ESB-2018.1878 - [RedHat] Red Hat OpenShift Enterprise: Multiple vulnerabilities 2018-06-28


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.1878
OpenShift Container Platform 3.9 security, bug fix, and enhancement update
                               28 June 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Red Hat OpenShift Enterprise
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Denial of Service               -- Existing Account
                   Unauthorised Access             -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-10843 CVE-2018-1085 CVE-2018-1070

Reference:         ESB-2018.1866
                   ESB-2018.1805

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2018:2013

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: OpenShift Container Platform 3.9 security, bug fix, and enhancement update
Advisory ID:       RHSA-2018:2013-01
Product:           Red Hat OpenShift Enterprise
Advisory URL:      https://access.redhat.com/errata/RHSA-2018:2013
Issue date:        2018-06-27
CVE Names:         CVE-2018-1070 CVE-2018-1085 CVE-2018-10843 
=====================================================================

1. Summary:

Red Hat OpenShift Container Platform release 3.9.31 is now available with
updates to packages and images that address security issues, fix several
bugs, and add enhancements.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenShift Container Platform 3.9 - noarch, x86_64

3. Description:

Red Hat OpenShift Container Platform is the company's cloud computing
Platform-as-a-Service (PaaS) solution designed for on-premise or private
cloud deployments.

This advisory contains the RPM packages for Red Hat OpenShift Container
Platform 3.9.31. See the following advisory for the container images for
this release:

https://access.redhat.com/errata/RHBA-2018:2014

Security Fix(es):

* routing: Malicious Service configuration can bring down routing for an
entire shard (CVE-2018-1070)

* openshift-ansible: Incorrectly quoted values in etcd.conf causes
disabling of SSL client certificate authentication (CVE-2018-1085)

* source-to-image: Builder images with assembler-user LABEL set to root
allows attackers to execute arbitrary code (CVE-2018-10843)
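Two of the three fixes above are, at bottom, configuration problems an administrator can audit directly: CVE-2018-1085 is an etcd.conf value that did not come out as the boolean `true` etcd expects, and CVE-2018-10843 is a builder image whose assemble step runs as root. The script below is an added example written for this bulletin, not Red Hat or OpenShift code. It assumes that /etc/etcd/etcd.conf is a KEY=VALUE environment file whose relevant key is `ETCD_CLIENT_CERT_AUTH`, that the S2I label selecting the assemble user is `io.openshift.s2i.assemble-user` (the name used in s2i documentation) with the image's USER applying when the label is absent, and that a simplified one-layer unquoting is close enough to how such a file is read; the sample inputs are constructed, not taken from a cluster. The routing issue (CVE-2018-1070) is not covered, because the advisory gives no detail on the triggering Service configuration.

```python
"""Pre-upgrade audit for two of the issues above (added example, not
Red Hat's code).  Assumptions not stated in the advisory:
  * /etc/etcd/etcd.conf is a KEY=VALUE environment file and the client
    certificate setting is ETCD_CLIENT_CERT_AUTH; the unquoting below is a
    simplified model of how such a file is read, not systemd's exact rules.
  * The S2I label that picks the assemble user is
    io.openshift.s2i.assemble-user (the name used in s2i documentation), and
    when it is absent the image's USER applies, with an empty USER meaning root.
"""
import json

# Boolean spellings accepted by Go's strconv.ParseBool; etcd is written in Go
# and its boolean flags are parsed this way.  Anything else is not "true".
_GO_TRUE = {"1", "t", "T", "TRUE", "true", "True"}
_GO_FALSE = {"0", "f", "F", "FALSE", "false", "False"}

ASSEMBLE_USER_LABEL = "io.openshift.s2i.assemble-user"
_ROOT = {"0", "root"}


def _unquote(raw: str) -> str:
    """Strip exactly one layer of surrounding quotes (simplified model)."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "\"'":
        return raw[1:-1]
    return raw


def parse_env_file(text: str) -> dict:
    """Parse KEY=VALUE lines, skipping blanks and comments."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = _unquote(value)
    return env


def etcd_client_cert_auth_status(conf_text: str) -> str:
    """'enabled', 'disabled', or 'invalid:<value>' for ETCD_CLIENT_CERT_AUTH.

    A value that is not a Go boolean (for example a doubly quoted "true") is
    reported as invalid rather than trusted: the one thing the advisory tells
    us is that mis-quoting here ended with client certificate auth off.
    """
    value = parse_env_file(conf_text).get("ETCD_CLIENT_CERT_AUTH")
    if value is None:
        return "disabled"  # etcd's default when --client-cert-auth is not set
    if value in _GO_TRUE:
        return "enabled"
    if value in _GO_FALSE:
        return "disabled"
    return f"invalid:{value}"


def s2i_assemble_user_is_root(inspect_json: str) -> bool:
    """True if a builder image's assemble step would run as root.

    Takes `docker inspect <image>` style JSON (a list with one entry).
    The label wins over USER; "1001:0" means uid 1001 in group 0, so only
    the part before ':' is the user.
    """
    cfg = json.loads(inspect_json)[0]["Config"]
    labels = cfg.get("Labels") or {}
    user = labels.get(ASSEMBLE_USER_LABEL) or cfg.get("User") or "root"
    return user.split(":", 1)[0].strip() in _ROOT


# Constructed sample inputs (not taken from a real cluster).
GOOD_ETCD_CONF = 'ETCD_NAME=master-0\nETCD_CLIENT_CERT_AUTH="true"\n'
BAD_ETCD_CONF = "ETCD_NAME=master-0\nETCD_CLIENT_CERT_AUTH='\"true\"'\n"

SAFE_BUILDER_JSON = json.dumps([{"Config": {
    "User": "1001",
    "Labels": {ASSEMBLE_USER_LABEL: "1001"}}}])
ROOT_BUILDER_JSON = json.dumps([{"Config": {
    "User": "1001",  # USER is non-root, but the label overrides it
    "Labels": {ASSEMBLE_USER_LABEL: "root"}}}])


def audit_findings(etcd_conf: str, builder_inspect_json: str) -> list:
    """Collect human-readable findings; an empty list means both checks pass."""
    findings = []
    status = etcd_client_cert_auth_status(etcd_conf)
    if status != "enabled":
        findings.append(f"etcd client cert auth is {status} (CVE-2018-1085)")
    if s2i_assemble_user_is_root(builder_inspect_json):
        findings.append("builder image assembles as root (CVE-2018-10843)")
    return findings


if __name__ == "__main__":
    for finding in audit_findings(BAD_ETCD_CONF, ROOT_BUILDER_JSON):
        print("FINDING:", finding)
```

Reading the file only shows what was written, not what etcd did with it. The authoritative check for the etcd side is behavioural: a TLS connection to the client port that presents no client certificate must be refused once client certificate authentication is on. For the builder side, the audit is worth running against every builder image a project is allowed to pull, not only the ones Red Hat ships, since any image with that label is a builder image from s2i's point of view.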

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Red Hat would like to thank David Hocky (Comcast) for reporting
CVE-2018-1085. The CVE-2018-1070 issue was discovered by Mark Chappell (Red
Hat) and the CVE-2018-10843 issue was discovered by Jeremy Choi (Red Hat).

Space precludes documenting all of the bug fixes and enhancements in this
advisory. See the following Release Notes documentation, which will be
updated shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/3.9/release_notes/ocp_3_9_release_notes.html

All OpenShift Container Platform 3.9 users are advised to upgrade to these
updated packages and images.

4. Solution:

For OpenShift Container Platform 3.9 see the following documentation, which
will be updated shortly for release 3.9.31, for important instructions on
how to upgrade your cluster and fully apply this asynchronous errata
update:

https://docs.openshift.com/container-platform/3.9/release_notes/ocp_3_9_release_notes.html

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/articles/11258.

5. Bugs fixed (https://bugzilla.redhat.com/):

1466390 - [RFE] add selector option to oadm drain
1498398 - Incomplete default configuration for secure-forward
1506175 - Should not meet "lookup failed" and "incorrect username or password" when new-app with public image in project having fake docker secret
1507429 - [tsb]Some error message shown when describe serviceinstance
1512042 - Local Registry Adapter should not display APBs that can't be deployed from a namespace other than 'openshift'
1525642 - immortal namespace are not immortal (as we claim them to be)
1529575 - [3.9] Updating etcd does not update the etcd config with new variables
1531096 - Prometheus fills up entire storage space
1534311 - [3.8]apiserver pod of service catalog in CrashLoopBackOff status after upgrading to v3.8
1534894 - apb prepare -f fail with error
1537872 - Azure need set virt_use_samba
1538215 - [DOCKER] Eviction manager errors in node logs
1539252 - Failed to push image to OCP internal image registry on EC2
1539310 - ASB bootstrap fail while using file authenticate type since failed to read registry credentials from file
1539529 - `oc apply --force` will delete resource when failing to apply
1539757 - async unbind returns 200 instead of 202
1540819 - Failed to unbind after deleting templateinstance with servicebinding existing
1541212 - prometheus fails compaction
1541350 - Namespace goes in "terminating" state due to unprovisioned ServiceInstance
1542387 - Unable to retrieve image names from rhcc(stage) registry
1542460 - When jenkins in one project and pipeline in other project. View log link points to wrong URL.
1546097 - Master controllers are using high amount of CPU after upgrade to 3.7
1546324 - Manifest does not match provided manifest digest
1546936 - Setting up of prometheus using ansible fails
1548677 - Upgrade failed due to ovs2.9 can not start while selinux-policy was not updated
1549060 - Should be correct 'openshift' link on about page
1549454 - Etcd scale-up failed when running as system container on RHEL
1550193 - openshift jenkins rhel image release to release migration not working
1550316 - Synchronize openvswitch 2.9 to mirror fastdatapath repo
1550385 - Update *sql-apb plan or version failed in 'behind proxy' env
1550591 - Mirror openshift3/prometheus-node-exporter on external mirror
1553012 - Duplicated node-labels in node-config.yaml while enabling cri-o
1553035 - CVE-2018-1070 Routing: Malicious Service configuration can bring down routing for an entire shard.
1553294 - [3.9] various auto-egress IP problems
1554141 - Unable to delete serviceinstance
1554145 - [apb] Newer version of APB tool fails with `apb remove` on a 3.7 version of broker
1554239 - [ASB] Delete project failed even if provision serviceinstances success
1557040 - Missing v.3.9 openshift3/metrics-cassandra metrics-hawkular-metrics and metrics-heapster images from registry.reg-aws.openshift.com
1557822 - CVE-2018-1085 openshift-ansible: Incorrectly quoted values in etcd.conf causes disabling of SSL client certificate authentication
1558183 - [starter-ca-central-1] builds in pending state indefinitely
1558997 - Issue when deploying Jenkins instances which have routes on various sharded routers
1560311 - [3.9] oc adm migrate storage produces error as signature annotations forbidden
1563150 - openshift3/ose image contains centos repository for RHEL7 based image
1563673 - [RFE] Add timeout when draining a node for update
1566238 - upgrade from v3.7 to v3.9 fails with openshift-ansible-3.9.20-1.git.0.f99fb43.el7
1568815 - Service Catalog does not refresh ClusterServicePlan after removing from catalog
1569030 - OpenShift Container Platform 3.9.z APB image refresh
1570065 - Ansible Service Broker fails to deploy due to missing namespace argument
1570581 - There is wrong version of atomic-openshift-web-console rpm within web-console image
1571601 - [3.9] Certificate expiry playbook couldn't work
1571944 - Stack trace from github.com/openshift/origin/pkg/image/trigger/deploymentconfigs.calculateDeploymentConfigTrigger
1572786 - [3.9] RFE - Need a way to upgrade OS during upgrade
1579096 - CVE-2018-10843 source-to-image: Builder images with assembler-user LABEL set to root allows attackers to execute arbitrary code
1580538 - Unable to disallow project creation from system:authenticated users after upgrade to 3.9
1583895 - [APB] mysql-apb update from 5.6 to 5.7 failed
1585243 - [3.9] Entire cluster goes to NotReady using a NetworkPolicy that contains an ingress ipBlock section
1586076 - API server crashes when using old format of webhook triggers in build Configs
1588009 - Deploying logging on a system where /tmp mounted with noexec option fails
1588768 - [3.9] Unqualified image is completed with "docker.io"

6. Package List:

Red Hat OpenShift Container Platform 3.9:

Source:
atomic-openshift-3.9.31-1.git.0.ef9737b.el7.src.rpm
atomic-openshift-descheduler-3.9.13-1.git.267.bb59a3f.el7.src.rpm
atomic-openshift-node-problem-detector-3.9.13-1.git.167.5d6b0d4.el7.src.rpm
atomic-openshift-web-console-3.9.31-1.git.246.bded6a4.el7.src.rpm
golang-github-prometheus-node_exporter-3.9.31-1.git.890.a55de06.el7.src.rpm
mysql-apb-role-1.1.11-1.el7.src.rpm
openshift-ansible-3.9.31-1.git.34.154617d.el7.src.rpm

noarch:
atomic-openshift-docker-excluder-3.9.31-1.git.0.ef9737b.el7.noarch.rpm
atomic-openshift-excluder-3.9.31-1.git.0.ef9737b.el7.noarch.rpm
atomic-openshift-utils-3.9.31-1.git.34.154617d.el7.noarch.rpm
mysql-apb-role-1.1.11-1.el7.noarch.rpm
openshift-ansible-3.9.31-1.git.34.154617d.el7.noarch.rpm
openshift-ansible-docs-3.9.31-1.git.34.154617d.el7.noarch.rpm
openshift-ansible-playbooks-3.9.31-1.git.34.154617d.el7.noarch.rpm
openshift-ansible-roles-3.9.31-1.git.34.154617d.el7.noarch.rpm

x86_64:
atomic-openshift-3.9.31-1.git.0.ef9737b.el7.x86_64.rpm
atomic-openshift-clients-3.9.31-1.git.0.ef9737b.el7.x86_64.rpm
atomic-openshift-clients-redistributable-3.9.31-1.git.0.ef9737b.el7.x86_64.rpm
atomic-openshift-cluster-capacity-3.9.31-1.git.0.ef9737b.el7.x86_64.rpm
atomic-openshift-descheduler-3.9.13-1.git.267.bb59a3f.el7.x86_64.rpm
atomic-openshift-dockerregistry-3.9.31-1.git.351.1bd46ed.el7.x86_64.rpm
atomic-openshift-federation-services-3.9.31-1.git.0.ef9737b.el7.x86_64.rpm
atomic-openshift-master-3.9.31-1.git.0.ef9737b.el7.x86_64.rpm
atomic-openshift-node-3.9.31-1.git.0.ef9737b.el7.x86_64.rpm
atomic-openshift-node-problem-detector-3.9.13-1.git.167.5d6b0d4.el7.x86_64.rpm
atomic-openshift-pod-3.9.31-1.git.0.ef9737b.el7.x86_64.rpm
atomic-openshift-sdn-ovs-3.9.31-1.git.0.ef9737b.el7.x86_64.rpm
atomic-openshift-service-catalog-3.9.31-1.git.0.ef9737b.el7.x86_64.rpm
atomic-openshift-template-service-broker-3.9.31-1.git.0.ef9737b.el7.x86_64.rpm
atomic-openshift-tests-3.9.31-1.git.0.ef9737b.el7.x86_64.rpm
atomic-openshift-web-console-3.9.31-1.git.246.bded6a4.el7.x86_64.rpm
prometheus-node-exporter-3.9.31-1.git.890.a55de06.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2018-1070
https://access.redhat.com/security/cve/CVE-2018-1085
https://access.redhat.com/security/cve/CVE-2018-10843
https://access.redhat.com/security/updates/classification/#important
https://docs.openshift.com/container-platform/3.9/release_notes/ocp_3_9_release_notes.html

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2018 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
