ESB-2018.3610 - [RedHat] Red Hat OpenShift Container Platform 3.9: Denial of service - Existing account 2018-11-21

Printable version
PGP/GPG verifiable version

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.3610
       Important: Red Hat OpenShift Container Platform 3.9 security
                            and bug fix update
                             21 November 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Red Hat OpenShift Container Platform 3.9
Publisher:         Red Hat
Operating System:  Red Hat Enterprise Linux Server 7
Impact/Access:     Denial of Service -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-14632  

Reference:         ESB-2018.3529
                   ESB-2018.2898

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2018:2908

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat OpenShift Container Platform 3.9 security and bug fix update
Advisory ID:       RHSA-2018:2908-01
Product:           Red Hat OpenShift Enterprise
Advisory URL:      https://access.redhat.com/errata/RHSA-2018:2908
Issue date:        2018-11-20
CVE Names:         CVE-2018-14632 
=====================================================================

1. Summary:

Red Hat OpenShift Container Platform release 3.9.51 is now available with
updates to packages and images that fix several bugs.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenShift Container Platform 3.9 - noarch, x86_64

3. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing
Kubernetes application platform solution designed for on-premise or private
cloud deployments.

This advisory contains the RPM packages for Red Hat OpenShift Container
Platform 3.9.51. See the following advisory for the container images for
this release:

https://access.redhat.com/errata/RHBA-2018:2907

Security Fix:

* atomic-openshift: oc patch with json causes masterapi service crash
(CVE-2018-14632)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Red Hat would like to thank Lars Haugan for reporting this issue.

Bug Fixes:

* Events on `storage` in Internet Explorer 11 were triggered in the same
window tab, whereas in other browsers, the events were triggered in
duplicate tabs. This issue caused the request to time out when logging into
the console in Internet Explorer 11. This bug fix enables
`inactivityLogoutKey`, and ensures that all tabs are logged out before
timing out. As a result, Internet Explorer 11 logs out on the same
conditions as other browsers. (BZ#1607150)

* Previously, fluentd generated events internally with the `OneEventStream`
class. This class does not have the `empty?` method. The Kubernetes
metadata filter used the `empty?` method on the `EventStream` object to
avoid processing an empty stream. Fluentd issued error messages about the
missing `empty?` method, which overwhelmed container logging and caused
disk issues. This bug fix changed the Kubernetes metadata filter only to
call the `empty?` method on objects that have this method. As a result,
fluentd logs do not contain this message. (BZ#1626281)

* RubyGems FFI 1.9.25 reverted a patch which allowed it to work on systems
with `SELinux deny_execmem=1`. This reversion caused fluentd to crash. This
bug reverts the patch reversion. As a result, fluentd does not crash when
using `SELinux deny_execmem=1`. (BZ#1628371)

* The fix for BZ1628371 introduced a poorly built shared library with a
missing symbol. This missing symbol caused fluentd to crash with an
"undefined symbol: rbffi_Closure_Alloc" error message. This bug fix
rebuilds the shared library with the correct symbols. As a result, fluentd
does not crash. (BZ#1628799)

* Previously, the `json` was the default log format for an audit. This
format caused the audit log to print using JSON format. This bug fix allows
you to set the format as specified in *_master-config.yaml_*. As a result,
the audit log contains values per configured log format. (BZ#1631087)

* Previously, when using Docker with the journald log driver, all container
logs, including system and plain Docker container logs, were logged to the
journal, and read by fluentd. Fluentd did not know how to handle these
non-Kubernetes container logs and threw exceptions. This bug fix treats
non-Kubernetes container logs as logs from other system services, for
example, sending them to the .operations.* index. As a result, logs from
non-Kubernetes containers are indexed correctly and do not cause any
errors. (BZ#1632130)

All OpenShift Container Platform 3.9 users are advised to upgrade to these
updated packages and images.

4. Solution:

Before applying this update, ensure all previously released errata relevant
to your system have been applied.

