Red Hat Security Advisory
Synopsis: Moderate: Red Hat OpenShift Container Platform 3.7 security,
bug, and enhancement update
Advisory ID: RHSA-2017:3188-01
Product: Red Hat OpenShift Enterprise
Advisory URL: https://access.redhat.com/errata/RHSA-2017:3188
Issue date: 2017-11-28
CVE Names: CVE-2017-12195
=====================================================================
1. Summary:
An update is now available for Red Hat OpenShift Container Platform 3.7.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat OpenShift Container Platform 3.7 - noarch, x86_64
3. Description:
Red Hat OpenShift Container Platform is the company's cloud computing
Platform-as-a-Service (PaaS) solution designed for on-premise or private
cloud deployments.
The OpenShift Container Platform 3.7 Release Notes, linked in the
References section, provide information about new features, bug fixes, and
known issues.
This advisory contains the RPM packages for this release. An advisory for
the container images for this release is available at:
https://access.redhat.com/errata/RHEA-2017:3187.
Security Fix(es):
* An attacker who knows the given name used to authenticate to and access
Elasticsearch can later access it without the token, bypassing
authentication. This attack also requires that Elasticsearch be configured
with an external route, and the data accessed is limited to the indices.
(CVE-2017-12195)
Red Hat would like to thank Rich Megginson for reporting this issue.
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
For instructions on new installations, see the following documentation:
https://docs.openshift.com/container-platform/3.7/install_config/install/planning.html
For instructions on how to properly upgrade existing clusters to OpenShift
Container Platform 3.7, see the following documentation:
https://docs.openshift.com/container-platform/3.7/install_config/upgrading/index.html
5. Bugs fixed (https://bugzilla.redhat.com/):
1270436 - Could not log in when client clock is > 5 minutes ahead of server
clock
1292507 - pod terminal does not support 3rd level characters
1316364 - Auto completion does not work normaly when command name is prefixed
with path
1328913 - Long running reliability tests show network errors on nodes
1356478 - Openshift need update the output error message when try re-format the
volume
1372059 - Dynamic provisioned volumes fail in AWS due to incorrect zone
1373418 - [atomic registry]Should give more detail info when creating Project
and Image Stream with invalid name
1375134 - Navigation bar can not roll down when user zoom in till it cross over
the screen boundary
1386917 - Deleting an image should allow references to the image to be deleted
from imagestreamtags
1395564 - Unneeded spaces when copying content from terminal in web console
1401831 - docker-registry can't fetch requested blob from a remote registry
when OpenShift is behind proxy
1410288 - DNSMasq and NetworkManager scripts cause boot issues with network
resources
1413147 - Size of the emitted data exceeds buffer_chunk_limit
1415297 - Metrics does not install with cloud-provider and dynamic storage
1420543 - The --ports flag does not modify dc environment variables
1422049 - EmptyDir could lead to memory exhaustion
1427227 - Fix controller panic in creating pod event
1427992 - replicationcontrollers - not yet ready to handle request; Current
resource version
1428991 - Reordering issue on environment tab dc/bc page
1430484 - Upgrade from 3.3 to 3.4, Insufficient Pods
1430651 - Not able to set elasticsearch minimum heap size
1430661 - RFE: Add metricsPublicURL into master-config during ansible
deployment for metrics
1432607 - Elasticsearch no longer logging to a local file in a pod
1433236 - [vSphere] Unable to restart atomic-openshift-node, node ip conflicts
with cluster network
1435144 - [Intservice_public_324] Logging upgrade from 3.4.1 to 3.5.0 failed
because "No Elasticsearch pods found running. Cannot update common data model."
1435781 - Router Metrics needs to use image shipped by Red Hat
1436093 - oc binary for MAC is not signed
1436841 - Concurrent build registry push hangs - baremetal cluster with CNS
Gluster registry storage
1440620 - The help info of clear route status script need to be more specific
1441028 - Can't prune the external image
1441062 - Image Identifier is null
1442875 - Build stuck in Running status
1443163 - Failed to push image error at the end of the build when creating an
application from a template
1444367 - ansible doesn't allow to set challenge true for Openid and gitlab
1445053 - Fluentd logger is unable to keep up with high amounts of logs from
containers running on node.
1445425 - Visualization errors with multiple indices
1445797 - journald docker driver, rate limiting across all containers is
silently dropping messages.
1448595 - oadm prune command fails with TLS issues after adding --confirm
1448816 - Should add 'projected' in scc/restricted volume policy by
default
1449608 - Got error message when using `oc get storageclass storageclass_name`
1449812 - Update installer example hosts file
1449820 - Pod STATUS field is showing actual error message
1450337 - [platformmanagement_public_788]Can't remove any signature from
the image
1451023 - Changes to the default clusterNetworkCIDR & hostSubnetLength via
installer does not take in account old default value when adding new master.
1451209 - [Performance issue]hawkular-cassandra pool is busy, there is no
available connection and the queue has reached its max size 256
1451403 - Integrate .Net Core 2.0 Jenkins slave
1451769 - Image and Container GC failing at set thresholds
1451881 - headless services causes SDN initialization failure for
master-controllers when network change.
1451910 - [doc] Service is not blocked by dns egress policy rule
1452206 - Constant short buffer/very short watch error messages for
ClusterRoleBinding, ClusterRole and Role
1452214 - registry-console not starting - dc points to
openshift3/registry-console:3.6, actual image is openshift3/registry-console:v3.6
1453113 - all veth cannot be recovered after restarting openvswitch service
1453190 - Isolate the network still can be accessed for the project which
already make network global
1454239 - golang 1.8 performance regression in net/http affecting kubernetes
scale
1454535 - modifying project name in template doesn't work
1454550 - After create imagestream the usage num of
'openshift.io/imagestreams' will double counted
1454601 - Provision PV in zone other than master failed with error "disk is
not found" while disk exists
1454858 - [paid][free][online-int][starter-us-east-1] Registry liveness probe
failures for http2: no cached connection was available
1455115 - oc run valid image by dry run flag raises mess error
1455650 - If authentication receives an error it overwrites the message with
simply "State is Invalid"
1455836 - Upgrades fail due to slow reboots causing timeouts
1456584 - EFK fails when used with Active Directory authentication user with
slashes and comma
1457092 - [3.6][Cinder] Dynamic provision failed when zone is not specified in
the StorageClass
1458663 - HPA V1 unable to get metrics for resource cpu
1458849 - Deny 0.0.0.0/0 blocks all DNS resolution to local nameserver
1459430 - ES Pod failed to start up if set openshift_logging_es_cluster_size as
non-default value
1459826 - init-containers with resource requests/limits got error
1459960 - ipfailover keepalived image lacks IP Address validation
1460145 - [ursxF5mB]The message of forbidden without assign permission to
create templateinstance could be more friendly
1460153 - Overview page Application's drop-down menu partly hides when
deployment is running
1460167 - [free-int] Access 'View Quota' link will prompt error
1460564 - Change the Elasticsearch setting
"node.max_local_storage_nodes" to 1 to prevent sharing EBS volumes
1460749 - Data loss of logs can occur if fluentd pod is terminated/restarted
when Elasticsearch is unavailable
1460930 - docker is using a new configure file to defined registries
1461208 - [RFE] Allow project administrators to manage networkpolicies in their
own projects
1461466 - The router does not do a case-insensitive match of a hostname
1462397 - EnsureLoadBalancer is spammy in large clusters
1462445 - Useless log messages from AWS API calls
1462781 - [trello RXZJJKAK] "From" shows "pushed image" for
tagged image in imagestream page
1463499 - app's dc is pulling image from registry by IP but not by DNS.
1463570 - [PFfBJOsO]Only one annotation returns when both expose and
base64-expose annotations are defined in template per bind request
1463574 - Node system container failed to start due to "failed to run
Kubelet: failed to create kubelet: mkdir /var/lib/dockershim: read-only file system"
1463798 - Stale APBs present in ASB after bootstrap
1464020 - Kibana-proxy gets OOMKilled
1464025 - pre_upgrade checking failed for upgrades/etcd/noop.yml does not exist
1464222 - Ansible Service Broker requiring environment variables which should
be optional
1464349 - Kibana deployment config error
1464653 - Nodes becomes NotReady, when status update connection is
dropped/severed to master, causing node to wait on 15min default net/http timeout before trying again.
1464871 - hawkular-openshift-agent-configmap.yaml should be changed since there
is no hawkular-metrics-certificate secret in Metrics 3.6.0
1465168 - mux doesn't recognize ansible boolean parameters correctly
1465304 - [trello EVOHdIMU] avoid to add path (sub-folder) in front of the
vserver name if have specified custom partition and path
1465361 - Failed to watch networking object api errors appear in the master log
1465572 - [RFE] allow to set TLS cipher suite for the router
1465713 - Traceback info in curator pod's log
1465722 - Master is enforced to find neutron LBaaS extension when openstack
cloud provider is enabled
1465801 - Some events record in ocp36 is different from ocp35
1465987 - [RFE] Change preemption strategy for keepalived failover ip
1466031 - Ansible Service Broker does not work against pulp crane 2.13
1466133 - router pod cannot be running when set the stats-port to 0
1466152 - Json-file log driver: Neither
"openshift_logging_fluentd_use_journal=false" nor omitted collects the log entries
1466239 - Restart master service could not fix the invalid hostip in hostsubnet
1466249 - [glusterfs] Improve error messaging for failed volume mount
1466403 - Prevent internet connections by default
1466636 - node can not be started for Unit kubepods-burstable.slice already
exists
1466671 - oc patch always returns "patched" even if it doesn't do
anything
1466933 - Spam to API server is causing too many etcd writes
1467006 - Merge tests for router doing a case-insensitive match of a hostname
1467257 - stats disappeared in haproxy router
1467265 - Logging uninstall does not remove PVC
1467776 - .svc should be added to no_proxy list by default
1467790 - Start and enable node failed due to node has 64 characters hostname
1467905 - Null pointer dereference when we get bad data
1467948 - Service Broker Installer not setting correct config values
1467963 - There are no Kibana dashboards for container admins
1468173 - asb need auto bootstrap apb image spec from container catalog
1468420 - LoadBalancerRR: Removing log spam
1468579 - Missing Kubernetes Cluster ID tag from openshift cluster resources
1469001 - [RFE] Allow to specify global default FSType for volumes
1469401 - Help info of asbd is duplicate and has error
1469445 - Can't scale up elasticsearch by ansible deployment
1469448 - Need provide method to update broker status not only recreate
1469485 - Need to update service account Ansible Service Broker is using for
proper permissions
1469654 - image pruning doesn't work from outside the cluster
1469918 - The searchguard plugin script is missing in the latest elasticsearch
image
1470003 - oc adm top doesn't work out of the box
1470350 - A/B deployment seems to round-robin across all pods in multiple
services, instead of proportional routing to services
1470622 - When provision mediawiki success/failed there is no return in catalog
console
1470623 - Need create default tsb-broker if enable service-catalog and
template-service-broker in openshift-ansible
1470628 - service-catalog can't access the template-service-broker by auth
1470824 - Revisit privileges granted to Service Accounts used by Ansible
Service Broker
1470860 - Ansible Service Broker: Do not create a project if it does not
exist.
1470861 - Ansible Service Broker: Change ServiceAccount to use 'admin'
role
1470976 - Edit Autoscaler page does not show scale up/down button in the input
fields in iPad Pro & iPhone Safari.
1471033 - Sometime get "Failed to list templates/v1(undefined)" error
in catalog console
1471155 - clarify route CA certifiate edit field
1471239 - Cassandra Java heap parameters can configured incorrectly
1471255 - X-Forwarded-For and related headers send the IPv6 form of the source
IPv4 address
1471630 - [vSphere][containerized] VMDK not unmounted after deleting Pod
1471707 - exposing docker-registry with a non tls-passthrough route does not
work
1471717 - oc version cannot get openshift version against ansible deployed
service catalog env
1471899 - Addition of new routes slows down considerably with high numbers of
routes.
1471973 - Ansible Service Broker: config needs to specify
bootstrap_on_startup: true
1472224 - AD LDAP sync only users within group with oadm sync command
1473013 - Metrics can't recover when the commit log is too big
1473027 - /etc/etcd/etcd.conf file has ETCD_SNAPSHOT_COUNTER but should be
ETCD_SNAPSHOT_COUNT
1473031 - fatal error: concurrent map read and map write
1473329 - Jobs from Jenkins are not stopped when jenkins build pod is killed
1473352 - DNSSearchForming: Event Spam
1473370 - ResourceQuota controller observed making excessive LIST calls at
scale
1473512 - Pod chart display was out of the border on overviewpage in IE 11
1473523 - Got "500 Internal Server Error" when watch bindings and
instances of apigroup servicecatalog.k8s.io
1473538 - Failed to deploy jenkins pod on an Overlay2 openshift cluster
1473589 - Install CRS failed due to installer change the iptables rules of
external glusterfs cluster
1473615 - Catalog items icons display too much spacing on web console homepage
in IE
1473770 - Cinder volume not attaching to the Pod
1473777 - Hang during oadm drain node
1473858 - Installer does not configure flannel correctly for openstack
installs.
1474441 - controller-manager panic/crash on volume verification
1474599 - Default value of openshift_storageclass_provisioner is wrong
1474630 - Install CRS as docker registry storage failed due to
AnsibleUndefinedVariable error
1474715 - Failed to start Kibana pod, permission denied to run run.sh
1475242 - Device busy - pod volumes not cleaned up and stuck in
"Terminating" state
1475251 - Mediawiki123 deprovision failed.
1475558 - controller manager spam about PVCs
1475867 - Running Jenkins Builds Write to API every second
1475949 - Service Catalog does not poll on async deprovision
1476134 - The version of service-catalog is UNKNOWN
1476166 - CLI returned the clusterrole was created, but actually it did not
1476173 - Delete project can't delete the instance/bindings and other user
can get it if have same name project
1476195 - Deploy metrics via ansible was failed due to clusterrole
"hawkular-metrics" was not found
1477043 - OpenShift Registry console shows duplicate image layers
1477110 - [trello zoxUAO2w] Cannot place cursor in terminal when text are
selected outside
1477518 - The neighbor cache should be also updated for atomic host env
1477685 - A/B deployment seems to round-robin across all pods in multiple
services, instead of proportional routing to services
1477716 - SDN should not set net.ipv4.ip_forward
1477718 - Install mixed CRS environment failed due to
glusterfs_heketi_ssh_keyfile didn't copy to first master host
1477956 - Creating a rolebinding doesn't find the local role due to missing
policybinding
1479289 - Error message failed to show up the first time typing invalid char in
input box
1479533 - [starter-us-east-1] error from yum module during upgrade
1480312 - Directory permissions are incorrect when using Image Source input
1480442 - registry-console points to wrong image tag
1480453 - oc describe cronjobs <name> : Error could not find the
requested resource
1481010 - Jenkins server image, declarative pipeline fails due to missing
plugin
1481147 - oc adm diagnostics gets stuck in disconnected environment
1481354 - fluentd log is filled up with KubeClient messages when using journal
and output queue is full
1481359 - Cockpit not showing details in the Topology View east panel after you
click on one of the diagram nodes. For example, services, containers, routes, replication controllers.
1482239 - System container install on atomic host - push image to docker
registry fails
1482274 - Missing scaleio volume plugin in openshift
1482464 - Wrong word 'succesfully' in prompt message
1482551 - repoquery reports "Check uncompressed DB failed" during
openshift-ansible upgrade
1483923 - CNS deployment fails if default node selector is set
1483930 - [trello_He2j63p0] Registry hard prune doesn't work with aws s3
storage
1483931 - Verify_health_checks.yml is not in upgrade_nodes.yml and
upgrade_control_plane.yml
1484095 - REST request log spam is back in OCP 3.7
1484304 - The excluder packages shouldn't be updated if healthy check
failed
1484324 - The playbook should abort immediately once pre check finish if
pre_check failed
1484475 - Improve error messages for FailedMount
1484563 - You should not be able to modify metadata.generation in a DC
1484831 - oadm groups prune does not find groups when using whitelist
1484899 - Error if FLEX volume plugin doesn't support SELINUX
1486054 - Installer removes custom configuration from master-config.yaml during
upgrade
1486356 - Build stuck in Running Pod status shows Init:0/2
1486416 - [free-int] Core file generated by OCP 3.7
1486623 - Service catalog cannot be installed in v3.7 due to policy change
1486809 - backport "docker build --network=..." support
1487245 - 'oc get' with 'projectrequest' output as yaml or json
causes panic
1487408 - Prune Deleted Layer of a Valid Image due to minimum aging
1487438 - Conntrack table entry is not removed when UDP service is added after
single pod was removed and added back
1487573 - Deploy logging 3.7 via ansible, it failed at "Invalid version
specified for Elasticsearch".
1487665 - oc start-build hangs sometimes
1487672 - registry-console stuck in crash loop after upgrade from 3.4
1487959 - Service Catalog fails to install with ovs-multitenant SDN driver
enabled.
1487980 - Install OCP by ansible-2.2.3.0-1.el7 met syntax problem
1488076 - Logo and docs links on OCP all point to ORIGIN
1488283 - "oc new-app" doesn't respect git proxy for implicit git
process
1488288 - Pod logs hyperlink for replicaset on Monitoring page has no response
after click
1488366 - Installation fails with the following problem -> The
PersistentVolume "BS31369_ocp_registry-volume" is invalid: metadata.name: Invalid value: "XX11111_ocp_registry-volume": a DNS-1123 subdomain must consist of lower case alphanumeric characters, '-' or '.
1488505 - OpenID extra parameters not being added to the authorization token
request when openshift_master_identity_providers ansible variable is set
1488833 - docker_image_availability check failed when running testing against
an authenticated registry
1488941 - JOURNAL_READ_FROM_HEAD="false" not honored - pre-existing pod
logs indexed on logging-fluentd start
1488954 - oc adm router --expose-metrics fails by default
1489182 - [free-int] /var disk space exhaustion during upgrades [was: API calls
hanging with timeout]
1489709 - Creating first project still use /create-project page
1489754 - Log Tail cannot show error log when build failed
1490186 - Router pod not running after router certificates redeployment
1490246 - Install CNS failed due to template file missed
1490268 - [3.7] "when statements should not include jinja2 templating
delimiters" warning is shown when running installer with ansible-2.3.1.0-3.el7.noarch
1490304 - Etcd scale-up playbook should add new member to etcdClientInfo of
master-config.yaml
1490323 - No cri-o image
1490647 - 3.6.2: logging-fluentd deployed with openshift_logging_use_mux=false
fails to start due to missing mux secrets
1490660 - logging-fluentd 3.6.173.0.32 in non-mux mode fails to start with
ConfigParseError
1490680 - Missing 'un-saved' dialogs when navigate away the dc edit
yaml page with unsaved changes
1490738 - "'openshift_hosted_registry_storage_swift_domainid' is
undefined" error is seen when set openshift_hosted_registry_storage_provider to swift
1490739 - "Could not find the requested service iptables: host" when
scaling up etcd
1490768 - Failed to provision cinder volume, got http response code 300
1490905 - openshift-ansible CNS deployment fails when Docker storage is
overlay2
1490940 - [RFE] make the installer to use sysctl.d directorys instead of
sysctl.conf file.
1491193 - Error getting when request token from web console
1491202 - [Federation] Failed to create load balancer for service
federation-system/apiserver on GCE
1491331 - failed to provision volume for claim test/pv0001-claim with
StorageClass cinder. No suitable endpoint could be found in the service catalog
1491399 - Require AWS hosts be tagged "kubernetes.io/cluster/xxxx" in
3.7
1491405 - Fluentd logs filled with long lines of backslashes and undefined
method utc errors after updating docker and using json-file as log driver
1491495 - Storage size could not be set with decimal on web console
1491589 - Image Size Limit does not work
1491592 - Versions in doc is not correct
1491626 - service-catalog can't access the template-service-broker by token
in server via ansible installed
1491657 - openshift_storage_nfs task failed due to iptables-services rpm
package is not installed
1491850 - DNS resolution is broken when installing on host with multiple NICs
1491947 - "Unknown filter plugin 'k8s_meta_filter_for_mux_client'
error in fluentd pod log when enabled mux service
1492189 - [starter-us-east-1]Traffic passing through the router takes two
orders of magnitude longer to serve than locally
1492545 - Prometheus images are not pushed to brew and ops repo
1492576 - [trello O6MCrGUx]Can't save searches, visulizations and
dashboards in shared_ops mode
1492786 - Installer fails at Create OpenShift router step
1492891 - etcd writes being blocked when hard quota hit
1492935 - Registry console error on project creation, allows project to be
created regardless
1492949 - Template processing pane from service-catalog home page should fill
in pre-selected project
1492999 - Enabling admission plugins with configurations fails by using
DefaultAdmissionConfig
1493057 - HPA V2 cannot get services/unsafeproxy in the namespace
"openshift-infra"
1493276 - Setting servingInfo.clientCA to ca-bundle.crt can cause unwanted
client cert popups in browser when hitting console
1493347 - Wrong HPA condition - ScalingLimited while CPU usage is zero
1493368 - Code error of resources.limits.memory for prometheus prom-proxy
container
1493376 - installer is using "latest" tag of cri-o image as hardcode
1493431 - Should use less image parameters to deploy peometheus if we want to
use images from brew or ops repo
1493432 - Pod scheduled failed when it uses a local storage
1493450 - Cannot delete servicebroker/serviceinstance/serviceinstancecredential
resources
1493679 - can't get token from https://api.free-int.openshift.com/oauth/token/request
1493714 - installer removes /var/lib/docker/* when cri-o variables are passed
in inv file
1493827 - Debug Terminal's right border goes outside
1493903 - [hNhBstvg] accessTokenMaxAgeSeconds in oauthclient not override the
master default
1494201 - controller attach and detach not working for fiber channel
1494231 - oc import-image generates x509 error when trying to import an image
1494357 - containerized install failed when openshift_use_crio=true and
openshift_release=v3.7 is set
1494433 - duplicate "[OSEv3:children]" in document
1494461 - installer is trying to start cri-o service on nfs host
1494470 - Upgrade failed for AnsibleUndefinedVariable:
'l_bind_docker_reg_auth' is undefined
1494673 - Cassandra readiness probe can incorrectly fail in multi node setup
1495103 - audit log doesn't work now
1495105 - [trello:yzMWezC1] Node service could be started when set
net.ipv4.ip_forward = 0
1495107 - upgrade masters failed due to unexpected task to install pkgs on
dedicated node hosts
1495135 - Upgrade failed due to can not find atomic-openshift-master-api
service in non-ha containerized env
1495139 - device or resource busy error info in prometheus container logs after
running for an hour
1495142 - All the internal hosts should be added to NO_PROXY
1495150 - failed to install OCP when use openshift_logging_es_pvc_dynamic with
NFS
1495203 - openshift_logging_storage_volume_size is required even without
installation of logging stack
1495446 - Deploy prometheus without pv, ansible throw out 'dict object'
has no attribute 'nfs' info
1495491 - BC page should have Events tab
1495545 - Wrong setting etcd_backup_tag variable when create etcd backup file
1496174 - filter get_router_replicas is missing in Ansible 2.4.0.0
1496202 - openshift_logging_storage_volume_size does not take effect
1496352 - Failed to undeploy Metrics
1496359 - No APB dependencies in image rhscl-mysql-apb
1496391 - Pull image failed due to installer comment
"registry.access.redhat.com"
1496426 - Ansible service broker cannot be installed in v3.7 due to broker
configuration need to update
1496572 - ASB: Misleading error message when dockerhub credentials are
incorrect: V1 Schema Manifest does not exist in registry
1496593 - NetworkManager(99-origin-dns.sh) does not add cluster.local to
resolv.conf if there are no `search xxx` in resolv.conf
1496638 - mariadb-apb, mysql-apb should support for Service Plans
1496688 - [ASB_public_377] Apb sandbox will be launched in openshift.namespace
and fail to create the pod since can not find the matched secret when openshift.namespace is not the namespace which ansible-service-broker located
1496694 - cluster role need update to track current resources name of
servicecatalog api group for v3.7
1496707 - atomic-openshift-node unit file should configure container-engine
dependence instead of docker while enabling node and docker system container
1496725 - Could not find the requested service container-engine while
configuring "openshift_docker_use_system_container=false" in inventory file
1496742 - Lacking of template_service_broker templates after installing
atomic-openshift-utils
1496753 - Viewer could not get serviceinstance
1496756 - containerized haproxy fail to be started because no DOCKER chain is
existing
1496760 - openshift_health_check is doing "docker_storage" against a
NFS host
1497041 - 3.7 installer is setting default image version for service catalog
image to v3.6
1497047 - service catalog failed to be deployed due to "No matched
nodes" when setting osm_default_node_selector
1497098 - should move single quote character of login command
1497106 - Admission controller should block creating new Service Credentials
for an instance that is in the process of being deleted
1497133 - [trello HbrHhjgd]Error provisioning serviceclass in tsb server
installed by openshift ansible
1497144 - docker role is run against a standalone nfs host.
1497150 - atomic-openshift-node randomly failed on AWS due to AWS credentials
not set
1497168 - Upgrade should be blocked if etcd3 is not currently in use
1497310 - Registry-console image check states to use registry.access.redhat.com
1497325 - unable to find api field in struct Container for the json field
\"$setElementOrder/env\""
1497401 - Default image version for logging and metrics should be v3.7 in 3.7
ansible playbooks
1497403 - Should display Parameter by Ordering and Grouping when provision
1497412 - Comment old registry params are called always
1497766 - APB Pods are deleted even when an error occurs
1497819 - Broker should not rely on image field of APB yaml
1497839 - When Secrets are defined the APB Pod is not run in the transient
namespace
1497937 - logging-deployer pod never completes update
1498178 - Builds using Docker strategy attempt to pull down all tags of a base
image when tag is not specified
1498203 - Extracted Credentials were leaking to new bindings
1498213 - Increase ARP cache size on loadbalancers
1498571 - Remove image field from APB yaml
1498618 - Bind Parameters not shown in the UI
1498632 - OCP 3.7 syslog and journal filling up with looping "du and find
on following dirs took..." messages when exceeding 450 pods per node
1498897 - [free-stg] Application creation dialog does not close after pressing
"Create"
1498908 - openshift-installer image should support an inventory directory in
addition to flat files.
1498954 - Broker in developer mode must support apb push
1498992 - Ansible Service Broker template should default ENABLE_BASIC_AUTH to
false
1499172 - [3.7] Deleted in use PVCs can break the scheduler
1499177 - [3.3] Deleted in use PVCs can break the scheduler
1499178 - [3.2] Deleted in use PVCs can break the scheduler
1499616 - Unable to find originating origin header
1499622 - Get ProvisionedSuccessfully event while Provisioning
1499651 - The requested handler 'restart node' was not found while
enabling flannel
1499746 - Hpa v1 fail to get metrics
1500048 - APBs in the service broker need to have globally unique plan IDs
1500164 - "debug_level" isn't working
1500180 - Too many "no observation found for eviction signal
allocatableNodeFs.available" logs in node
1500242 - Failed to tag image via jenkin plugin in jenkins1 and jenkins2
1500519 - Logs are flooded with "unauthorized: authentication required"
errors
1500615 - should see serviceclass relist by RelistDuration setting while
setting RelistDuration greater than 5mins
1500616 - Should prevent relistDuration change to negative value in
servicebroker
1500627 - Prometheus pod in CrashLoopBackOff status, prometheus container
failed to start up
1500631 - Etcd migrate failed for an undefined variable
1500642 - [3.7] installer need provide a way to add docker auth to kubelet for
auto pulling infra image from an authenticated registry
1500650 - There is no clusterNetworks config in master config
1500661 - The default value for enum field of serviceclass is not shown
automatically when provisioning in web
1500664 - [hwivBoNF] Panic error "index out of range" on node when
adding ipv6 address to hostsubnet as egressIPs
1500667 - Fail to scale-up etcd when running as system container
1500731 - Bitbucket Server 5.4 Webhook push sends X-Event-Key
repo:refs_changed.
1500859 - Incorrect project count in My Projects
1500930 - Deleting 1 APB service instance triggers 4 deprovision pods inside of
4 temporary namespaces
1501133 - [H1FhCI1I]HSTS for the route is not working well due to the format is
not correct
1501152 - Binding take up to 400+ seconds when pvc is created before creating
pv.
1501231 - There is no outside network access for user created docker container
on Atomic-7.4.2
1501271 - ansible_ssh_user is overwritten by openshift_aws_build_ami_ssh_user
1501319 - Panic error "cap out of range" on node when deleting other
node in the cluster
1501523 - [ASB] APB provisioning fails to start when attempted directly after
"apb push"ing a new APB.
1501752 - OCP cluster does not work after migrate from etcd2 to etcd3 if no
.snap file is created before migrate
1501768 - deploy eventrouter failed when
openshift_logging_eventrouter_nodeselector was set
1501795 - servingInfo.clientCA should be updated to ca.crt during upgrade
1501807 - Missed notification drawer bell icon in IE & edge browsers
1501831 - The openshift_logging_elasticsearch_proxy_image_prefix shouldn't
be image name
1501845 - the router configuration is not reloaded in 10 minutes after adding
namespace label
1501850 - Networkpolicy plugin checks pod status too fast that there are lots
of warnings about PodIP is not set in node log
1501855 - the rules added in chain OPENSHIFT-ADMIN-OUTPUT-RULES cannot work
1501876 - [hwivBoNF] The pod on the other node will lose the outside connection
when enable the egressIP
1501986 - CVE-2017-12195 OpenShift Enterprise 3: authentication bypass for
elasticsearch with external routes
1502044 - Ansible Service Broker should report created on deprovision request
1502054 - glusterfs installation failed: parameter TOPOLOGY_PATH is required
and must be specified
1502551 - files in {{ __tsb_files_location }} do not exist
1502560 - Default docker parameter "--signature-enabled=false"
shouldn't be removed during the installation
1502767 - Encryption of secrets in datastore is not occurring
1502866 - 3.6 Nodes will not start with 3.7 master
1502914 - Deploymentconfig page failed to add, update, delete and move order
for environment variables
1503015 - Creating volumesnapshot does not generate volumesnapshotdata.
1503036 - The 'next' button wrongly changed to 'create' when
click image on homepage
1503091 - Need to update apiservice from v1alpha1 to v1beta1 for
servicecatalog.k8s.io
1503233 - Warning statements from `oc status` because ASB deploymentconfig has
no readiness & liveness checks
1503289 - Registry credentials are displayed in plain text in configmap for ASB
1503404 - It appears that master API service in 3.7 causes fluentd k8s metadata
plugin to kill fluentd
1503415 - Upgrade failed due to an undefined variable
oreg_auth_credentials_replace
1503450 - 3.7.1 White spaces in the cert prevents Origin Metrics from starting
1503458 - oc logs fails with unexpected stream type ""
1503860 - system container install seems broken for 3.7
1503903 - Proxy installation failed with system containers enabled
1503987 - Should prevent externalClusterServicePlanName update in
serviceinstance while PlanUpdatable=false
1503995 - Fail to pull ose image during upgrade due to docker auth token was
not updated even if oreg_auth_credentials_replace=true is set
1504001 - [trello 6zsvyyYu] A tooltip uselessly always pop up with item name
when mouse moves around
1504021 - disabledFeatures is not added into master config file when installing
standalone registry console env.
1504191 - Logging deploy configuring a bad oauth-proxy image location
1504250 - Ansible Service Broker stops listening for deprovision messages after
failure
1504511 - [trello 6zsvyyYu] Back and Next operations forget previously filled
in value in ordering template
1504515 - Upgrade failed due to installer try to stop
atomic-openshift-master-controllers on etcd host
1504525 - Upgrade failed due to masters can not finish reconciling
1504535 - Deploy cfme failed when using external NFS
1504583 - Fluent failed to gather docker event logs
1504593 - Installer doesn't report the installer status correctly if
openshift health checks failed
1504604 - Original ocp does not work after migrate an embedded etcd to a fresh
hosts
1504729 - Ansible Service Broker should log job state
1504927 - ASB Failed provision marked successful even on pod error
1504973 - Cannot unhide/confirm password parameters
1505255 - unnecessary blank shows in dc configuration page
1505266 - Node could not start due to the error:SDN node startup failed: could
not find egress network interface
1505273 - fluentd failed to load plugin when remote_syslog was enabled
1505281 - Message is confused to user when resource created by importing
template on console
1505289 - Machine error message when minpod greater than maxpod in the process
of add autoscale
1505354 - OpenShift unable to delete pods which failed ContainerCreating using
cri-o (missing CreatedAt field)
1505537 - Installer hangs at "Wait for master controller service to start
on first master"
1505671 - Failed to update status since precondition failed while
Deprovisioning
1505712 - Should disable the create button for the viewer user when ordering
template
1505782 - Should not display the delete icon in the Environment tab of pod page
1506017 - failed to start SDN plugin controller when Network CIDRS are invalid.
1506099 - [3.7]fluentd pods failed to start up,"Unknown filter plugin
'record_modifier' in fluentd pods log
1506115 - [starter-ca-central-1] web console terminal content is not cleared on
re-connect
1506128 - cri-o system container has wrong start parameter "--debug"
cause installer failure
1506141 - Upgrade failed in turn at task [Restart journald] for the first time
when run upgrade playbook on master hosts
1506149 - [hwivBoNF] Be able to access the node through the egress IP after
restart iptables service
1506153 - URL should support clusterserviceclass instead of serviceclass for
parameter
1506165 - master api&controllers did not work after split from original
master during upgrade
1506173 - S2I behavior change between OCP 3.4 (3.4.1.24) and 3.5 (3.5.5.31.24)
with regards to symlinks
1506332 - Reduce node iptables logging in V(2)
1506375 - API server panics while running conformance: APIServer panic'd
on GET /api/v1/namespaces/extended-test-cli-deployment-59v3j-tb8s9: multiple NewLogged calls!
1506396 - Increase iptables-restore timeout
1506399 - Installer ignores missing overlay
1506502 - [TSB] Should not show openshift/templates on Catalog after TSB
enabled
1506537 - Provisioning OCP on AWS failed due to SSLCertificateId missed
1506541 - No controller-manager and apiserver in latest(v3.7.0-0.179.0.0) image
1506713 - Update parameter types are not properly passed out on the /v2/catalog
API
1506931 - request to add some retries for "Create credentials for docker
cli registry auth"
1506971 - openshift-ansible-* packages should also be updated when updating
atomic-openshift-utils
1506976 - [TSB] Cannot see resources in webconsole after provision a template
to an un-owned project which only have view and create/list/get/delete serviceinstance role granted
1506998 - Should support to reveal secret with field .dockercfg
1507051 - Port 10010 is closed
1507061 - cockpit role is skipped
1507083 - openshift_master_etcd_hosts list get wrong in rpm install.
1507111 - Add support for an adapter to the local OpenShift registry
1507257 - Messages flooded with messages like StopPodSandbox $SHA from runtime
service failed: rpc error: code = 2 desc = NetworkPlugin cni failed to teardown pod <pod-name> network: CNI failed to retrieve network namespace path: Error: No such container: $SHA
1507321 - Cannot access Mediawiki123 route after binding to MySQL
1507448 - [tsb]Can't delete templateinstance and other resources when
deprovision a failed serviceinstance
1507449 - osm_controller_lease_ttl setting is not honored
1507460 - [atomic registry]Could not show members on project page after add
role to other user
1507598 - Ordinary users are not able to update ServiceInstance
1507617 - Etcd should communicate over SSL and be authenticated to
1507664 - The health checks are disabled when there are multiple services
1507730 - Bug of Delete ServiceAccount Rolebinding from WebUI
1507753 - Inconsistent environment variable action link text between config
edit page and Environment tab
1507787 - default ansible_service_broker_etcd_image_prefix should use fully
qualified etcd image name
1507822 - [trello Q53Gxe4v]Plan info is not updated automatically after change
plan
1507871 - [hwivBoNF] Should not be able to access the denied network which
defined in EgressNetworkPolicy via the egressIP
1507886 - Change secret data cause ServiceInstance update fail
1507908 - Plan of ServiceInstance can still be updated with class has
spec.planUpdatable set to false
1508047 - Router reduce log output
1508049 - apb-tools container does not work
1508059 - Prometheus and AlertManager volumes grow infinitely
1508084 - Add ServiceClassID and ServiceInstanceID params during provision and
bind
1508085 - Enable the service catalog, template broker and ansible service
broker by default
1508278 - [APB] Need to use up-to-date feature rather than the one will be
removed
1508301 - OpenShift authorization objects should be checked before upgrade v3.6
to v3.7
1508374 - For better user experience, we need to put password item after user
item
1508582 - non-admin users aren't able to update ServiceInstances
1508724 - apb image from rhcc registry provision failed
1508734 - Failed to upgrade masters due to installer try to stop
atomic-openshift-master-controllers on etcd host
1508755 - Failed to upgrade nodes for non-ha containerized env
1508893 - APB's complain about missing asb ansible module
1508969 - OpenShift RestClient Python Helpers should default to Foreground
Propagation of Delete
1508994 - APBs should not display passwords as text.
1509018 - PostgreSQL APB and MariaDB APB not showing under correct tabs in UI
1509022 - Template instance provisioning via TSB fails sporadically
1509052 - Non-Developer Deployments of Ansible Service Broker should not use
log file
1509124 - Encounter node service restart failure during openshift CA
redeployment
1509142 - Should not display the "Reveal Secret" link when secrets
without 'data' field
1509158 - Master services were not started automatically after reboot hosts for
an upgraded non-ha deployed env
1509163 - No recommended version of Open vSwitch for OCP 3.7
1509192 - `oc debug` pod does not work and shows "cannot set
blockOwnerDeletion if an ownerReference ..."
1509341 - Stop prometheus metrics growth issues
1509354 - customized router certificate files defined in
openshift_hosted_routers are not uploaded to master
1509476 - MariaDB provision failure on blank passwords
1509680 - ansible_service_broker_registry_user and
ansible_service_broker_registry_password shouldn't be required fields for dockerhub type
1509782 - openshift_prometheus_image_prefix did not use the default value if
not set it in inventory
1509819 - Environment from Secret was not shown in Hooks
1509837 - Upgrade may fail when restart master controllers
1509842 - No configmap to select when adding environment variables for hooks
1509880 - oci runtime error: permission denied while enabling docker system
container
1510172 - master controller panic during reliability long run -
TypeAssertionError during project creation/deletion
1510299 - mariadb and mysql provision failed at cannot access /etc/apb-secrets
while using rhcc registry
1510304 - mediawiki-123 still using dockerhub image although configured broker
with rhcc registry
1510314 - Unable to create client binaries/symlinks out of CLI image while
using insecure registry
1510346 - Secret of null key-value displays messy code when Reveal Secret
1510546 - ASB fails to install after recent etcd cert changes
1510599 - MariaDB/MySQL APB should use service name for binding
1510636 - Registry configuration for local registry missing a name
1510746 - Failed to deploy logging 3.7, ansible threw out error "[Errno 2]
No such file or directory" when restart atomic-openshift-master-controllers service
1511044 - Ansible service broker etcd certs are read using a file lookup, which
only works if the installer is running on the first master.
1511077 - Mediawiki cannot bind to MySql/MariaDB
1511186 - Keep Namespace On Error Configuration Value Should be Set For
openshift ansible
1511258 - MariaDB deprovision doesn't delete service
1511650 - Internet explorer 11 is not displaying catalogs
1512708 - vague behavior of a "corsAllowedOrigins" parameter in a
"master-config.yaml" configuration file
1513369 - Image snapshot-controller is using old api.
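The bug list above uses the fixed Red Hat advisory form "<Bugzilla id> - <summary>", with long summaries wrapped onto following lines, and the CVE fixed by this update is only identifiable in that list by the "CVE-YYYY-NNNN" token in its tracking bug's summary (bug 1501986). When ingesting advisories into a vulnerability tracker it is easy to lose the wrapped lines or to miss the CVE entry among the hundreds of ordinary bugs. The following is an added example, not part of the advisory or of any Red Hat tooling, that rejoins the wrapped summaries and pulls out the CVE-tagged entries; the sample excerpt is constructed from a few lines of this advisory's own list (including the dangling "enabling flannel" continuation at the top of this excerpt).

```python
"""Parse the "<bugzilla id> - <summary>" bug list of a Red Hat advisory.

Added example (not from the advisory or Red Hat). It rejoins summaries
that were wrapped across lines and indexes the entries that carry a CVE
identifier, which is how the security fix is marked inside the list.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# A list entry starts with a 6-8 digit Bugzilla id, " - ", then the summary.
BUG_LINE = re.compile(r"^(\d{6,8}) - (.*)$")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


@dataclass
class Bug:
    bz_id: int
    summary: str
    cves: List[str] = field(default_factory=list)


def parse_bug_list(text: str) -> List[Bug]:
    """Return one Bug per entry, with wrapped continuation lines rejoined.

    A line that does not start a new entry is appended to the previous
    summary. A continuation that appears before any entry (the tail of a
    summary cut off above the excerpt) has no owner and is dropped.
    """
    bugs: List[Bug] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = BUG_LINE.match(line)
        if m:
            bugs.append(Bug(int(m.group(1)), m.group(2).strip()))
        elif bugs:
            bugs[-1].summary += " " + line
    for b in bugs:
        b.cves = sorted(set(CVE_RE.findall(b.summary)))
    return bugs


def security_bugs(bugs: List[Bug]) -> List[Bug]:
    """Entries whose summary names at least one CVE."""
    return [b for b in bugs if b.cves]


def cve_index(bugs: List[Bug]) -> Dict[str, List[int]]:
    """Map each CVE id to the Bugzilla ids that track it."""
    index: Dict[str, List[int]] = {}
    for b in bugs:
        for cve in b.cves:
            index.setdefault(cve, []).append(b.bz_id)
    return index


# Constructed sample: a few lines copied from this advisory's bug list,
# including a leading orphan continuation line and two wrapped summaries.
SAMPLE = """\
enabling flannel
1500664 - [hwivBoNF] Panic error "index out of range" on node when
adding ipv6 address to hostsubnet as egressIPs
1501986 - CVE-2017-12195 OpenShift Enterprise 3: authentication bypass for
elasticsearch with external routes
1502767 - Encryption of secrets in datastore is not occurring
"""

if __name__ == "__main__":
    parsed = parse_bug_list(SAMPLE)
    for b in security_bugs(parsed):
        print(b.bz_id, b.cves, b.summary)
```

Feeding the full list from this advisory through parse_bug_list yields exactly one CVE-tagged entry, bug 1501986 for CVE-2017-12195; every other entry is a non-security bug or enhancement and can be filed accordingly.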
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2017-12195
https://access.redhat.com/security/updates/classification/#moderate
https://docs.openshift.com/container-platform/3.7/release_notes/ocp_3_7_release_notes.html
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2017 Red Hat, Inc.
