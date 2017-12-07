-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1



Red Hat Security Advisory



Synopsis: Moderate: Red Hat OpenShift Enterprise security, bug fix, and enhancement update

Advisory ID: RHSA-2017:3389-01

Product: Red Hat OpenShift Enterprise

Advisory URL: https://access.redhat.com/errata/RHSA-2017:3389

Issue date: 2017-12-07

CVE Names: CVE-2017-12195

1. Summary:



An update is now available for Red Hat OpenShift Container Platform 3.4,

Red Hat OpenShift Container Platform 3.5, and Red Hat OpenShift Container

Platform 3.6.



Red Hat Product Security has rated this update as having a security impact

of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which

gives a detailed severity rating, is available for each vulnerability from

the CVE link(s) in the References section.



2. Relevant releases/architectures:



Red Hat OpenShift Container Platform 3.4 - noarch, x86_64

Red Hat OpenShift Container Platform 3.5 - noarch, x86_64

Red Hat OpenShift Container Platform 3.6 - noarch, x86_64



3. Description:



OpenShift Enterprise by Red Hat is the company's cloud computing

Platform-as-a-Service (PaaS) solution designed for on-premise or private

cloud deployments.



This advisory contains the RPM packages for this release. An advisory for

the container images for this release is available at:

https://access.redhat.com/errata/RHBA-2017:3390.



Space precludes documenting all of the bug fixes and enhancements in this

advisory. See the following Release Notes documentation, which will be

updated shortly for this release, for details about these changes:



https://docs.openshift.com/container-platform/3.6/release_notes/ocp_3_6_release_notes.html



https://docs.openshift.com/container-platform/3.5/release_notes/ocp_3_5_release_notes.html



https://docs.openshift.com/container-platform/3.4/release_notes/ocp_3_4_release_notes.html



All OpenShift Container Platform 3 users are advised to upgrade to these

updated packages and images.



Security Fix(es):



* An attacker who knows the user name that was used to authenticate to and

access Elasticsearch can later access it without presenting the token, bypassing

authentication. The attack also requires that Elasticsearch be exposed through an

external route, and the data that can be reached this way is limited to the

Elasticsearch indices. (CVE-2017-12195)



This issue was discovered by Rich Megginson (Red Hat).
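The two preconditions stated above (Elasticsearch reachable through an external route, and an openshift-elasticsearch-plugin build older than the one listed in section 6) are what an administrator has to establish when triaging this advisory. The shell helper below is an added example written for this page, not code from Red Hat or from the advisory. It works on text captured from the cluster rather than calling `oc` itself, so it runs offline against the constructed route listing embedded in it. It assumes the aggregated-logging project is named `logging` and that the Elasticsearch services carry the OpenShift 3.x default names `logging-es` and `logging-es-ops`; both are assumptions to adjust for your deployment. The version comparison looks only at the numeric segments of the VERSION-RELEASE string, which is sufficient for the builds in this advisory but is not a full rpmvercmp.

```shell
#!/bin/sh
# Added triage helper for CVE-2017-12195 (example for this page, not Red Hat code).
# Inputs are plain text captured from the cluster so the script runs offline;
# the route listing further down is a constructed sample.

# Fixed openshift-elasticsearch-plugin builds from section 6 of the advisory
# (VERSION-RELEASE without the .el7 dist tag).
FIXED_PLUGIN_34="2.4.1.11__redhat_1-3"
FIXED_PLUGIN_35_36="2.4.4.17__redhat_1-3"

# es_routes: reads lines of "<route-name> <target-service>" on stdin, as produced by
#   oc get routes -n logging -o custom-columns=NAME:.metadata.name,SVC:.spec.to.name --no-headers
# and prints the names of routes whose target is an Elasticsearch service. Any
# output means the "external route" precondition of the advisory is met.
# Assumption: the ES services use the OCP 3.x default names logging-es / logging-es-ops.
es_routes() {
  awk '$2 ~ /^logging-es(-ops)?$/ { print $1 }'
}

# vercmp_numeric A B: prints -1, 0 or 1 by comparing the numeric segments of two
# version-release strings left to right. Alphabetic segments ("redhat") are ignored,
# a simplification of rpmvercmp that is adequate here because every plugin build in
# the advisory shares the same alphabetic parts. Missing trailing segments count as 0.
vercmp_numeric() {
  printf '%s\n%s\n' "$1" "$2" | awk '
    {
      gsub(/[^0-9]+/, " ")
      n = split($0, f, " ")
      for (i = 1; i <= n; i++) seg[NR, i] = f[i]
      len[NR] = n
    }
    END {
      m = (len[1] > len[2]) ? len[1] : len[2]
      for (i = 1; i <= m; i++) {
        x = seg[1, i] + 0
        y = seg[2, i] + 0
        if (x < y) { print "-1"; exit }
        if (x > y) { print "1"; exit }
      }
      print "0"
    }'
}

# plugin_is_fixed STREAM INSTALLED: succeeds when INSTALLED (the VERSION-RELEASE
# printed by `rpm -q --qf '%{VERSION}-%{RELEASE}\n' openshift-elasticsearch-plugin`
# inside the Elasticsearch pod) is at or above the build this advisory ships for
# OCP STREAM (3.4, 3.5 or 3.6).
plugin_is_fixed() {
  case "$1" in
    3.4)     fixed="$FIXED_PLUGIN_34" ;;
    3.5|3.6) fixed="$FIXED_PLUGIN_35_36" ;;
    *) echo "unknown OCP stream: $1" >&2; return 2 ;;
  esac
  installed=${2%.el[0-9]*}            # drop the dist tag if the caller left it on
  [ "$(vercmp_numeric "$installed" "$fixed")" -ge 0 ]
}

# Constructed sample of the route listing: Kibana is exposed (expected) and so is
# Elasticsearch itself, which is the configuration the advisory warns about.
SAMPLE_ROUTES='logging-kibana      logging-kibana
logging-es          logging-es
logging-kibana-ops  logging-kibana-ops'

exposed=$(printf '%s\n' "$SAMPLE_ROUTES" | es_routes)
if [ -n "$exposed" ]; then
  echo "Elasticsearch is reachable through route(s): $exposed"
else
  echo "No route targets Elasticsearch; CVE-2017-12195 precondition not met"
fi

for v in 2.4.4.16__redhat_1-2.el7 2.4.4.17__redhat_1-3.el7; do
  if plugin_is_fixed 3.6 "$v"; then
    echo "plugin $v: fixed for OCP 3.6"
  else
    echo "plugin $v: VULNERABLE, update to $FIXED_PLUGIN_35_36"
  fi
done
```

On a live cluster, feed `es_routes` from `oc get routes -n logging -o custom-columns=NAME:.metadata.name,SVC:.spec.to.name --no-headers` and obtain the installed build with `oc exec -n logging <es-pod> -- rpm -q --qf '%{VERSION}-%{RELEASE}\n' openshift-elasticsearch-plugin` (the pod name is a placeholder). A route to Elasticsearch is not itself a defect, but while the plugin is below the fixed build it is the condition that turns knowledge of a user name into index access, so removing the route is the interim mitigation until the RPM and image updates from this advisory and RHBA-2017:3390 are applied.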



4. Solution:



For details on how to apply this update, which includes the changes

described in this advisory, refer to:



https://access.redhat.com/articles/11258



5. Bugs fixed (https://bugzilla.redhat.com/):



1399240 - pod age is shown invalid by oc client

1434942 - Symbolic link error for log file of every pod started when docker log driver is journald

1441089 - oc get/describe could not work when using 3.5 client to login 3.6 server

1457042 - Unable to pull through to registry.access.redhat.com

1458186 - Hawkular metrics rest api responding sporadically

1465532 - Heapster fails to push to Hawkular-Metrics sink starting around 4K pods in 3.6

1471251 - 3.4.1 White spaces in the cert prevents Origin Metrics from starting

1476026 - Service Catalog issues repeated Deprovision requests against the broker, despite a 410 response

1479955 - Container ose-sti-builder is marked as deprecated

1481550 - [3.5] 'oadm diagnostics NetworkCheck' timeout due to image 'openshift/diagnostics-deployer' pull failed

1489023 - [3.4 Backport] Can not start atomic-openshift-node if the system does not have a default route

1489024 - [3.5 Backport] Can not start atomic-openshift-node if the system does not have a default route

1490719 - Enabled ops cluster, log in kibana-ops UI, there is no log entry under .all index, log entries only could be shown under .operations.* index

1492194 - [3.5] Node affinity alpha feature can cause scheduling failures across the cluster.

1493213 - Builds fail with "authentication required" after upgrade

1494239 - Fluentd unable to write to Elastic Search when LDAP distinguished names are used as usernames

1495540 - [3.6] oc adm router --expose-metrics fails by default

1496232 - "Run mount in its own systemd scope" commit breaks 3.4 build

1497042 - Unable to mount dynamically provisioned persistent volumes using vSphere

1497836 - default fluentd elasticsearch plugin request timeout too short by default, leads to potential log loss and stalled log flow

1498635 - Openshift allows mounting RWO volumes in multiple nodes

1499176 - [3.4] Deleted in use PVCs can break the scheduler

1499635 - [3.4] Metrics diagrams only could be displayed for openshift-infra project in web console

1499813 - Fluentd configuration file is not right on non-ops cluster

1500364 - mariadb, postgresql, mysql, and mediawiki APBs should use rhcc images

1500464 - 3.5.1 White spaces in the cert prevents Origin Metrics from starting

1500471 - 3.6.1 White spaces in the cert prevents Origin Metrics from starting

1500513 - The extensions/v1beta1 API is not updated on old successful Jobs

1500644 - [3.5] Metrics diagrams only could be displayed for openshift-infra project in web console

1501517 - [ocp-3.6] Reduce iptables refreshes

1501948 - [3.5] default fluentd elasticsearch plugin request timeout too short by default, leads to potential log loss and stalled log flow

1501960 - Remove the use of CPU limits by default

1501986 - CVE-2017-12195 OpenShift Enterprise 3: authentication bypass for elasticsearch with external routes

1502789 - Pod running but logs say volume not attached

1503265 - Bundled Netty dependencies have incorrect version

1503563 - Logging upgrade from 3.5 to 3.6 fails with "Exception in thread "main" java.lang.IllegalArgumentException: Unknown Discovery type [kubernetes]"

1505683 - fluentd pods failed to start up, "Unknown filter plugin 'record_modifier'" in fluentd pods log

1505898 - [3.6] 'oadm diagnostics NetworkCheck' timeout due to image 'openshift/diagnostics-deployer' pull failed

1505900 - [3.6] oc adm diagnostics gets stuck in disconnected environment

1506854 - default fluentd elasticsearch plugin request timeout too short by default, leads to potential log loss and stalled log flow



6. Package List:



Red Hat OpenShift Container Platform 3.4:



Source:

atomic-openshift-3.4.1.44.38-1.git.0.d04b8d5.el7.src.rpm

cockpit-155-1.el7.src.rpm

openshift-elasticsearch-plugin-2.4.1.11__redhat_1-3.el7.src.rpm



noarch:

atomic-openshift-docker-excluder-3.4.1.44.38-1.git.0.d04b8d5.el7.noarch.rpm

atomic-openshift-excluder-3.4.1.44.38-1.git.0.d04b8d5.el7.noarch.rpm

openshift-elasticsearch-plugin-2.4.1.11__redhat_1-3.el7.noarch.rpm



x86_64:

atomic-openshift-3.4.1.44.38-1.git.0.d04b8d5.el7.x86_64.rpm

atomic-openshift-clients-3.4.1.44.38-1.git.0.d04b8d5.el7.x86_64.rpm

atomic-openshift-clients-redistributable-3.4.1.44.38-1.git.0.d04b8d5.el7.x86_64.rpm

atomic-openshift-dockerregistry-3.4.1.44.38-1.git.0.d04b8d5.el7.x86_64.rpm

atomic-openshift-master-3.4.1.44.38-1.git.0.d04b8d5.el7.x86_64.rpm

atomic-openshift-node-3.4.1.44.38-1.git.0.d04b8d5.el7.x86_64.rpm

atomic-openshift-pod-3.4.1.44.38-1.git.0.d04b8d5.el7.x86_64.rpm

atomic-openshift-sdn-ovs-3.4.1.44.38-1.git.0.d04b8d5.el7.x86_64.rpm

atomic-openshift-tests-3.4.1.44.38-1.git.0.d04b8d5.el7.x86_64.rpm

cockpit-debuginfo-155-1.el7.x86_64.rpm

cockpit-kubernetes-155-1.el7.x86_64.rpm

tuned-profiles-atomic-openshift-node-3.4.1.44.38-1.git.0.d04b8d5.el7.x86_64.rpm



Red Hat OpenShift Container Platform 3.5:



Source:

atomic-openshift-3.5.5.31.47-1.git.0.25d535c.el7.src.rpm

cockpit-155-1.el7.src.rpm

openshift-elasticsearch-plugin-2.4.4.17__redhat_1-3.el7.src.rpm



noarch:

atomic-openshift-docker-excluder-3.5.5.31.47-1.git.0.25d535c.el7.noarch.rpm

atomic-openshift-excluder-3.5.5.31.47-1.git.0.25d535c.el7.noarch.rpm

openshift-elasticsearch-plugin-2.4.4.17__redhat_1-3.el7.noarch.rpm



x86_64:

atomic-openshift-3.5.5.31.47-1.git.0.25d535c.el7.x86_64.rpm

atomic-openshift-clients-3.5.5.31.47-1.git.0.25d535c.el7.x86_64.rpm

atomic-openshift-clients-redistributable-3.5.5.31.47-1.git.0.25d535c.el7.x86_64.rpm

atomic-openshift-dockerregistry-3.5.5.31.47-1.git.0.25d535c.el7.x86_64.rpm

atomic-openshift-master-3.5.5.31.47-1.git.0.25d535c.el7.x86_64.rpm

atomic-openshift-node-3.5.5.31.47-1.git.0.25d535c.el7.x86_64.rpm

atomic-openshift-pod-3.5.5.31.47-1.git.0.25d535c.el7.x86_64.rpm

atomic-openshift-sdn-ovs-3.5.5.31.47-1.git.0.25d535c.el7.x86_64.rpm

atomic-openshift-tests-3.5.5.31.47-1.git.0.25d535c.el7.x86_64.rpm

cockpit-debuginfo-155-1.el7.x86_64.rpm

cockpit-kubernetes-155-1.el7.x86_64.rpm

tuned-profiles-atomic-openshift-node-3.5.5.31.47-1.git.0.25d535c.el7.x86_64.rpm



Red Hat OpenShift Container Platform 3.6:



Source:

atomic-openshift-3.6.173.0.63-1.git.0.855ea8b.el7.src.rpm

cockpit-155-1.el7.src.rpm

openshift-elasticsearch-plugin-2.4.4.17__redhat_1-3.el7.src.rpm



noarch:

atomic-openshift-docker-excluder-3.6.173.0.63-1.git.0.855ea8b.el7.noarch.rpm

atomic-openshift-excluder-3.6.173.0.63-1.git.0.855ea8b.el7.noarch.rpm

openshift-elasticsearch-plugin-2.4.4.17__redhat_1-3.el7.noarch.rpm



x86_64:

atomic-openshift-3.6.173.0.63-1.git.0.855ea8b.el7.x86_64.rpm

atomic-openshift-clients-3.6.173.0.63-1.git.0.855ea8b.el7.x86_64.rpm

atomic-openshift-clients-redistributable-3.6.173.0.63-1.git.0.855ea8b.el7.x86_64.rpm

atomic-openshift-cluster-capacity-3.6.173.0.63-1.git.0.855ea8b.el7.x86_64.rpm

atomic-openshift-dockerregistry-3.6.173.0.63-1.git.0.855ea8b.el7.x86_64.rpm

atomic-openshift-federation-services-3.6.173.0.63-1.git.0.855ea8b.el7.x86_64.rpm

atomic-openshift-master-3.6.173.0.63-1.git.0.855ea8b.el7.x86_64.rpm

atomic-openshift-node-3.6.173.0.63-1.git.0.855ea8b.el7.x86_64.rpm

atomic-openshift-pod-3.6.173.0.63-1.git.0.855ea8b.el7.x86_64.rpm

atomic-openshift-sdn-ovs-3.6.173.0.63-1.git.0.855ea8b.el7.x86_64.rpm

atomic-openshift-service-catalog-3.6.173.0.63-1.git.0.855ea8b.el7.x86_64.rpm

atomic-openshift-tests-3.6.173.0.63-1.git.0.855ea8b.el7.x86_64.rpm

cockpit-debuginfo-155-1.el7.x86_64.rpm

cockpit-kubernetes-155-1.el7.x86_64.rpm

tuned-profiles-atomic-openshift-node-3.6.173.0.63-1.git.0.855ea8b.el7.x86_64.rpm



These packages are GPG signed by Red Hat for security. Our key and

details on how to verify the signature are available from

https://access.redhat.com/security/team/key/



7. References:



https://access.redhat.com/security/cve/CVE-2017-12195

https://access.redhat.com/security/updates/classification/#moderate



8. Contact:



The Red Hat security contact is <secalert@redhat.com>. More contact

details at https://access.redhat.com/security/team/contact/



Copyright 2017 Red Hat, Inc.

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1



iD8DBQFaKOk1XlSAg2UNWIIRAmaNAKCH1p1GgMUPywm7UwWsLR+ML5cZ2QCdFOMh

16iZ/jgy+rILRVlGeSq2A5c=

=oOgT

-----END PGP SIGNATURE-----



