-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat OpenShift Enterprise security, bug fix, and enhancement update
Advisory ID:       RHSA-2017:3389-01
Product:           Red Hat OpenShift Enterprise
Advisory URL:      https://access.redhat.com/errata/RHSA-2017:3389
Issue date:        2017-12-07
CVE Names:         CVE-2017-12195
=====================================================================

1. Summary:

An update is now available for Red Hat OpenShift Container Platform 3.4,
Red Hat OpenShift Container Platform 3.5, and Red Hat OpenShift Container
Platform 3.6.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenShift Container Platform 3.4 - noarch, x86_64
Red Hat OpenShift Container Platform 3.5 - noarch, x86_64
Red Hat OpenShift Container Platform 3.6 - noarch, x86_64

3. Description:

OpenShift Enterprise by Red Hat is the company's cloud computing
Platform-as-a-Service (PaaS) solution designed for on-premise or private
cloud deployments.

This advisory contains the RPM packages for this release. An advisory for
the container images for this release is available at:
https://access.redhat.com/errata/RHBA-2017:3390.

Space precludes documenting all of the bug fixes and enhancements in this
advisory. See the following Release Notes documentation, which will be
updated shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/3.6/release_notes/ocp_3_6_release_notes.html
https://docs.openshift.com/container-platform/3.5/release_notes/ocp_3_5_release_notes.html
https://docs.openshift.com/container-platform/3.4/release_notes/ocp_3_4_release_notes.html

All OpenShift Container Platform 3 users are advised to upgrade to these
updated packages and images.

Security Fix(es):

* An attacker with knowledge of the given name used to authenticate and
access Elasticsearch can later access it without the token, bypassing
authentication. This attack also requires that the Elasticsearch be
configured with an external route, and the data accessed is limited to the
indices. (CVE-2017-12195)

This issue was discovered by Rich Megginson (Red Hat).

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1399240 - pod age is shown invalid by oc client
1434942 - Symbolic link error for log file of every pod started when docker log driver is journald
1441089 - oc get/describe could not work when using 3.5 client to login 3.6 server
1457042 - Unable to pull through to registry.access.redhat.com
1458186 - Hawkular metrics rest api responding sporadically
1465532 - Heapster fails to push to Hawkular-Metrics sink starting around 4K pods in 3.6
1471251 - 3.4.1 White spaces in the cert prevents Origin Metrics from starting
1476026 - Service Catalog issues repeated Deprovision requests against the broker, despite a 410 response
1479955 - Container ose-sti-builder is marked as deprecated
1481550 - [3.5] 'oadm diagnostics NetworkCheck' timeout due to image 'openshift/diagnostics-deployer' pull failed
1489023 - [3.4 Backport] Can not start atomic-openshift-node if the system does not have a default route
1489024 - [3.5 Backport] Can not start atomic-openshift-node if the system does not have a default route
1490719 - Enabled ops cluster, log in kibana-ops UI, there is no log entry under .all index, log entries only could be shown under .operations.* index
1492194 - [3.5] Node affinity alpha feature can cause scheduling failures across the cluster.
1493213 - Builds fail with "authentication required" after upgrade
1494239 - Fluentd unable to write to Elastic Search when LDAP distinguished names are used as usernames
1495540 - [3.6] oc adm router --expose-metrics fails by default
1496232 - "Run mount in its own systemd scope" commit breaks 3.4 build
1497042 - Unable to mount dynamically provisioned persistent volumes using vSphere
1497836 - default fluentd elasticsearch plugin request timeout too short by default, leads to potential log loss and stalled log flow
1498635 - Openshift allows mounting RWO volumes in multiple nodes
1499176 - [3.4] Deleted in use PVCs can break the scheduler
1499635 - [3.4] Metrics diagrams only could be displayed for openshift-infra project in web console
1499813 - Fluentd configuration file is not right on non-ops cluster
1500364 - mariadb, postgresql, mysql, and mediawiki APBs should use rhcc images
1500464 - 3.5.1 White spaces in the cert prevents Origin Metrics from starting
1500471 - 3.6.1 White spaces in the cert prevents Origin Metrics from starting
1500513 - The extensions/v1beta1 API is not updated on old successful Jobs
1500644 - [3.5] Metrics diagrams only could be displayed for openshift-infra project in web console
1501517 - [ocp-3.6] Reduce iptables refreshes
1501948 - [3.5] default fluentd elasticsearch plugin request timeout too short by default, leads to potential log loss and stalled log flow
1501960 - Remove the use of CPU limits by default
1501986 - CVE-2017-12195 OpenShift Enterprise 3: authentication bypass for elasticsearch with external routes
1502789 - Pod running but logs say volume not attached
1503265 - Bundled Netty dependencies have incorrect version
1503563 - Logging upgrade from 3.5 to 3.6 fails with "Exception in thread "main" java.lang.IllegalArgumentException: Unknown Discovery type [kubernetes]"
1505683 - fluentd pods failed to start up, "Unknown filter plugin 'record_modifier'" in fluentd pods log
1505898 - [3.6] 'oadm diagnostics NetworkCheck' timeout due to image 'openshift/diagnostics-deployer' pull failed
1505900 - [3.6] oc adm diagnostics gets stuck in disconnected environment
1506854 - default fluentd elasticsearch plugin request timeout too short by default, leads to potential log loss and stalled log flow

6. Package List:

Red Hat OpenShift Container Platform 3.4:

Source:
atomic-openshift-3.4.1.44.38-1.git.0.d04b8d5.el7.src.rpm
cockpit-155-1.el7.src.rpm
openshift-elasticsearch-plugin-2.4.1.11__redhat_1-3.el7.src.rpm

noarch:
atomic-openshift-docker-excluder-3.4.1.44.38-1.git.0.d04b8d5.el7.noarch.rpm
atomic-openshift-excluder-3.4.1.44.38-1.git.0.d04b8d5.el7.noarch.rpm
openshift-elasticsearch-plugin-2.4.1.11__redhat_1-3.el7.noarch.rpm

x86_64:
atomic-openshift-3.4.1.44.38-1.git.0.d04b8d5.el7.x86_64.rpm
atomic-openshift-clients-3.4.1.44.38-1.git.0.d04b8d5.el7.x86_64.rpm
atomic-openshift-clients-redistributable-3.4.1.44.38-1.git.0.d04b8d5.el7.x86_64.rpm
atomic-openshift-dockerregistry-3.4.1.44.38-1.git.0.d04b8d5.el7.x86_64.rpm
atomic-openshift-master-3.4.1.44.38-1.git.0.d04b8d5.el7.x86_64.rpm
atomic-openshift-node-3.4.1.44.38-1.git.0.d04b8d5.el7.x86_64.rpm
atomic-openshift-pod-3.4.1.44.38-1.git.0.d04b8d5.el7.x86_64.rpm
atomic-openshift-sdn-ovs-3.4.1.44.38-1.git.0.d04b8d5.el7.x86_64.rpm
atomic-openshift-tests-3.4.1.44.38-1.git.0.d04b8d5.el7.x86_64.rpm
cockpit-debuginfo-155-1.el7.x86_64.rpm
cockpit-kubernetes-155-1.el7.x86_64.rpm
tuned-profiles-atomic-openshift-node-3.4.1.44.38-1.git.0.d04b8d5.el7.x86_64.rpm

Red Hat OpenShift Container Platform 3.5:

Source:
atomic-openshift-3.5.5.31.47-1.git.0.25d535c.el7.src.rpm
cockpit-155-1.el7.src.rpm
openshift-elasticsearch-plugin-2.4.4.17__redhat_1-3.el7.src.rpm

noarch:
atomic-openshift-docker-excluder-3.5.5.31.47-1.git.0.25d535c.el7.noarch.rpm
atomic-openshift-excluder-3.5.5.31.47-1.git.0.25d535c.el7.noarch.rpm
openshift-elasticsearch-plugin-2.4.4.17__redhat_1-3.el7.noarch.rpm

x86_64:
atomic-openshift-3.5.5.31.47-1.git.0.25d535c.el7.x86_64.rpm
atomic-openshift-clients-3.5.5.31.47-1.git.0.25d535c.el7.x86_64.rpm
atomic-openshift-clients-redistributable-3.5.5.31.47-1.git.0.25d535c.el7.x86_64.rpm
atomic-openshift-dockerregistry-3.5.5.31.47-1.git.0.25d535c.el7.x86_64.rpm
atomic-openshift-master-3.5.5.31.47-1.git.0.25d535c.el7.x86_64.rpm
atomic-openshift-node-3.5.5.31.47-1.git.0.25d535c.el7.x86_64.rpm
atomic-openshift-pod-3.5.5.31.47-1.git.0.25d535c.el7.x86_64.rpm
atomic-openshift-sdn-ovs-3.5.5.31.47-1.git.0.25d535c.el7.x86_64.rpm
atomic-openshift-tests-3.5.5.31.47-1.git.0.25d535c.el7.x86_64.rpm
cockpit-debuginfo-155-1.el7.x86_64.rpm
cockpit-kubernetes-155-1.el7.x86_64.rpm
tuned-profiles-atomic-openshift-node-3.5.5.31.47-1.git.0.25d535c.el7.x86_64.rpm

Red Hat OpenShift Container Platform 3.6:

Source:
atomic-openshift-3.6.173.0.63-1.git.0.855ea8b.el7.src.rpm
cockpit-155-1.el7.src.rpm
openshift-elasticsearch-plugin-2.4.4.17__redhat_1-3.el7.src.rpm

noarch:
atomic-openshift-docker-excluder-3.6.173.0.63-1.git.0.855ea8b.el7.noarch.rpm
atomic-openshift-excluder-3.6.173.0.63-1.git.0.855ea8b.el7.noarch.rpm
openshift-elasticsearch-plugin-2.4.4.17__redhat_1-3.el7.noarch.rpm

x86_64:
atomic-openshift-3.6.173.0.63-1.git.0.855ea8b.el7.x86_64.rpm
atomic-openshift-clients-3.6.173.0.63-1.git.0.855ea8b.el7.x86_64.rpm
atomic-openshift-clients-redistributable-3.6.173.0.63-1.git.0.855ea8b.el7.x86_64.rpm
atomic-openshift-cluster-capacity-3.6.173.0.63-1.git.0.855ea8b.el7.x86_64.rpm
atomic-openshift-dockerregistry-3.6.173.0.63-1.git.0.855ea8b.el7.x86_64.rpm
atomic-openshift-federation-services-3.6.173.0.63-1.git.0.855ea8b.el7.x86_64.rpm
atomic-openshift-master-3.6.173.0.63-1.git.0.855ea8b.el7.x86_64.rpm
atomic-openshift-node-3.6.173.0.63-1.git.0.855ea8b.el7.x86_64.rpm
atomic-openshift-pod-3.6.173.0.63-1.git.0.855ea8b.el7.x86_64.rpm
atomic-openshift-sdn-ovs-3.6.173.0.63-1.git.0.855ea8b.el7.x86_64.rpm
atomic-openshift-service-catalog-3.6.173.0.63-1.git.0.855ea8b.el7.x86_64.rpm
atomic-openshift-tests-3.6.173.0.63-1.git.0.855ea8b.el7.x86_64.rpm
cockpit-debuginfo-155-1.el7.x86_64.rpm
cockpit-kubernetes-155-1.el7.x86_64.rpm
tuned-profiles-atomic-openshift-node-3.6.173.0.63-1.git.0.855ea8b.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2017-12195
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is . More contact details at
https://access.redhat.com/security/team/contact/

Copyright 2017 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFaKOk1XlSAg2UNWIIRAmaNAKCH1p1GgMUPywm7UwWsLR+ML5cZ2QCdFOMh
16iZ/jgy+rILRVlGeSq2A5c=
=oOgT
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
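Added example, not part of the advisory or of Red Hat's tooling: a small check that reads `rpm -qa` output from a node and reports which of the builds fixed in Section 6 are still missing. It assumes the two packages worth checking for this update are atomic-openshift and openshift-elasticsearch-plugin (the fixed version-release strings below are copied from Section 6), and it uses its own rpm-style version comparison rather than librpm; the sample `rpm -qa` lines are constructed, with a placeholder git hash.

```python
import re

# Fixed builds from RHSA-2017:3389, keyed by OCP minor: package name -> version-release.
FIXED = {
    "3.4": {"atomic-openshift": "3.4.1.44.38-1.git.0.d04b8d5.el7",
            "openshift-elasticsearch-plugin": "2.4.1.11__redhat_1-3.el7"},
    "3.5": {"atomic-openshift": "3.5.5.31.47-1.git.0.25d535c.el7",
            "openshift-elasticsearch-plugin": "2.4.4.17__redhat_1-3.el7"},
    "3.6": {"atomic-openshift": "3.6.173.0.63-1.git.0.855ea8b.el7",
            "openshift-elasticsearch-plugin": "2.4.4.17__redhat_1-3.el7"},
}

def rpmvercmp(a, b):
    """rpm-style compare: digit runs as ints, letters lexically, numeric beats alpha, leftovers win."""
    sa, sb = re.findall(r"\d+|[A-Za-z]+", a), re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def vr_cmp(vr_a, vr_b):
    """Compare 'version-release' strings: version first, release only on a tie."""
    va, ra = vr_a.rsplit("-", 1)
    vb, rb = vr_b.rsplit("-", 1)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def parse_nvra(line):
    nvr = line.strip().rsplit(".", 1)[0]          # drop the .x86_64 / .noarch suffix
    nv, rel = nvr.rsplit("-", 1)                  # release is after the last '-'
    name, ver = nv.rsplit("-", 1)                 # version is after the next '-'
    return name, ver + "-" + rel

def unpatched(rpm_qa_lines, ocp_minor):
    """Return {name: installed version-release} for tracked packages older than the fix."""
    fixed, out = FIXED[ocp_minor], {}
    for line in filter(str.strip, rpm_qa_lines):
        name, vr = parse_nvra(line)
        if name in fixed and vr_cmp(vr, fixed[name]) < 0:
            out[name] = vr
    return out

# Constructed `rpm -qa` output for a 3.6 host; build 3.6.173.0.49 and hash 0000000 are placeholders.
SAMPLE_RPM_QA = """\
atomic-openshift-3.6.173.0.49-1.git.0.0000000.el7.x86_64
openshift-elasticsearch-plugin-2.4.4.17__redhat_1-3.el7.noarch
cockpit-kubernetes-155-1.el7.x86_64
""".splitlines()
```

Feed it the real output of `rpm -qa` on each master and node; an empty result for the cluster's minor release means both tracked packages are at or past the advisory's builds.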