-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.3136
   Moderate: Red Hat OpenShift Enterprise security, bug fix, and enhancement
                                   update
                               8 December 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           OpenShift Enterprise security
Publisher:         Red Hat
Operating System:  Red Hat Enterprise Linux AS/ES/WS 3
Impact/Access:     Unauthorised Access -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-12195
Reference:         ESB-2017.3021

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2017:3389

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: Red Hat OpenShift Enterprise security, bug fix,
                   and enhancement update
Advisory ID:       RHSA-2017:3389-01
Product:           Red Hat OpenShift Enterprise
Advisory URL:      https://access.redhat.com/errata/RHSA-2017:3389
Issue date:        2017-12-07
CVE Names:         CVE-2017-12195
=====================================================================

1. Summary:

An update is now available for Red Hat OpenShift Container Platform 3.4,
Red Hat OpenShift Container Platform 3.5, and Red Hat OpenShift Container
Platform 3.6.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenShift Container Platform 3.4 - noarch, x86_64
Red Hat OpenShift Container Platform 3.5 - noarch, x86_64
Red Hat OpenShift Container Platform 3.6 - noarch, x86_64

3. Description:

OpenShift Enterprise by Red Hat is the company's cloud computing
Platform-as-a-Service (PaaS) solution designed for on-premise or private
cloud deployments.

This advisory contains the RPM packages for this release. An advisory for
the container images for this release is available at:
https://access.redhat.com/errata/RHBA-2017:3390.

Space precludes documenting all of the bug fixes and enhancements in this
advisory. See the following Release Notes documentation, which will be
updated shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/3.6/release_notes/ocp_3_6_release_notes.html
https://docs.openshift.com/container-platform/3.5/release_notes/ocp_3_5_release_notes.html
https://docs.openshift.com/container-platform/3.4/release_notes/ocp_3_4_release_notes.html

All OpenShift Container Platform 3 users are advised to upgrade to these
updated packages and images.

Security Fix(es):

* An attacker with knowledge of the given name used to authenticate and
access Elasticsearch can later access it without the token, bypassing
authentication. This attack also requires that the Elasticsearch be
configured with an external route, and the data accessed is limited to the
indices. (CVE-2017-12195)

This issue was discovered by Rich Megginson (Red Hat).

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1399240 - pod age is shown invalid by oc client
1434942 - Symbolic link error for log file of every pod started when docker log driver is journald
1441089 - oc get/describe could not work when using 3.5 client to login 3.6 server
1457042 - Unable to pull through to registry.access.redhat.com
1458186 - Hawkular metrics rest api responding sporadically
1465532 - Heapster fails to push to Hawkular-Metrics sink starting around 4K pods in 3.6
1471251 - 3.4.1 White spaces in the cert prevents Origin Metrics from starting
1476026 - Service Catalog issues repeated Deprovision requests against the broker, despite a 410 response
1479955 - Container ose-sti-builder is marked as deprecated
1481550 - [3.5]'oadm diagnostics NetworkCheck' timeout due to image 'openshift/diagnostics-deployer' pull failed
1489023 - [3.4 Backport] Can not start atomic-openshift-node if the system does not have a default route
1489024 - [3.5 Backport] Can not start atomic-openshift-node if the system does not have a default route
1490719 - Enabled ops cluser,log in kibana-ops UI, there is no log entry under .all index, log entries only could be shown under .operations.* index
1492194 - [3.5] Node affinity alpha feature can cause scheduling failures across the cluster.
1493213 - Builds fail with "authentication required" after upgrade
1494239 - Fluentd unable to write to Elastic Search when LDAP distinguished names are used as usernames
1495540 - [3.6] oc adm router --expose-metrics fails by default
1496232 - "Run mount in its own systemd scope" commit breaks 3.4 build
1497042 - Unable to mount dynamically provisioned persistant volumes using vSphere
1497836 - default fluentd elasticsearch plugin request timeout too short by default, leads to potential log loss and stalled log flow
1498635 - Openshift allows mounting RWO volumes in multiple nodes
1499176 - [3.4] Deleted in use PVCs can break the scheduler
1499635 - [3.4]Metrics diagrams only could be displayed for openshift-infra project in web console
1499813 - Fluentd configuration file is not right on non-ops cluster
1500364 - mariadb, postgresql, mysql, and mediawiki APBs should use rhcc images
1500464 - 3.5.1 White spaces in the cert prevents Origin Metrics from starting
1500471 - 3.6.1 White spaces in the cert prevents Origin Metrics from starting
1500513 - The extensions/v1beta1 API is not updated on old successful Jobs
1500644 - [3.5]Metrics diagrams only could be displayed for openshift-infra project in web console
1501517 - [ocp-3.6] Reduce iptables refreshes
1501948 - [3.5] default fluentd elasticsearch plugin request timeout too short by default, leads to potential log loss and stalled log flow
1501960 - Remove the use of CPU limits by default
1501986 - CVE-2017-12195 OpenShift Enterprise 3: authentication bypass for elasticsearch with external routes
1502789 - Pod running but logs say volume not attached
1503265 - Bundled Netty dependencies have incorrect version
1503563 - Logging upgrade from 3.5 to 3.6 fails with "Exception in thread "main" java.lang.IllegalArgumentException: Unknown Discovery type [kubernetes]"
1505683 - fluentd pods failed to start up,"Unknown filter plugin 'record_modifier' in fluentd pods log
1505898 - [3.6] oadm diagnostics NetworkCheck' timeout due to image 'openshift/diagnostics-deployer' pull failed
1505900 - [3.6] oc adm diagnostics gets stuck in disconnected environment
1506854 - default fluentd elasticsearch plugin request timeout too short by default, leads to potential log loss and stalled log flow

6. Package List:

Red Hat OpenShift Container Platform 3.4:

Source:
atomic-openshift-3.4.1.44.38-1.git.0.d04b8d5.el7.src.rpm
cockpit-155-1.el7.src.rpm
openshift-elasticsearch-plugin-2.4.1.11__redhat_1-3.el7.src.rpm

noarch:
atomic-openshift-docker-excluder-3.4.1.44.38-1.git.0.d04b8d5.el7.noarch.rpm
atomic-openshift-excluder-3.4.1.44.38-1.git.0.d04b8d5.el7.noarch.rpm
openshift-elasticsearch-plugin-2.4.1.11__redhat_1-3.el7.noarch.rpm

x86_64:
atomic-openshift-3.4.1.44.38-1.git.0.d04b8d5.el7.x86_64.rpm
atomic-openshift-clients-3.4.1.44.38-1.git.0.d04b8d5.el7.x86_64.rpm
atomic-openshift-clients-redistributable-3.4.1.44.38-1.git.0.d04b8d5.el7.x86_64.rpm
atomic-openshift-dockerregistry-3.4.1.44.38-1.git.0.d04b8d5.el7.x86_64.rpm
atomic-openshift-master-3.4.1.44.38-1.git.0.d04b8d5.el7.x86_64.rpm
atomic-openshift-node-3.4.1.44.38-1.git.0.d04b8d5.el7.x86_64.rpm
atomic-openshift-pod-3.4.1.44.38-1.git.0.d04b8d5.el7.x86_64.rpm
atomic-openshift-sdn-ovs-3.4.1.44.38-1.git.0.d04b8d5.el7.x86_64.rpm
atomic-openshift-tests-3.4.1.44.38-1.git.0.d04b8d5.el7.x86_64.rpm
cockpit-debuginfo-155-1.el7.x86_64.rpm
cockpit-kubernetes-155-1.el7.x86_64.rpm
tuned-profiles-atomic-openshift-node-3.4.1.44.38-1.git.0.d04b8d5.el7.x86_64.rpm

Red Hat OpenShift Container Platform 3.5:

Source:
atomic-openshift-3.5.5.31.47-1.git.0.25d535c.el7.src.rpm
cockpit-155-1.el7.src.rpm
openshift-elasticsearch-plugin-2.4.4.17__redhat_1-3.el7.src.rpm

noarch:
atomic-openshift-docker-excluder-3.5.5.31.47-1.git.0.25d535c.el7.noarch.rpm
atomic-openshift-excluder-3.5.5.31.47-1.git.0.25d535c.el7.noarch.rpm
openshift-elasticsearch-plugin-2.4.4.17__redhat_1-3.el7.noarch.rpm

x86_64:
atomic-openshift-3.5.5.31.47-1.git.0.25d535c.el7.x86_64.rpm
atomic-openshift-clients-3.5.5.31.47-1.git.0.25d535c.el7.x86_64.rpm
atomic-openshift-clients-redistributable-3.5.5.31.47-1.git.0.25d535c.el7.x86_64.rpm
atomic-openshift-dockerregistry-3.5.5.31.47-1.git.0.25d535c.el7.x86_64.rpm
atomic-openshift-master-3.5.5.31.47-1.git.0.25d535c.el7.x86_64.rpm
atomic-openshift-node-3.5.5.31.47-1.git.0.25d535c.el7.x86_64.rpm
atomic-openshift-pod-3.5.5.31.47-1.git.0.25d535c.el7.x86_64.rpm
atomic-openshift-sdn-ovs-3.5.5.31.47-1.git.0.25d535c.el7.x86_64.rpm
atomic-openshift-tests-3.5.5.31.47-1.git.0.25d535c.el7.x86_64.rpm
cockpit-debuginfo-155-1.el7.x86_64.rpm
cockpit-kubernetes-155-1.el7.x86_64.rpm
tuned-profiles-atomic-openshift-node-3.5.5.31.47-1.git.0.25d535c.el7.x86_64.rpm

Red Hat OpenShift Container Platform 3.6:

Source:
atomic-openshift-3.6.173.0.63-1.git.0.855ea8b.el7.src.rpm
cockpit-155-1.el7.src.rpm
openshift-elasticsearch-plugin-2.4.4.17__redhat_1-3.el7.src.rpm

noarch:
atomic-openshift-docker-excluder-3.6.173.0.63-1.git.0.855ea8b.el7.noarch.rpm
atomic-openshift-excluder-3.6.173.0.63-1.git.0.855ea8b.el7.noarch.rpm
openshift-elasticsearch-plugin-2.4.4.17__redhat_1-3.el7.noarch.rpm

x86_64:
atomic-openshift-3.6.173.0.63-1.git.0.855ea8b.el7.x86_64.rpm
atomic-openshift-clients-3.6.173.0.63-1.git.0.855ea8b.el7.x86_64.rpm
atomic-openshift-clients-redistributable-3.6.173.0.63-1.git.0.855ea8b.el7.x86_64.rpm
atomic-openshift-cluster-capacity-3.6.173.0.63-1.git.0.855ea8b.el7.x86_64.rpm
atomic-openshift-dockerregistry-3.6.173.0.63-1.git.0.855ea8b.el7.x86_64.rpm
atomic-openshift-federation-services-3.6.173.0.63-1.git.0.855ea8b.el7.x86_64.rpm
atomic-openshift-master-3.6.173.0.63-1.git.0.855ea8b.el7.x86_64.rpm
atomic-openshift-node-3.6.173.0.63-1.git.0.855ea8b.el7.x86_64.rpm
atomic-openshift-pod-3.6.173.0.63-1.git.0.855ea8b.el7.x86_64.rpm
atomic-openshift-sdn-ovs-3.6.173.0.63-1.git.0.855ea8b.el7.x86_64.rpm
atomic-openshift-service-catalog-3.6.173.0.63-1.git.0.855ea8b.el7.x86_64.rpm
atomic-openshift-tests-3.6.173.0.63-1.git.0.855ea8b.el7.x86_64.rpm
cockpit-debuginfo-155-1.el7.x86_64.rpm
cockpit-kubernetes-155-1.el7.x86_64.rpm
tuned-profiles-atomic-openshift-node-3.6.173.0.63-1.git.0.855ea8b.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2017-12195
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2017 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFaKOk1XlSAg2UNWIIRAmaNAKCH1p1GgMUPywm7UwWsLR+ML5cZ2QCdFOMh
16iZ/jgy+rILRVlGeSq2A5c=
=oOgT
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWinOyYx+lLeg9Ub1AQjIWg//XfdXgMAtl/r+FiKUH5hGPH9M3ki2gCaI
4vWGhO9gnbccONQ0tUUOg9djNWri2p58nJ7xRnF+71DFveyRk5feNAOAHIn4UQ4z
P2QMHdzMuzUOb12Es37cZBkBOys8Tqz0o6mBQnvjg95SXAbbdWSp2sEWgi3C2hKd
HOf6cxSv9WTdTgkLiJJZ9F4W8/HLsIB8gAsCmRb3lI4wInSzfgVY+3/Iwh+a5JBq
qxgUryMX/CNPiKfBJRzVOCpoXnnSzwDY/JLlwLheMvgc5AnEU8BIHQKgJxouXJU2
K5kRfFZcK7LyerjlgNhLE3MjFjH0yAXpG9u/14VCJ9AAT7FzaCAccXSPuoMhLf76
X8DeLM+04OF1kx/5n4LVja3UjO+w1Y7ClcTNPXntizaUC1JAJXdt4/tABmsZ43OW
cpFGgRAsJjycJgG0MbRNRkdAEiMk7KLfxtyceNgmpd8wOTIDWQ8cZRYN6+M6w9Qh
Uy8lg/bpYVaieQ2VhNQO7uZHi3En904pfCHaM0L+6GnHYbCAmwUWPokyUnsh6Z+T
ZTpYA0kaf6h+Hlz1oez5gWr9ABDc0QCVjkotXP3FFmG1vtcgZ88+n5pWJ6r4cDyA
qO2n6LAIFoXhW6BaDHlBW/IvhpyGc94ix5VB2y4Fega9slHlMSN1KNSCHEUMlWJX
o3b3POwFDuM=
=6Icu
-----END PGP SIGNATURE-----
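The practical check behind this bulletin is whether the atomic-openshift and openshift-elasticsearch-plugin builds on a host are at or above the fixed builds in section 6 of the Red Hat advisory. The Python script below is an added illustration and is not part of the AusCERT or Red Hat bulletin: it parses `rpm -qa` output, implements rpm's version-segment comparison (rpmvercmp), and reports each tracked package as fixed or vulnerable per branch. The fixed version/release pairs are copied from the advisory's package list; the sample `rpm -qa` lines are constructed (the git hash in the first line is a placeholder), and the comparison assumes equal epochs and does not handle the newer `^` separator.

```python
"""Compare installed OpenShift RPMs with the fixed builds from RHSA-2017:3389.

Added illustration, not part of the advisory. FIXED is taken from the
advisory's package list; SAMPLE is constructed input, not a real host.
"""
import re

# name family -> [(branch version prefix, fixed version, fixed release)]
FIXED = {
    "atomic-openshift": [
        ("3.4.", "3.4.1.44.38", "1.git.0.d04b8d5.el7"),
        ("3.5.", "3.5.5.31.47", "1.git.0.25d535c.el7"),
        ("3.6.", "3.6.173.0.63", "1.git.0.855ea8b.el7"),
    ],
    "openshift-elasticsearch-plugin": [
        ("2.4.1.", "2.4.1.11__redhat_1", "3.el7"),
        ("2.4.4.", "2.4.4.17__redhat_1", "3.el7"),
    ],
}

# A version label is compared segment by segment: runs of digits, runs of
# letters, and the '~' pre-release marker; everything else is a separator.
_SEG = re.compile(r"[0-9]+|[A-Za-z]+|~")


def rpmvercmp(a, b):
    """Port of rpm's rpmvercmp(): -1 if a < b, 0 if equal, 1 if a > b.
    Numeric segments beat alphabetic ones, longer numbers (after stripping
    leading zeros) are newer, and '~' sorts before anything else."""
    if a == b:
        return 0
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x == "~" or y == "~":
            if x != "~":
                return 1
            if y != "~":
                return -1
            continue
        xnum, ynum = x.isdigit(), y.isdigit()
        if xnum != ynum:
            return 1 if xnum else -1
        if xnum:
            x, y = x.lstrip("0"), y.lstrip("0")
            if len(x) != len(y):
                return 1 if len(x) > len(y) else -1
        if x != y:
            return 1 if x > y else -1
    if len(sa) == len(sb):
        return 0
    # Whichever label still has segments wins, unless the leftover is '~'.
    a_longer = len(sa) > len(sb)
    rest = sa[len(sb):] if a_longer else sb[len(sa):]
    if rest[0] == "~":
        return -1 if a_longer else 1
    return 1 if a_longer else -1


def parse_nvra(line):
    """Split an `rpm -qa` line into (name, version, release, arch).
    Version and release never contain '-', so splitting from the right is safe."""
    base, arch = line.strip().rsplit(".", 1)
    name, version, release = base.rsplit("-", 2)
    return name, version, release, arch


def family(name):
    """Map a package name to its FIXED entry; all atomic-openshift subpackages
    (and the tuned profile) share the atomic-openshift build number."""
    if name.startswith("atomic-openshift") or name == "tuned-profiles-atomic-openshift-node":
        return "atomic-openshift"
    return name if name in FIXED else None


def check_package(line):
    """Return (name, status): 'fixed', 'vulnerable', 'untracked' or 'unknown-branch'."""
    name, version, release, _arch = parse_nvra(line)
    fam = family(name)
    if fam is None:
        return name, "untracked"
    for prefix, fixed_ver, fixed_rel in FIXED[fam]:
        if version.startswith(prefix):
            # Compare version first, then release (epochs assumed equal).
            order = rpmvercmp(version, fixed_ver) or rpmvercmp(release, fixed_rel)
            return name, "fixed" if order >= 0 else "vulnerable"
    return name, "unknown-branch"


def audit(rpm_qa_output):
    """Classify every package in `rpm -qa` output."""
    return [check_package(l) for l in rpm_qa_output.splitlines() if l.strip()]


# Constructed sample of `rpm -qa` output; the 0000000 hash is a placeholder.
SAMPLE = """\
atomic-openshift-3.6.173.0.49-1.git.0.0000000.el7.x86_64
atomic-openshift-node-3.6.173.0.63-1.git.0.855ea8b.el7.x86_64
openshift-elasticsearch-plugin-2.4.4.17__redhat_1-3.el7.noarch
openshift-elasticsearch-plugin-2.4.1.9__redhat_1-2.el7.noarch
cockpit-155-1.el7.x86_64
"""

if __name__ == "__main__":
    for name, status in audit(SAMPLE):
        print(f"{status:14} {name}")
```

On a real host, pipe `rpm -qa` into `audit()` instead of SAMPLE; a mixed result such as the one above (node package updated, master package not) is exactly the partial-upgrade state worth catching before the logging stack is redeployed.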