Synopsis

Important: OpenShift Container Platform 3.9 security, bug fix, and enhancement update

Type/Severity

Security Advisory: Important

Topic

Red Hat OpenShift Container Platform release 3.9.31 is now available with updates to packages and images that address security issues, fix several bugs, and add enhancements.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat OpenShift Container Platform is the company's cloud computing Platform-as-a-Service (PaaS) solution designed for on-premise or private cloud deployments.

This advisory contains the RPM packages for Red Hat OpenShift Container Platform 3.9.31. See the following advisory for the container images for this release:

https://access.redhat.com/errata/RHBA-2018:2014

Security Fix(es):

• routing: Malicious Service configuration can bring down routing for an entire shard (CVE-2018-1070)
• openshift-ansible: Incorrectly quoted values in etcd.conf causes disabling of SSL client certificate authentication (CVE-2018-1085)
• source-to-image: Builder images with assembler-user LABEL set to root allows attackers to execute arbitrary code (CVE-2018-10843)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Red Hat would like to thank David Hocky (Comcast) for reporting CVE-2018-1085. The CVE-2018-1070 issue was discovered by Mark Chappell (Red Hat) and the CVE-2018-10843 issue was discovered by Jeremy Choi (Red Hat).

Space precludes documenting all of the bug fixes and enhancements in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/3.9/release_notes/ocp_3_9_release_notes.html

All OpenShift Container Platform 3.9 users are advised to upgrade to these updated packages and images.

Solution

For OpenShift Container Platform 3.9 see the following documentation, which will be updated shortly for release 3.9.31, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:

https://docs.openshift.com/container-platform/3.9/release_notes/ocp_3_9_release_notes.html

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/articles/11258.

Affected Products

• Red Hat OpenShift Container Platform 3.9 x86_64

Fixes

• BZ - 1466390 - [RFE] add selector option to oadm drain
• BZ - 1498398 - Incomplete default configuration for secure-forward
• BZ - 1506175 - Should not meet "lookup failed" and "incorrect username or password" when new-app with public image in project having fake docker secret
• BZ - 1507429 - [tsb]Some error message shown when describe serviceinstance
• BZ - 1512042 - Local Registry Adapter should not display APBs that can't be deployed from a namespace other than 'openshift'
• BZ - 1525642 - immortal namespace are not immortal (as we claim them to be)
• BZ - 1529575 - [3.9] Updating etcd does not update the etcd config with new variables
• BZ - 1531096 - Prometheus fills up entire storage space
• BZ - 1534311 - [3.8]apiserver pod of service catalog in CrashLoopBackOff status after upgrading to v3.8
• BZ - 1534894 - apb preprare -f fail with error
• BZ - 1537872 - Azure need set virt_use_samba
• BZ - 1538215 - [DOCKER] Eviction manager erros in node logs
• BZ - 1539252 - Failed to push image to OCP internal image registry on EC2
• BZ - 1539310 - ASB bootstrap fail while using file authenticate type since failed to read registry credentials from file
• BZ - 1539529 - `oc apply --force` will delete resource when failing to apply
• BZ - 1539757 - async unbind returns 200 instead of 202
• BZ - 1540819 - Failed to unbind after deleting templateinstance with servicebinding existing
• BZ - 1541212 - prometheus fails compaction
• BZ - 1541350 - Namespace goes in "terminating" state due to unprovisioned ServiceInstance
• BZ - 1542387 - Unable to retrieve image names from rhcc(stage) registry
• BZ - 1542460 - When jenkins in one project and pipeline in other project. View log link points to wrong URL.
• BZ - 1546097 - Master controllers are using high amount of CPU after upgrade to 3.7
• BZ - 1546324 - Manifest does not match provided manifest digest
• BZ - 1546936 - Setting up of prometheus using ansible fails
• BZ - 1548677 - Upgrade failed due to ovs2.9 can not start while selinux-policy was not updated
• BZ - 1549060 - Should be correct 'openshift' link on about page
• BZ - 1549454 - Etcd scale-up failed when running as system container on RHEL
• BZ - 1550193 - openshift jenkins rhel image release to release migration not working
• BZ - 1550316 - Synchronize openvswitch 2.9 to mirror fastdatapath repo
• BZ - 1550385 - Update *sql-apb plan or version failed in 'behind proxy' env
• BZ - 1550591 - Mirror openshift3/prometheus-node-exporter on external mirror
• BZ - 1553012 - Duplicated node-labels in node-config.yaml while enabling cri-o
• BZ - 1553035 - CVE-2018-1070 Routing: Malicous Service configuration can bring down routing for an entire shard.
• BZ - 1553294 - [3.9] various auto-egress IP problems
• BZ - 1554141 - Unable to delete serviceinstance
• BZ - 1554145 - [apb] Newer version of APB tool fails with `apb remove` on a 3.7 version of broker
• BZ - 1554239 - [ASB] Delete project failed even if provision serviceinstances success
• BZ - 1557040 - Missing v.3.9 openshift3/metrics-cassandra metrics-hawkular-metrics and metrics-heapster images from registry.reg-aws.openshift.com
• BZ - 1557822 - CVE-2018-1085 openshift-ansible: Incorrectly quoted values in etcd.conf causes disabling of SSL client certificate authentication
• BZ - 1558183 - [starter-ca-central-1] builds in pending state indefinitely
• BZ - 1558997 - Issue when deploying Jenkins instances which have routes on various sharded routers
• BZ - 1560311 - [3.9] oc adm migrate storage produces error as signature annotations forbidden
• BZ - 1563150 - openshift3/ose image contains centos repository for RHEL7 based image
• BZ - 1563673 - [RFE] Add timeout when draining a node for update
• BZ - 1566238 - upgrade from v3.7 to v3.9 fails with openshift-ansible-3.9.20-1.git.0.f99fb43.el7
• BZ - 1568815 - Service Catalog does not refresh ClusterServicePlan after removing from catalog
• BZ - 1569030 - OpenShift Container Platform 3.9.z APB image refresh
• BZ - 1570065 - Ansible Service Broker fails to deploy due to missing namespace argument
• BZ - 1570581 - There is wrong version of atomic-openshift-web-console rpm within web-console image
• BZ - 1571601 - [3.9] Certificate expiry playbook couldn't work
• BZ - 1571944 - Stack trace from github.com/openshift/origin/pkg/image/trigger/deploymentconfigs.calculateDeploymentConfigTrigger
• BZ - 1572786 - [3.9] RFE - Need a way to upgrade OS during upgrade
• BZ - 1579096 - CVE-2018-10843 source-to-image: Builder images with assembler-user LABEL set to root allows attackers to execute arbitrary code
• BZ - 1580538 - Unable to disallow project creation from system:authentcated users after upgrade to 3.9
• BZ - 1583895 - [APB] mysql-apb update from 5.6 to 5.7 failed
• BZ - 1585243 - [3.9] Entire cluster goes to NotReady using a NetworkPolicy that contains an ingress ipBlock section
• BZ - 1586076 - API server crashes when using old format of webhook triggers in build Configs
• BZ - 1588009 - Deploying logging on a system where /tmp mounted with noexec option fails
• BZ - 1588768 - [3.9] Unqualified image is completed with "docker.io"

CVEs

• CVE-2018-1070
• CVE-2018-1085
• CVE-2018-10843

References