See the following documentation, which will be updated shortly for release
3.9.51, for important instructions on how to upgrade your cluster and fully
apply this asynchronous errata update:

https://docs.openshift.com/container-platform/3.9/release_notes/ocp_3_9_rel
ease_notes.html

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/articles/11258.

5. Bugs fixed (https://bugzilla.redhat.com/):

1607150 - UI Timeout causing IE 11 to automatically log out
1625885 - CVE-2018-14632 atomic-openshift: oc patch with json causes masterapi service crash
1626281 - [3.9] fluentd pods are running with error logs which makes fill up disk very quickly.
1628371 - [3.9] Fluentd pods failed to start after an update to 3.9.41 when deny_execmem=1 on nodes
1628799 - [3.9] Fluentd pod crashes with "undefined symbol: rbffi_Closure_Alloc"
1629001 - openshift_hosted_manage_registry and openshift_hosted_manage_router are not respected upon upgrade
1631087 - Cannot see basic audit log
1632130 - [3.9] Fluentd cannot handle S2I Logs
1633767 - [3.9] Storage upgrade fails on loaded HA cluster:   the server doesn't have a resource type \"clusterservicebrokers\" and ERROR: logging before flag.Parse

6. Package List:

Red Hat OpenShift Container Platform 3.9:

Source:
atomic-openshift-3.9.51-1.git.0.dc3a40b.el7.src.rpm
atomic-openshift-web-console-3.9.51-1.git.268.c379530.el7.src.rpm
fluentd-0.12.43-3.el7.src.rpm
golang-github-prometheus-node_exporter-3.9.51-1.git.1060.2055e02.el7.src.rpm
openshift-ansible-3.9.51-1.git.0.c4968ca.el7.src.rpm
openshift-elasticsearch-plugin-2.4.4.23__redhat_1-3.el7.src.rpm
rubygem-fluent-plugin-kubernetes_metadata_filter-1.0.3-2.el7.src.rpm

noarch:
atomic-openshift-docker-excluder-3.9.51-1.git.0.dc3a40b.el7.noarch.rpm
atomic-openshift-excluder-3.9.51-1.git.0.dc3a40b.el7.noarch.rpm
atomic-openshift-utils-3.9.51-1.git.0.c4968ca.el7.noarch.rpm
fluentd-doc-0.12.43-3.el7.noarch.rpm
openshift-ansible-3.9.51-1.git.0.c4968ca.el7.noarch.rpm
openshift-ansible-docs-3.9.51-1.git.0.c4968ca.el7.noarch.rpm
openshift-ansible-playbooks-3.9.51-1.git.0.c4968ca.el7.noarch.rpm
openshift-ansible-roles-3.9.51-1.git.0.c4968ca.el7.noarch.rpm
openshift-elasticsearch-plugin-2.4.4.23__redhat_1-3.el7.noarch.rpm
rubygem-fluent-plugin-kubernetes_metadata_filter-1.0.3-2.el7.noarch.rpm
rubygem-fluent-plugin-kubernetes_metadata_filter-doc-1.0.3-2.el7.noarch.rpm

