ESB-2018.3529 - [RedHat] Red Had OpenShift Container Platform: Denial of service - Existing account 2018-11-12

Printable version
PGP/GPG verifiable version

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.3529
   Red Hat OpenShift Container Platform 3.10 security and bug fix update
                             12 November 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Red Had OpenShift Container Platform
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Denial of Service -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-14632  

Reference:         ESB-2018.2898

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2018:2709

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat OpenShift Container Platform 3.10 security and bug fix update
Advisory ID:       RHSA-2018:2709-01
Product:           Red Hat OpenShift Enterprise
Advisory URL:      https://access.redhat.com/errata/RHSA-2018:2709
Issue date:        2018-11-11
CVE Names:         CVE-2018-14632 
=====================================================================

1. Summary:

Red Hat OpenShift Container Platform release 3.10.66 is now available with
updates to packages and images that fix several security, bug, and add
enhancements.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenShift Container Platform 3.10 - noarch, ppc64le, x86_64

3. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.

This advisory contains the RPM packages for Red Hat OpenShift Container
Platform 3.10.66. See the following advisory for the container images for
this release:

https://access.redhat.com/errata/RHBA-2018:2824

Security Fix(es):

* atomic-openshift: oc patch with json causes masterapi service crash
(CVE-2018-14632)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Red Hat would like to thank Lars Haugan for reporting this issue.

All OpenShift Container Platform 3.10 users are advised to upgrade to these
updated packages and images.

Bug Fix(es):

* During etcd scaleup, facts about the etcd cluster are required to add new
hosts. This bug fix adds the necessary tasks to ensure those facts get set
before configuring new hosts, and therefore, allow the scaleup to complete
as expected. (BZ#1578482)

* Previously, sync pod was not available when the Prometheus install
checked for available nodes. As a consequence, if a custom label was used
for the Prometheus install to select an appropriate node, the sync pods
must have already applied the label to the nodes. Otherwise, the Prometheus
installer would not find any nodes with a matching label. This bug fix adds
a check to the install process to wait for sync pods to become available
before continuing. As a result, the node labeling process will complete,
and the nodes will have the correct labels for the Prometheus pod to be
scheduled. (BZ#1609019)

* This bug fix corrects an issue where a pod is stuck terminating due to
I/O errors on a FlexVolume mounted on the XFS file system. (BZ#1626054)

* Previously, fluentd generated events internally with the `OneEventStream`
class. This class does not have the `empty?` method. The Kubernetes
metadata filter used the `empty?` method on the `EventStream` object to
avoid processing an empty stream. Fluentd issued error messages about the
missing `empty?` method, which overwhelmed container logging and caused
disk issues. This bug fix changed the Kubernetes metadata filter only to
call the `empty?` method on objects that have this method. As a result,
fluentd logs do not contain this message. (BZ#1626552)

* RubyGems FFI 1.9.25 reverted a patch which allowed it to work on systems
with `SELinux deny_execmem=1`. This reversion caused fluentd to crash. This
bug reverts the patch reversion. As a result, fluentd does not crash when
using `SELinux deny_execmem=1`. (BZ#1628405)

* This bug fix updates the *_redeploy-openshift-ca.yml_* playbook to
reference the correct node client certificate file, `node/client-ca.crt`.
(BZ#1628546)

* The fix for BZ1628371 introduced a poorly built shared library with a
missing symbol. This missing symbol caused fluentd to crash with an
"undefined symbol: rbffi_Closure_Alloc" error message. This bug fix
rebuilds the shared library with the correct symbols. As a result, fluentd
does not crash. (BZ#1628798)

* Previously, when using Docker with the journald log driver, all container
logs, including system and plain Docker container logs, were logged to the
journal, and read by fluentd. Fluentd did not know how to handle these
non-Kubernetes container logs and threw exceptions. This bug fix treats
non-Kubernetes container logs as logs from other system services, for
example, sending them to the .operations.* index. As a result, logs from
non-Kubernetes containers are indexed correctly and do not cause any
errors. (BZ#1632361)

4. Solution:

See the release notes documentation for important instructions on how to
upgrade your cluster and fully apply this asynchronous errata update:

https://docs.openshift.com/container-platform/3.10/release_notes/ocp_3_10_r
elease_notes.html

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/articles/11258.

