===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.0588
   Important: ansible and openshift-ansible security and bug fix update
                               7 March 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           ansible and openshift-ansible
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-9587

Reference:         ESB-2017.0370
                   ESB-2017.0231

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2017:0448

--------------------------BEGIN INCLUDED TEXT--------------------

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: ansible and openshift-ansible security and bug fix update
Advisory ID:       RHSA-2017:0448-01
Product:           Red Hat OpenShift Enterprise
Advisory URL:      https://access.redhat.com/errata/RHSA-2017:0448
Issue date:        2017-03-06
CVE Names:         CVE-2016-9587
=====================================================================

1. Summary:

An update for ansible and openshift-ansible is now available for Red Hat
OpenShift Container Platform 3.2, Red Hat OpenShift Container Platform 3.3,
and Red Hat OpenShift Container Platform 3.4.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenShift Container Platform 3.2 - noarch
Red Hat OpenShift Container Platform 3.3 - noarch
Red Hat OpenShift Container Platform 3.4 - noarch

3. Description:

Red Hat OpenShift Container Platform is the company's cloud computing
Platform-as-a-Service (PaaS) solution designed for on-premise or private
cloud deployments.

Ansible is an SSH-based configuration management, deployment, and task
execution system. The openshift-ansible packages contain Ansible code and
playbooks for installing and upgrading OpenShift Container Platform 3.

Security Fix(es):

* An input validation vulnerability was found in Ansible's handling of data
sent from client systems. An attacker with control over a client system
being managed by Ansible and the ability to send facts back to the Ansible
server could use this flaw to execute arbitrary code on the Ansible server
using the Ansible server privileges. (CVE-2016-9587)

Bug Fix(es):

Space precludes documenting all of the non-security bug fixes in this
advisory. See the relevant OpenShift Container Platform Release Notes linked
to in the References section, which will be updated shortly for this
release.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To apply this update, run the following on all hosts where you intend to
initiate Ansible-based installation or upgrade procedures:

# yum update atomic-openshift-utils

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at:
https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1379189 - [3.2] ansible sometimes gets UNREACHABLE error after iptables restarted
1388016 - [3.3] The insecure-registry address was removed during upgrade
1389263 - [3.4] the summary of json report should include total/ok number after certificate expiry check
1393000 - [3.3] Ansible upgrade from 3.2 to 3.3 fails
1404378 - CVE-2016-9587 Ansible: Compromised remote hosts can lead to running commands on the Ansible controller
1414276 - [3.3] Installer is failing when `ansible_user` is set to Windows Login which requires dom\user format
1415067 - [3.2] Installer should persist net.ipv4.ip_forward
1416926 - [3.3] ansible sometimes gets UNREACHABLE error after iptables restarted
1416927 - [3.4] ansible sometimes gets UNREACHABLE error after iptables restarted
1417680 - [3.2] Backport openshift_certificate_expiry role
1417681 - [3.4] Backport openshift_certificate_expiry role
1417682 - [3.3] Backport openshift_certificate_expiry role
1419493 - [3.4] Installer pulls in 3.3 registry-console image
1419533 - [3.2] Installation on node failed when creating node config
1419654 - [3.4] Containerized advanced installation fails due to missing CA certificate /etc/origin/master/ca.crt
1420393 - [3.4] conntrack executable not found on $PATH during cluster horizontal run
1420395 - [3.3] conntrack executable not found on $PATH during cluster horizontal run
1421053 - [quick installer 3.4] quick installer failed due to a python method failure
1421059 - [quick installer 3.2] quick installer failed due to a python method failure
1421061 - [quick installer 3.3] quick installer failed due to a python method failure
1421860 - [3.4] Metrics Resolution of Heapster Image Should be 30s to Match cAdvisor
1422361 - [3.4] Advanced installer fails if python-six not available
1426705 - [3.4] Installer is failing when `ansible_user` is set to Windows Login which requires dom\user format

6. Package List:

Red Hat OpenShift Container Platform 3.2:

Source:
ansible-2.2.1.0-2.el7.src.rpm
openshift-ansible-3.2.53-1.git.0.2fefc17.el7.src.rpm

noarch:
ansible-2.2.1.0-2.el7.noarch.rpm
atomic-openshift-utils-3.2.53-1.git.0.2fefc17.el7.noarch.rpm
openshift-ansible-3.2.53-1.git.0.2fefc17.el7.noarch.rpm
openshift-ansible-docs-3.2.53-1.git.0.2fefc17.el7.noarch.rpm
openshift-ansible-filter-plugins-3.2.53-1.git.0.2fefc17.el7.noarch.rpm
openshift-ansible-lookup-plugins-3.2.53-1.git.0.2fefc17.el7.noarch.rpm
openshift-ansible-playbooks-3.2.53-1.git.0.2fefc17.el7.noarch.rpm
openshift-ansible-roles-3.2.53-1.git.0.2fefc17.el7.noarch.rpm

Red Hat OpenShift Container Platform 3.3:

Source:
ansible-2.2.1.0-2.el7.src.rpm
openshift-ansible-3.3.67-1.git.0.7c5da0c.el7.src.rpm

noarch:
ansible-2.2.1.0-2.el7.noarch.rpm
atomic-openshift-utils-3.3.67-1.git.0.7c5da0c.el7.noarch.rpm
openshift-ansible-3.3.67-1.git.0.7c5da0c.el7.noarch.rpm
openshift-ansible-callback-plugins-3.3.67-1.git.0.7c5da0c.el7.noarch.rpm
openshift-ansible-docs-3.3.67-1.git.0.7c5da0c.el7.noarch.rpm
openshift-ansible-filter-plugins-3.3.67-1.git.0.7c5da0c.el7.noarch.rpm
openshift-ansible-lookup-plugins-3.3.67-1.git.0.7c5da0c.el7.noarch.rpm
openshift-ansible-playbooks-3.3.67-1.git.0.7c5da0c.el7.noarch.rpm
openshift-ansible-roles-3.3.67-1.git.0.7c5da0c.el7.noarch.rpm

Red Hat OpenShift Container Platform 3.4:

Source:
ansible-2.2.1.0-2.el7.src.rpm
openshift-ansible-3.4.67-1.git.0.14a0b4d.el7.src.rpm

noarch:
ansible-2.2.1.0-2.el7.noarch.rpm
atomic-openshift-utils-3.4.67-1.git.0.14a0b4d.el7.noarch.rpm
openshift-ansible-3.4.67-1.git.0.14a0b4d.el7.noarch.rpm
openshift-ansible-callback-plugins-3.4.67-1.git.0.14a0b4d.el7.noarch.rpm
openshift-ansible-docs-3.4.67-1.git.0.14a0b4d.el7.noarch.rpm
openshift-ansible-filter-plugins-3.4.67-1.git.0.14a0b4d.el7.noarch.rpm
openshift-ansible-lookup-plugins-3.4.67-1.git.0.14a0b4d.el7.noarch.rpm
openshift-ansible-playbooks-3.4.67-1.git.0.14a0b4d.el7.noarch.rpm
openshift-ansible-roles-3.4.67-1.git.0.14a0b4d.el7.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and details
on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2016-9587
https://access.redhat.com/security/updates/classification/#important
https://docs.openshift.com/enterprise/3.2/release_notes/ose_3_2_release_notes.html
https://docs.openshift.com/container-platform/3.3/release_notes/ocp_3_3_release_notes.html
https://docs.openshift.com/container-platform/3.4/release_notes/ocp_3_4_release_notes.html

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact details
at https://access.redhat.com/security/team/contact/

Copyright 2017 Red Hat, Inc.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
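Added example, not part of the Red Hat advisory or the AusCERT text: a check that compares a host's installed package inventory against the fixed builds in the Package List above, using an rpm-style version comparison written here in Python. The fixed NVRs are the advisory's OCP 3.2 noarch builds; the installed inventory is constructed; package epochs and the '^' version modifier are not handled.

```python
import re
from itertools import zip_longest

TOKEN = re.compile(r"~|\d+|[A-Za-z]+")

def rpmvercmp(a: str, b: str) -> int:
    """rpm-style compare: 1 if a is newer than b, -1 if older, 0 if equal.
    '~' sorts before anything (pre-releases); the '^' modifier is not handled."""
    for x, y in zip_longest(TOKEN.findall(a), TOKEN.findall(b)):
        if x == "~" or y == "~":
            if x != y:
                return 1 if y == "~" else -1
            continue
        if x is None or y is None:        # one side exhausted: leftovers win
            return -1 if x is None else 1
        if x.isdigit() != y.isdigit():    # numeric segment beats alphabetic
            return 1 if x.isdigit() else -1
        if x.isdigit():                   # numeric: more significant digits win
            x, y = x.lstrip("0"), y.lstrip("0")
            if len(x) != len(y):
                return 1 if len(x) > len(y) else -1
        if x != y:
            return 1 if x > y else -1
    return 0

def unpatched(installed: list, fixed: list) -> list:
    """Names of installed packages whose version-release is older than the fix."""
    fixed_vr = {n: (v, r) for n, v, r in (f.rsplit("-", 2) for f in fixed)}
    out = []
    for nvr in installed:
        name, ver, rel = nvr.rsplit("-", 2)
        if name in fixed_vr:
            fv, fr = fixed_vr[name]
            if (rpmvercmp(ver, fv) or rpmvercmp(rel, fr)) < 0:
                out.append(name)
    return out

# Fixed OCP 3.2 builds from the advisory's Package List (".noarch.rpm" stripped).
FIXED_OCP32 = [
    "ansible-2.2.1.0-2.el7",
    "atomic-openshift-utils-3.2.53-1.git.0.2fefc17.el7",
    "openshift-ansible-3.2.53-1.git.0.2fefc17.el7",
]
# Constructed inventory, in the shape `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'` prints.
INSTALLED_SAMPLE = [
    "ansible-2.2.0.0-1.el7",                               # constructed: predates the fix
    "atomic-openshift-utils-3.2.53-1.git.0.2fefc17.el7",   # at the fixed build
    "openshift-ansible-3.2.50-1.git.0.0000000.el7",        # constructed: predates the fix
]
```

`unpatched(INSTALLED_SAMPLE, FIXED_OCP32)` returns the packages still needing `yum update atomic-openshift-utils`; feed it the real `rpm -qa` output and the 3.3 or 3.4 list for other releases.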