - 1529575 - [3.9] Updating etcd does not update the etcd config with new variables
  • BZ - 1531096 - Prometheus fills up entire storage space
  • BZ - 1534311 - [3.8] apiserver pod of service catalog in CrashLoopBackOff status after upgrading to v3.8
  • BZ - 1534894 - apb prepare -f fails with error
  • BZ - 1537872 - Azure needs virt_use_samba set
  • BZ - 1538215 - [DOCKER] Eviction manager errors in node logs
  • BZ - 1539252 - Failed to push image to OCP internal image registry on EC2
  • BZ - 1539310 - ASB bootstrap fail while using file authenticate type since failed to read registry credentials from file
  • BZ - 1539529 - `oc apply --force` will delete resource when failing to apply
  • BZ - 1539757 - async unbind returns 200 instead of 202
  • BZ - 1540819 - Failed to unbind after deleting templateinstance with servicebinding existing
  • BZ - 1541212 - prometheus fails compaction
  • BZ - 1541350 - Namespace goes in "terminating" state due to unprovisioned ServiceInstance
  • BZ - 1542387 - Unable to retrieve image names from rhcc(stage) registry
  • BZ - 1542460 - When Jenkins is in one project and the pipeline in another, the View log link points to the wrong URL
  • BZ - 1546097 - Master controllers are using high amount of CPU after upgrade to 3.7
  • BZ - 1546324 - Manifest does not match provided manifest digest
  • BZ - 1546936 - Setting up of prometheus using ansible fails
  • BZ - 1548677 - Upgrade failed due to ovs2.9 can not start while selinux-policy was not updated
  • BZ - 1549060 - Should be correct 'openshift' link on about page
  • BZ - 1549454 - Etcd scale-up failed when running as system container on RHEL
  • BZ - 1550193 - openshift jenkins rhel image release to release migration not working
  • BZ - 1550316 - Synchronize openvswitch 2.9 to mirror fastdatapath repo
  • BZ - 1550385 - Update *sql-apb plan or version failed in 'behind proxy' env
  • BZ - 1550591 - Mirror openshift3/prometheus-node-exporter on external mirror
  • BZ - 1553012 - Duplicated node-labels in node-config.yaml while enabling cri-o
  • BZ - 1553035 - CVE-2018-1070 Routing: Malicious Service configuration can bring down routing for an entire shard
  • BZ - 1553294 - [3.9] various auto-egress IP problems
  • BZ - 1554141 - Unable to delete serviceinstance
  • BZ - 1554145 - [apb] Newer version of APB tool fails with `apb remove` on a 3.7 version of broker
  • BZ - 1554239 - [ASB] Delete project failed even if provision serviceinstances success
  • BZ - 1557040 - Missing v3.9 openshift3/metrics-cassandra, metrics-hawkular-metrics and metrics-heapster images from registry.reg-aws.openshift.com
  • BZ - 1557822 - CVE-2018-1085 openshift-ansible: Incorrectly quoted values in etcd.conf cause SSL client certificate authentication to be disabled
  • BZ - 1558183 - [starter-ca-central-1] builds in pending state indefinitely
  • BZ - 1558997 - Issue when deploying Jenkins instances which have routes on various sharded routers
  • BZ - 1560311 - [3.9] oc adm migrate storage produces error as signature annotations forbidden
  • BZ - 1563150 - openshift3/ose image contains centos repository for RHEL7 based image
  • BZ - 1563673 - [RFE] Add timeout when draining a node for update
  • BZ - 1566238 - upgrade from v3.7 to v3.9 fails with openshift-ansible-3.9.20-1.git.0.f99fb43.el7
  • BZ - 1568815 - Service Catalog does not refresh ClusterServicePlan after removing from catalog
  • BZ - 1569030 - OpenShift Container Platform 3.9.z APB image refresh
  • BZ - 1570065 - Ansible Service Broker fails to deploy due to missing namespace argument
  • BZ - 1570581 - There is wrong version of atomic-openshift-web-console rpm within web-console image
  • BZ - 1571601 - [3.9] Certificate expiry playbook couldn't work
  • BZ - 1571944 - Stack trace from github.com/openshift/origin/pkg/image/trigger/deploymentconfigs.calculateDeploymentConfigTrigger
  • BZ - 1572786 - [3.9] RFE - Need a way to upgrade OS during upgrade
  • BZ - 1579096 - CVE-2018-10843 source-to-image: Builder images with the assemble-user LABEL set to root allow attackers to execute arbitrary code
  • BZ - 1580538 - Unable to disallow project creation from system:authenticated users after upgrade to 3.9
  • BZ - 1583895 - [APB] mysql-apb update from 5.6 to 5.7 failed
  • BZ - 1585243 - [3.9] Entire cluster goes to NotReady using a NetworkPolicy that contains an ingress ipBlock section
  • BZ - 1586076 - API server crashes when using old format of webhook triggers in build Configs
  • BZ - 1588009 - Deploying logging on a system where /tmp mounted with noexec option fails
  • BZ - 1588768 - [3.9] Unqualified image is completed with "docker.io"

CVEs

  • CVE-2018-1070
  • CVE-2018-1085
  • CVE-2018-10843

References

  • https://access.redhat.com/security/updates/classification/#important
  • https://docs.openshift.com/container-platform/3.9/release_notes/ocp_3_9_release_notes.html
Note: More recent versions of these packages may be available. Click a package name for more details.

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
