Red Hat Security Advisory



Synopsis: Moderate: Red Hat OpenShift Container Platform 3.7 security,
bug, and enhancement update

Advisory ID: RHSA-2017:3188-01

Product: Red Hat OpenShift Enterprise

Advisory URL: https://access.redhat.com/errata/RHSA-2017:3188

Issue date: 2017-11-28

CVE Names: CVE-2017-12195

1. Summary:



An update is now available for Red Hat OpenShift Container Platform 3.7.



Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.



2. Relevant releases/architectures:



Red Hat OpenShift Container Platform 3.7 - noarch, x86_64



3. Description:



Red Hat OpenShift Container Platform is the company's cloud computing
Platform-as-a-Service (PaaS) solution designed for on-premise or private
cloud deployments.



The OpenShift Container Platform 3.7 Release Notes, linked in the
References section, provide information about new features, bug fixes, and
known issues.



This advisory contains the RPM packages for this release. An advisory for
the container images for this release is available at:
https://access.redhat.com/errata/RHEA-2017:3187.



Security Fix(es):



* An attacker with knowledge of the given name used to authenticate and
access Elasticsearch can later access it without the token, bypassing
authentication. This attack also requires that Elasticsearch be
configured with an external route, and the data that can be accessed is
limited to the indices. (CVE-2017-12195)



Red Hat would like to thank Rich Megginson for reporting this issue.



4. Solution:



For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258



For instructions on new installations, see the following documentation:
https://docs.openshift.com/container-platform/3.7/install_config/install/planning.html



For instructions on how to properly upgrade existing clusters to OpenShift
Container Platform 3.7, see the following documentation:
https://docs.openshift.com/container-platform/3.7/install_config/upgrading/index.html



These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/



7. References:



https://access.redhat.com/security/cve/CVE-2017-12195
https://access.redhat.com/security/updates/classification/#moderate
https://docs.openshift.com/container-platform/3.7/release_notes/ocp_3_7_release_notes.html



8. Contact:



The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/



Copyright 2017 Red Hat, Inc.