5. Bugs fixed (https://bugzilla.redhat.com/):

1577955 - Router pod fails to deploy during installation
1578482 - OCP 3.10:  etcd scaleup on CRI-O HA cluster fails with dict object has no attribute etcd_ip error
1594187 - Openshift-on-OpenStack playbook increase watch_retry_timeout for kuryr-cni
1608476 - OpenShift-Ansible ignores oreg_url for registry-console Docker image
1609019 - Prometheus deployment failed due to "No schedulable nodes found matching node selector" but it is not true
1609703 - APP pod unable to start after target port failure in cases where single paths are mounted on APP pods(BZ#1599742)
1614414 - OpenShift 3.10 Missing CA for LDAP Config
1615327 - upgrade fails when restarting nodes object has no attribute status
1619886 - OCP installer provisioning of instances playbook always fails first time running
1623602 - [3.10] installer oreg_url doesn't serve as universal url - needs to
1625885 - CVE-2018-14632 atomic-openshift: oc patch with json causes masterapi service crash
1625911 - Could not find csr for nodes - Bootstrapping task
1626054 - [3.10] Pod stuck in terminating while a volume mounted with flexvolume driver and XFS filesystem
1626552 - [3.10] fluentd pods are running with error logs which makes fill up disk very quickly.
1627764 - master static pod failed to start when LDAP auth is set
1628405 - [3.10] Fluentd pods failed to start after an update to 3.9.41 when deny_execmem=1 on nodes
1628546 - [3.10] Redeploy openshift ca playbook failed
1628798 - [3.10] Fluentd pod crashes with "undefined symbol: rbffi_Closure_Alloc"
1628964 - Could not find csr for node when using cni plugin
1629579 - Image efs-provisioner need to update to ose-efs-provisioner in OCP3.10
1631021 - Fail to atomic pull node image due to docker service was stopped in previous task
1631449 - RBD bind mount on RHEL does not transistively acquire _netdev from original mount
1632361 - [3.10] Fluentd cannot handle S2I Logs
1632418 - iSCSI doesn't give enough time multipathd to create multipath device
1632862 - [3.10] Could not find csr for node when using cni plugin
1632863 - [3.10] upgrade failed at TASK [openshift_node : Approve node certificates when bootstrapping]
1632865 - [3.10] Fail to atomic pull node image due to docker service was stopped in previous task
1633571 - Openshift-on-Openstack uninstall playbook failure in Remove RedHat subscriptions task
1638519 - [3.10] Ability to install a cluster with a mix of Docker and CRI-O nodes
1638521 - [3.10] Upgrade fails at "Set node schedulability"
1638525 - [3.10] Validation of static pod fails due to inconsistent names
1638899 - [3.10] Record is missing kubernetes field when use  '--log-driver journald' in /etc/sysconfig/docker
1642052 - [3.10] Registry doesn't honors openshift_additional_ca

6. Package List:

Red Hat OpenShift Container Platform 3.10:

Source:
atomic-enterprise-service-catalog-3.10.66-1.git.1450.b758bdb.el7.src.rpm
atomic-openshift-3.10.66-1.git.0.91d1e89.el7.src.rpm
atomic-openshift-descheduler-3.10.66-1.git.299.e466391.el7.src.rpm
atomic-openshift-dockerregistry-3.10.66-1.git.390.77310f8.el7.src.rpm
atomic-openshift-node-problem-detector-3.10.66-1.git.198.2fcf818.el7.src.rpm
atomic-openshift-web-console-3.10.66-1.git.389.adbeb58.el7.src.rpm
golang-github-prometheus-node_exporter-3.10.66-1.git.1060.f6046fd.el7.src.rpm
haproxy-1.8.14-2.el7.src.rpm
image-inspector-2.4.0-3.el7.src.rpm
openshift-ansible-3.10.66-1.git.0.3c3a83a.el7.src.rpm
openshift-enterprise-cluster-capacity-3.10.66-1.git.380.aef3728.el7.src.rpm
openshift-monitor-project-lifecycle-3.10.66-1.git.59.57c03d5.el7.src.rpm
perl-IO-String-1.08-20.el7.src.rpm
python-py-1.4.32-2.el7.src.rpm
python-setuptools-17.1.1-4.el7.src.rpm
rubygem-ffi-1.9.25-4.el7_5.src.rpm

noarch:
atomic-openshift-docker-excluder-3.10.66-1.git.0.91d1e89.el7.noarch.rpm
atomic-openshift-excluder-3.10.66-1.git.0.91d1e89.el7.noarch.rpm
openshift-ansible-3.10.66-1.git.0.3c3a83a.el7.noarch.rpm
openshift-ansible-docs-3.10.66-1.git.0.3c3a83a.el7.noarch.rpm
openshift-ansible-playbooks-3.10.66-1.git.0.3c3a83a.el7.noarch.rpm
openshift-ansible-roles-3.10.66-1.git.0.3c3a83a.el7.noarch.rpm
perl-IO-String-1.08-20.el7.noarch.rpm
python-py-1.4.32-2.el7.noarch.rpm
python-setuptools-17.1.1-4.el7.noarch.rpm

