=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: OpenShift Container Platform 3.9 security, bug fix, and enhancement update
Advisory ID:       RHSA-2018:2013-01
Product:           Red Hat OpenShift Enterprise
Advisory URL:      https://access.redhat.com/errata/RHSA-2018:2013
Issue date:        2018-06-27
CVE Names:         CVE-2018-1070 CVE-2018-1085 CVE-2018-10843
=====================================================================

1. Summary:

Red Hat OpenShift Container Platform release 3.9.31 is now available with updates to packages and images that address security issues, fix several bugs, and add enhancements.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenShift Container Platform 3.9 - noarch, x86_64

3. Description:

Red Hat OpenShift Container Platform is the company's cloud computing Platform-as-a-Service (PaaS) solution designed for on-premise or private cloud deployments.

This advisory contains the RPM packages for Red Hat OpenShift Container Platform 3.9.31. See the following advisory for the container images for this release:

https://access.redhat.com/errata/RHBA-2018:2014

Security Fix(es):

* routing: Malicious Service configuration can bring down routing for an entire shard (CVE-2018-1070)

* openshift-ansible: Incorrectly quoted values in etcd.conf causes disabling of SSL client certificate authentication (CVE-2018-1085)

* source-to-image: Builder images with assembler-user LABEL set to root allows attackers to execute arbitrary code (CVE-2018-10843)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Red Hat would like to thank David Hocky (Comcast) for reporting CVE-2018-1085. The CVE-2018-1070 issue was discovered by Mark Chappell (Red Hat) and the CVE-2018-10843 issue was discovered by Jeremy Choi (Red Hat).

Space precludes documenting all of the bug fixes and enhancements in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/3.9/release_notes/ocp_3_9_release_notes.html

All OpenShift Container Platform 3.9 users are advised to upgrade to these updated packages and images.

4. Solution:

For OpenShift Container Platform 3.9 see the following documentation, which will be updated shortly for release 3.9.31, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:

https://docs.openshift.com/container-platform/3.9/release_notes/ocp_3_9_release_notes.html

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/articles/11258.

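The etcd.conf quoting problem behind CVE-2018-1085 can be checked for directly on a master before and after applying this update. The following script is an added example, not Red Hat's or openshift-ansible's code; it assumes the affected settings are the etcd environment-file keys ETCD_CLIENT_CERT_AUTH and ETCD_PEER_CLIENT_CERT_AUTH, and that the failure mode is a quoted value that etcd does not read as the boolean true, so client-certificate authentication stays off.

```python
"""Audit an etcd environment file for client-cert-auth values that are
quoted or missing. Added example (not openshift-ansible code); the key
names below are an assumption about which settings are affected."""
import re

# Keys whose value must be the bare token "true" for cert auth to be on.
CERT_AUTH_KEYS = ("ETCD_CLIENT_CERT_AUTH", "ETCD_PEER_CLIENT_CERT_AUTH")

# KEY=VALUE with surrounding whitespace trimmed; the value keeps its quotes.
LINE_RE = re.compile(r"^\s*([A-Z0-9_]+)\s*=\s*(.*?)\s*$")


def parse_env_file(text):
    """Return {key: raw_value} for KEY=VALUE lines, skipping blanks and
    comments. Quote characters are preserved so they can be inspected."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m:
            entries[m.group(1)] = m.group(2)
    return entries


def check_cert_auth(text):
    """Return findings as (key, raw_value, reason). Anything other than the
    literal unquoted token true is reported: a quoted value may reach etcd
    with the quotes attached and be treated as not-true, i.e. cert auth off;
    a missing key leaves etcd at its default of no client cert auth."""
    findings = []
    entries = parse_env_file(text)
    for key in CERT_AUTH_KEYS:
        if key not in entries:
            findings.append((key, None, "missing: cert auth not enabled"))
            continue
        raw = entries[key]
        if raw == "true":
            continue
        if raw.strip("\"'") == "true":
            findings.append((key, raw, "quoted value; may be read as not-true"))
        else:
            findings.append((key, raw, "not enabled"))
    return findings


# Constructed samples: BAD_CONF carries quoted values, GOOD_CONF is clean.
BAD_CONF = 'ETCD_NAME=master0\nETCD_CLIENT_CERT_AUTH="true"\nETCD_PEER_CLIENT_CERT_AUTH="true"\n'
GOOD_CONF = "ETCD_NAME=master0\nETCD_CLIENT_CERT_AUTH=true\nETCD_PEER_CLIENT_CERT_AUTH=true\n"

if __name__ == "__main__":
    for name, conf in (("bad", BAD_CONF), ("good", GOOD_CONF)):
        print(name, check_cert_auth(conf) or "ok")
```

Running it against /etc/etcd/etcd.conf on each master (read the file and pass its contents to check_cert_auth) gives an empty list only when both keys are present and unquoted.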
5. Bugs fixed (https://bugzilla.redhat.com/):

1466390 - [RFE] add selector option to oadm drain
1498398 - Incomplete default configuration for secure-forward
1506175 - Should not meet "lookup failed" and "incorrect username or password" when new-app with public image in project having fake docker secret
1507429 - [tsb]Some error message shown when describe serviceinstance
1512042 - Local Registry Adapter should not display APBs that can't be deployed from a namespace other than 'openshift'
1525642 - immortal namespace are not immortal (as we claim them to be)
1529575 - [3.9] Updating etcd does not update the etcd config with new variables
1531096 - Prometheus fills up entire storage space
1534311 - [3.8]apiserver pod of service catalog in CrashLoopBackOff status after upgrading to v3.8
1534894 - apb preprare -f fail with error
1537872 - Azure need set virt_use_samba
1538215 - [DOCKER] Eviction manager erros in node logs
1539252 - Failed to push image to OCP internal image registry on EC2
1539310 - ASB bootstrap fail while using file authenticate type since failed to read registry credentials from file
1539529 - `oc apply --force` will delete resource when failing to apply
1539757 - async unbind returns 200 instead of 202
1540819 - Failed to unbind after deleting templateinstance with servicebinding existing
1541212 - prometheus fails compaction
1541350 - Namespace goes in "terminating" state due to unprovisioned ServiceInstance
1542387 - Unable to retrieve image names from rhcc(stage) registry
1542460 - When jenkins in one project and pipeline in other project. View log link points to wrong URL.
1546097 - Master controllers are using high amount of CPU after upgrade to 3.7
1546324 - Manifest does not match provided manifest digest
1546936 - Setting up of prometheus using ansible fails
1548677 - Upgrade failed due to ovs2.9 can not start while selinux-policy was not updated
1549060 - Should be correct 'openshift' link on about page
1549454 - Etcd scale-up failed when running as system container on RHEL
1550193 - openshift jenkins rhel image release to release migration not working
1550316 - Synchronize openvswitch 2.9 to mirror fastdatapath repo
1550385 - Update *sql-apb plan or version failed in 'behind proxy' env
1550591 - Mirror openshift3/prometheus-node-exporter on external mirror
1553012 - Duplicated node-labels in node-config.yaml while enabling cri-o
1553035 - CVE-2018-1070 Routing: Malicous Service configuration can bring down routing for an entire shard.
1553294 - [3.9] various auto-egress IP problems
1554141 - Unable to delete serviceinstance
1554145 - [apb] Newer version of APB tool fails with `apb remove` on a 3.7 version of broker
1554239 - [ASB] Delete project failed even if provision serviceinstances success
1557040 - Missing v.3.9 openshift3/metrics-cassandra metrics-hawkular-metrics and metrics-heapster images from registry.reg-aws.openshift.com
1557822 - CVE-2018-1085 openshift-ansible: Incorrectly quoted values in etcd.conf causes disabling of SSL client certificate authentication
1558183 - [starter-ca-central-1] builds in pending state indefinitely
1558997 - Issue when deploying Jenkins instances which have routes on various sharded routers
1560311 - [3.9] oc adm migrate storage produces error as signature annotations forbidden
1563150 - openshift3/ose image contains centos repository for RHEL7 based image
1563673 - [RFE] Add timeout when draining a node for update
1566238 - upgrade from v3.7 to v3.9 fails with openshift-ansible-3.9.20-1.git.0.f99fb43.el7
1568815 - Service Catalog does not refresh ClusterServicePlan after removing from catalog
1569030 - OpenShift Container Platform 3.9.z APB image refresh
1570065 - Ansible Service Broker fails to deploy due to missing namespace argument
1570581 - There is wrong version of atomic-openshift-web-console rpm within web-console image
1571601 - [3.9] Certificate expiry playbook couldn't work
1571944 - Stack trace from github.com/openshift/origin/pkg/image/trigger/deploymentconfigs.calculateDeploymentConfigTrigger
1572786 - [3.9] RFE - Need a way to upgrade OS during upgrade
1579096 - CVE-2018-10843 source-to-image: Builder images with assembler-user LABEL set to root allows attackers to execute arbitrary code
1580538 - Unable to disallow project creation from system:authentcated users after upgrade to 3.9
1583895 - [APB] mysql-apb update from 5.6 to 5.7 failed
1585243 - [3.9] Entire cluster goes to NotReady using a NetworkPolicy that contains an ingress ipBlock section
1586076 - API server crashes when using old format of webhook triggers in build Configs
1588009 - Deploying logging on a system where /tmp mounted with noexec option fails
1588768 - [3.9] Unqualified image is completed with "docker.io"

6. Package List:

Red Hat OpenShift Container Platform 3.9:

Source:
atomic-openshift-3.9.31-1.git.0.ef9737b.el7.src.rpm
atomic-openshift-descheduler-3.9.13-1.git.267.bb59a3f.el7.src.rpm
atomic-openshift-node-problem-detector-3.9.13-1.git.167.5d6b0d4.el7.src.rpm
atomic-openshift-web-console-3.9.31-1.git.246.bded6a4.el7.src.rpm
golang-github-prometheus-node_exporter-3.9.31-1.git.890.a55de06.el7.src.rpm
mysql-apb-role-1.1.11-1.el7.src.rpm
openshift-ansible-3.9.31-1.git.34.154617d.el7.src.rpm

noarch:
atomic-openshift-docker-excluder-3.9.31-1.git.0.ef9737b.el7.noarch.rpm
atomic-openshift-excluder-3.9.31-1.git.0.ef9737b.el7.noarch.rpm
atomic-openshift-utils-3.9.31-1.git.34.154617d.el7.noarch.rpm
mysql-apb-role-1.1.11-1.el7.noarch.rpm
openshift-ansible-3.9.31-1.git.34.154617d.el7.noarch.rpm
openshift-ansible-docs-3.9.31-1.git.34.154617d.el7.noarch.rpm
openshift-ansible-playbooks-3.9.31-1.git.34.154617d.el7.noarch.rpm
openshift-ansible-roles-3.9.31-1.git.34.154617d.el7.noarch.rpm

x86_64:
atomic-openshift-3.9.31-1.git.0.ef9737b.el7.x86_64.rpm
atomic-openshift-clients-3.9.31-1.git.0.ef9737b.el7.x86_64.rpm
atomic-openshift-clients-redistributable-3.9.31-1.git.0.ef9737b.el7.x86_64.rpm
atomic-openshift-cluster-capacity-3.9.31-1.git.0.ef9737b.el7.x86_64.rpm
atomic-openshift-descheduler-3.9.13-1.git.267.bb59a3f.el7.x86_64.rpm
atomic-openshift-dockerregistry-3.9.31-1.git.351.1bd46ed.el7.x86_64.rpm
atomic-openshift-federation-services-3.9.31-1.git.0.ef9737b.el7.x86_64.rpm
atomic-openshift-master-3.9.31-1.git.0.ef9737b.el7.x86_64.rpm
atomic-openshift-node-3.9.31-1.git.0.ef9737b.el7.x86_64.rpm
atomic-openshift-node-problem-detector-3.9.13-1.git.167.5d6b0d4.el7.x86_64.rpm
atomic-openshift-pod-3.9.31-1.git.0.ef9737b.el7.x86_64.rpm
atomic-openshift-sdn-ovs-3.9.31-1.git.0.ef9737b.el7.x86_64.rpm
atomic-openshift-service-catalog-3.9.31-1.git.0.ef9737b.el7.x86_64.rpm
atomic-openshift-template-service-broker-3.9.31-1.git.0.ef9737b.el7.x86_64.rpm
atomic-openshift-tests-3.9.31-1.git.0.ef9737b.el7.x86_64.rpm
atomic-openshift-web-console-3.9.31-1.git.246.bded6a4.el7.x86_64.rpm
prometheus-node-exporter-3.9.31-1.git.890.a55de06.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2018-1070
https://access.redhat.com/security/cve/CVE-2018-1085
https://access.redhat.com/security/cve/CVE-2018-10843
https://access.redhat.com/security/updates/classification/#important
https://docs.openshift.com/container-platform/3.9/release_notes/ocp_3_9_release_notes.html

8. Contact:

The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/

Copyright 2018 Red Hat, Inc.