Synopsis

Critical: OpenShift Container Platform 3.6 security update

Type/Severity

Security Advisory: Critical

Topic

An update is now available for Red Hat OpenShift Container Platform release 3.6.

Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

OpenShift Enterprise by Red Hat is the company's cloud computing Platform-as-a-Service (PaaS) solution designed for on-premise or private cloud deployments.

Security Fix(es):

• A privilege escalation vulnerability exists in OpenShift Container Platform 3.x which allows for compromise of pods running on a compute node to which a pod is scheduled with normal user privilege. This access could include access to all secrets, pods, environment variables, running pod/container processes, and persistent volumes, including in privileged containers. Additionally, on versions 3.6 and higher of OpenShift Container Platform, this vulnerability allows cluster-admin level access to any API hosted by an aggregated API server. This includes the ‘servicecatalog’ API which is installed by default in 3.7 and later. Cluster-admin level access to the service catalog allows creation of brokered services by an unauthenticated user with escalated privileges in any namespace and on any node. This could lead to an attacker being allowed to deploy malicious code, or alter existing services. (CVE-2018-1002105)

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

• Red Hat OpenShift Container Platform 3.6 x86_64

Fixes

• BZ - 1648138 - CVE-2018-1002105 kubernetes: authentication/authorization bypass in the handling of non-101 responses
• BZ - 1650020 - hawkular-metrics pod failed to become ready, infinispan configuration is not right

CVEs

• CVE-2018-1002105

References

• https://access.redhat.com/security/updates/classification/#critical
• https://access.redhat.com/security/vulnerabilities/3716411
• https://docs.openshift.com/container-platform/3.6/release_notes/ocp_3_6_release_notes.html

Red Hat OpenShift Container Platform 3.6

SRPM
atomic-openshift-3.6.173.0.140-1.git.0.9686d52.el7.src.rpm	SHA-256: 4304ba4ac9ff15b647eb219ad446558c4c88125460805fcc7fb4bd505d798e59
openshift-ansible-3.6.173.0.140-1.git.0.0ccb19b.el7.src.rpm	SHA-256: 0a064b04881b6057005c98af186cba5908f268788166b2f4c66f3c118296935c
x86_64
atomic-openshift-3.6.173.0.140-1.git.0.9686d52.el7.x86_64.rpm	SHA-256: 35edb3fc3808bd4ccd5307d3a7edc1ddc447831544fedf1424d97ab1c332823b
atomic-openshift-clients-3.6.173.0.140-1.git.0.9686d52.el7.x86_64.rpm	SHA-256: 5434ef87ac30ed9ea77f87e77b1e3c8b13eacc4232e169f32bf37eb64d721a8c
atomic-openshift-clients-redistributable-3.6.173.0.140-1.git.0.9686d52.el7.x86_64.rpm	SHA-256: a99ee3bb3504a04d9c75048a651e0a495564be7e87cb5bfde6355ab6fd89dd9d
atomic-openshift-cluster-capacity-3.6.173.0.140-1.git.0.9686d52.el7.x86_64.rpm	SHA-256: b64d1d43ee91f67083a26fdc89b0bf60ce653a1aef4d8237483895c0162013c7
atomic-openshift-docker-excluder-3.6.173.0.140-1.git.0.9686d52.el7.noarch.rpm	SHA-256: 5016b1682d6cb0668c00ab0a756d2f17e431cb61132d62911561c1e61b452332
atomic-openshift-dockerregistry-3.6.173.0.140-1.git.0.9686d52.el7.x86_64.rpm	SHA-256: 89e879dcf04c2051612fa159cb6a2579b4432d21eab337233c2ff142e95b9ce0
atomic-openshift-excluder-3.6.173.0.140-1.git.0.9686d52.el7.noarch.rpm	SHA-256: 04da82b31c4cf84ddd2e2b7c706324a684ae1cbd86160c24daf4ee5ae5ae76bb
atomic-openshift-federation-services-3.6.173.0.140-1.git.0.9686d52.el7.x86_64.rpm	SHA-256: 35bc12cf1d751a017e64f37f54f4ede6c25c0d829fbe180c0a5f45bdef632010
atomic-openshift-master-3.6.173.0.140-1.git.0.9686d52.el7.x86_64.rpm	SHA-256: a68397a86c250a0a399d8e38f10cff353fe303fd536e89994a94f9293f3c1172
atomic-openshift-node-3.6.173.0.140-1.git.0.9686d52.el7.x86_64.rpm	SHA-256: cc9262570bd2ac2a19bb7e26b68afddc932df889061fdc3c8ee62faf7b426104
atomic-openshift-pod-3.6.173.0.140-1.git.0.9686d52.el7.x86_64.rpm	SHA-256: 57256747f7f919a8b2ae9eea91f274c97456cedc10f7a52bf1a76472ae44d7cb
atomic-openshift-sdn-ovs-3.6.173.0.140-1.git.0.9686d52.el7.x86_64.rpm	SHA-256: c687bee50424ad131be2dae29a2b788a625275ff0dabe8a67b3c9214fb40a305
atomic-openshift-service-catalog-3.6.173.0.140-1.git.0.9686d52.el7.x86_64.rpm	SHA-256: 9b4428b70d92b732e3166c621d9984cce80406675d89209de1460cec0bc1ed9d
atomic-openshift-tests-3.6.173.0.140-1.git.0.9686d52.el7.x86_64.rpm	SHA-256: 7d2a6fc8359c1464e11cdbdd6ea0e65c88fca297ce45f9f601151593b610c46b
atomic-openshift-utils-3.6.173.0.140-1.git.0.0ccb19b.el7.noarch.rpm	SHA-256: 9ed4966dce9a22081a845da5d483d5bb4d95c80bc259db4d8629af4a093e2165
openshift-ansible-3.6.173.0.140-1.git.0.0ccb19b.el7.noarch.rpm	SHA-256: c1a76da13038e5807d4b2305420e9f5f51aead8f08c16840052ce4ca1fb139a0
openshift-ansible-callback-plugins-3.6.173.0.140-1.git.0.0ccb19b.el7.noarch.rpm	SHA-256: d62fe6937ff10d7effe2da3eb30642f771fb582295ae908cab18360e12996619
openshift-ansible-docs-3.6.173.0.140-1.git.0.0ccb19b.el7.noarch.rpm	SHA-256: 8c3fd61d92e6cf4605f0c88a152af72407a4a22abd6801318778e9be3532e7b8
openshift-ansible-filter-plugins-3.6.173.0.140-1.git.0.0ccb19b.el7.noarch.rpm	SHA-256: 534b2f198004a2e869d6ebd15e34b753a6346dab1ad6cfeb1f2b18a00858f9eb
openshift-ansible-lookup-plugins-3.6.173.0.140-1.git.0.0ccb19b.el7.noarch.rpm	SHA-256: ec0800c60f01263bc47f589e043115855feb4b953d9d613c4bd04064102594a4
openshift-ansible-playbooks-3.6.173.0.140-1.git.0.0ccb19b.el7.noarch.rpm	SHA-256: 157acc207627cdcfc061fa792b8a1066083412da4cca18618afb73c738e10064
openshift-ansible-roles-3.6.173.0.140-1.git.0.0ccb19b.el7.noarch.rpm	SHA-256: aba0d091d6279377bfe1c9d47f40f695e5f3d04e77f03ea41d9627f7bb056fd7
tuned-profiles-atomic-openshift-node-3.6.173.0.140-1.git.0.9686d52.el7.x86_64.rpm	SHA-256: 7c6316ba2f4aceff0289418e66a12cc9dbe76dd6975e9860a62beef05684c337