ppc64le:
atomic-enterprise-service-catalog-3.10.66-1.git.1450.b758bdb.el7.ppc64le.rpm
atomic-enterprise-service-catalog-svcat-3.10.66-1.git.1450.b758bdb.el7.ppc64le.rpm
atomic-openshift-3.10.66-1.git.0.91d1e89.el7.ppc64le.rpm
atomic-openshift-clients-3.10.66-1.git.0.91d1e89.el7.ppc64le.rpm
atomic-openshift-descheduler-3.10.66-1.git.299.e466391.el7.ppc64le.rpm
atomic-openshift-dockerregistry-3.10.66-1.git.390.77310f8.el7.ppc64le.rpm
atomic-openshift-hyperkube-3.10.66-1.git.0.91d1e89.el7.ppc64le.rpm
atomic-openshift-hypershift-3.10.66-1.git.0.91d1e89.el7.ppc64le.rpm
atomic-openshift-master-3.10.66-1.git.0.91d1e89.el7.ppc64le.rpm
atomic-openshift-node-3.10.66-1.git.0.91d1e89.el7.ppc64le.rpm
atomic-openshift-node-problem-detector-3.10.66-1.git.198.2fcf818.el7.ppc64le.rpm
atomic-openshift-pod-3.10.66-1.git.0.91d1e89.el7.ppc64le.rpm
atomic-openshift-sdn-ovs-3.10.66-1.git.0.91d1e89.el7.ppc64le.rpm
atomic-openshift-template-service-broker-3.10.66-1.git.0.91d1e89.el7.ppc64le.rpm
atomic-openshift-tests-3.10.66-1.git.0.91d1e89.el7.ppc64le.rpm
atomic-openshift-web-console-3.10.66-1.git.389.adbeb58.el7.ppc64le.rpm
haproxy-debuginfo-1.8.14-2.el7.ppc64le.rpm
haproxy18-1.8.14-2.el7.ppc64le.rpm
image-inspector-2.4.0-3.el7.ppc64le.rpm
openshift-enterprise-cluster-capacity-3.10.66-1.git.380.aef3728.el7.ppc64le.rpm
openshift-monitor-project-lifecycle-3.10.66-1.git.59.57c03d5.el7.ppc64le.rpm
prometheus-node-exporter-3.10.66-1.git.1060.f6046fd.el7.ppc64le.rpm
rubygem-ffi-1.9.25-4.el7_5.ppc64le.rpm
rubygem-ffi-debuginfo-1.9.25-4.el7_5.ppc64le.rpm

x86_64:
atomic-enterprise-service-catalog-3.10.66-1.git.1450.b758bdb.el7.x86_64.rpm
atomic-enterprise-service-catalog-svcat-3.10.66-1.git.1450.b758bdb.el7.x86_64.rpm
atomic-openshift-3.10.66-1.git.0.91d1e89.el7.x86_64.rpm
atomic-openshift-clients-3.10.66-1.git.0.91d1e89.el7.x86_64.rpm
atomic-openshift-clients-redistributable-3.10.66-1.git.0.91d1e89.el7.x86_64.rpm
atomic-openshift-descheduler-3.10.66-1.git.299.e466391.el7.x86_64.rpm
atomic-openshift-dockerregistry-3.10.66-1.git.390.77310f8.el7.x86_64.rpm
atomic-openshift-hyperkube-3.10.66-1.git.0.91d1e89.el7.x86_64.rpm
atomic-openshift-hypershift-3.10.66-1.git.0.91d1e89.el7.x86_64.rpm
atomic-openshift-master-3.10.66-1.git.0.91d1e89.el7.x86_64.rpm
atomic-openshift-node-3.10.66-1.git.0.91d1e89.el7.x86_64.rpm
atomic-openshift-node-problem-detector-3.10.66-1.git.198.2fcf818.el7.x86_64.rpm
atomic-openshift-pod-3.10.66-1.git.0.91d1e89.el7.x86_64.rpm
atomic-openshift-sdn-ovs-3.10.66-1.git.0.91d1e89.el7.x86_64.rpm
atomic-openshift-template-service-broker-3.10.66-1.git.0.91d1e89.el7.x86_64.rpm
atomic-openshift-tests-3.10.66-1.git.0.91d1e89.el7.x86_64.rpm
atomic-openshift-web-console-3.10.66-1.git.389.adbeb58.el7.x86_64.rpm
haproxy-debuginfo-1.8.14-2.el7.x86_64.rpm
haproxy18-1.8.14-2.el7.x86_64.rpm
image-inspector-2.4.0-3.el7.x86_64.rpm
openshift-enterprise-cluster-capacity-3.10.66-1.git.380.aef3728.el7.x86_64.rpm
openshift-monitor-project-lifecycle-3.10.66-1.git.59.57c03d5.el7.x86_64.rpm
prometheus-node-exporter-3.10.66-1.git.1060.f6046fd.el7.x86_64.rpm
rubygem-ffi-1.9.25-4.el7_5.x86_64.rpm
rubygem-ffi-debuginfo-1.9.25-4.el7_5.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2018-14632
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2018 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBW+hbatzjgjWX9erEAQhcGBAAlweGshGT7w4jvXgUC1bZUHdQSMiF+g2D
6rZYMgcL1r6yG5oiNa4jyPmuTh4k76SCTFNKVwUa5CD8jPI/V8KSKKReA2HtsxhF
FLp86g3HyQ0X4jeE5i7fsKpgFRv4WJz3UtzM6TvfBOWzYN+dkk0xTGZji/jzeWb4
FRcgmCeYv2H33W0diUgiVpFyOSECqyWsqM6JN2fVUXIF1FM5EaGVRMqWNCRiWzO1
TaCHOhdZJXQR08AQsBYc9xEL3Zq8c32W4tvPNmcS+HBMYd4TLMveXfqlwBE5cOyA
A6MFLFSBG7R13h0U8Y7O6YdXeQ8vdMdCU3ExeA1jqgyZs/dc4wisHZRIgYDyVwxO
BqRnvdVxwJzTUaWM5AOFqH58V9FBfNJqcy0nq3oL8cYIFUUGvHSachpsx3V7GOOi
4ivl4nraQuxjqsMuLyz4WSpfPB3Od+ca2cCTOSD42zjcmRe6/imUgR6E+EaQQVnI
Ckc14PXpFA94QyVDNzBgYT6WepHwZHTn1apMaXNN2kVUYrga+6qiaei+kIobQnzs
SGAW3ha5ckbl+bMlsQCErT5BxdsKVSEUdw84VwiEKq0DPM50Fnl8jl7IaXzFeDe8
/+ahdvfZXhfc2PujIAriKPHLci+YJQ/ulnukicK3r/AH5g16HvtRKixd2mjLnOAt
sAjCYXTpyvA=
=aYqe
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBW+i/C2aOgq3Tt24GAQia+RAAieZ2M0WhffZUQEyKyTIcLYH79KdJ+8O4
iB5q+GOxtmb/iY0Qj7f+5DActaXqvImG2e/EqksAlFt18ld1OGSZ5HA6bSWEYouo
1fy3w0825POaclnzbDsRhsj8C3xUuPNFd+upspp2fhsWv5wsQPuL1iJDaxxSyZvj
xmk7dHbnMzE38b8mhNZSTnMCyoivIRuZJZLKtg6fGJaJBwjgkkwq4+pK+gpSnj6H
i/4BfaputKbGdLPXHECMrYZp6qAKgjjBTtvEJ5+Qy7tUwRP10XEogRKGXToJNpj/
4f+JANV3OywRT7K0+onPAIeamKDvfdW1gKrvYzyJmL5ZB7nBms1/UiIgHE+ZrK07
lNUn4WeJK+d6+FiiQIx5G/und6abHjkcZ9H6OEX0FX4p/KkwGx4kiWKtAIYYb0/c
YUNNNp5Q48I9Zpy32D+NOA22fYkSeh6g/3rz+iPmcvxBrZkj35Y1eO+z9XNr80kD
GmAji71FkyzFC9L2sy1LcZVipIZoGsA9A2qT+0eMmyDHy/dTcO1guJnet18Phoj8
p88e8no7xbh/ks0RWc67UVyBkeFqcskOt9gwRco1oOZxdLQWrDMCO4DksRhT2ySe
dzi+YXHrVLMI1fDO27w5QZ93DQXP857IkV8RuViP5UMtM3wiIIflvtaqmwMI5eGH
Uij80IdyZuE=
=Ez6s
-----END PGP SIGNATURE-----

« Back to bulletins