x86_64:
atomic-openshift-3.9.51-1.git.0.dc3a40b.el7.x86_64.rpm
atomic-openshift-clients-3.9.51-1.git.0.dc3a40b.el7.x86_64.rpm
atomic-openshift-clients-redistributable-3.9.51-1.git.0.dc3a40b.el7.x86_64.rpm
atomic-openshift-cluster-capacity-3.9.51-1.git.0.dc3a40b.el7.x86_64.rpm
atomic-openshift-dockerregistry-3.9.51-1.git.353.7685923.el7.x86_64.rpm
atomic-openshift-federation-services-3.9.51-1.git.0.dc3a40b.el7.x86_64.rpm
atomic-openshift-master-3.9.51-1.git.0.dc3a40b.el7.x86_64.rpm
atomic-openshift-node-3.9.51-1.git.0.dc3a40b.el7.x86_64.rpm
atomic-openshift-pod-3.9.51-1.git.0.dc3a40b.el7.x86_64.rpm
atomic-openshift-sdn-ovs-3.9.51-1.git.0.dc3a40b.el7.x86_64.rpm
atomic-openshift-service-catalog-3.9.51-1.git.0.dc3a40b.el7.x86_64.rpm
atomic-openshift-template-service-broker-3.9.51-1.git.0.dc3a40b.el7.x86_64.rpm
atomic-openshift-tests-3.9.51-1.git.0.dc3a40b.el7.x86_64.rpm
atomic-openshift-web-console-3.9.51-1.git.268.c379530.el7.x86_64.rpm
fluentd-0.12.43-3.el7.x86_64.rpm
fluentd-debuginfo-0.12.43-3.el7.x86_64.rpm
prometheus-node-exporter-3.9.51-1.git.1060.2055e02.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2018-14632
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2018 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBW/N7iNzjgjWX9erEAQhOLg/8CAQR8FexHTaitZBksQMd+DnXfm65oChz
kmu/uSECE6gBbhx4ayDqUeEQK6DAT9yOZlLUdeLPHe/VnuVuZ3qVhyCL7dh7vOvm
wmwYdboJ76XStT0pfzDexyMLDk5zfAf0Pg7QgPV2u6Vncnk6rpqPUqksGnCqP49r
6pxTeO8CB/e4CkZA7KyRUUcSOUWRuFZFcv4bg86bc/NleUtC/kxtocTzihujsNdr
P3XP7YZA+Pjay7D1KouqxeyYJOM2/7uovkwiZBDi7obx5v0ip+GNsSYkOarAOTqa
07dKkqCWm/ru3w1VcR6XknNLTl82OO2vPiZrlqzX4Fjlpk2QtTmwcRWhbaKjGfHt
1aQTpZGsLe0nF3Hear7ca7xR0wbEMow9FPOTQrT8vmE6XR7vTxtupB7dy86uuxVH
7oqGGQkQwNWCeAFQYYzFHlQxNINQx9kMs8FMh/xLmGm6BiD7hGYpYPTC4u3hCE0g
+KM3JElVn7XDN5j6nBZSxCenMGmVlJDvl6wFyTb82a7tl/wicKnujimnjqY2N8IX
DVHMuOYNNi98+1Dt9hrRJYH2HTzX/fhrPh5RGqfbwLL2glisA6z+axup5UhgWfaz
lVR8bI2JSOsF9AFwGBBO/8iENJE4WaZoWgaT12ciuxja0+u7Za1lBZ7oSTZNIW7f
MdspFHLyT20=
=O6BE
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBW/ST1maOgq3Tt24GAQiTtQ/+MTeTOd3n0mpZqzQJ/g+cYBtJ2kH6irw3
MXsVMX6rn2fG31Fyj6k+z6gq3PBoGvvN7y1tD0Nd9Tp/p86HpAFz9hltYMKc3tG5
RdkhbuC9EnOBeudX9PF8qnalgmhrNx/prTMU9KNKuZCrJ/5+K3SHunPID1b/5z81
grP9NGhiw6Py/K+UFmD3YCOPFiqhpQSylM7DcGMHC7QqyR97RlSwN0AaaQVNzj5f
ivFgUU5Gfkqe0d7WizPmvuK+gTkvdgVl+/xouDcSitiqQi3iraPAEFfcucsRJvI9
u5AyvuXtesCXzMtXfWZUX2gr+Co7M/zeJnEDceDHnL9kfFvAgiWM0vzfUeWeHgz6
0rr2IKl3iCn6CYVMyfAyQc7TppYCbXEzWxn6eefYweAlRINHoc4QfXL4TTznqxVD
EzC5K9+XlQDA33hK8WuhSRGPRG7Q+y3jmS5VLScirgb63JcewE5hHsqgMrjGpkN4
SvYZs2LQx4Clcc03MaLvn9aRsnPqQtvUQhFoMjUI+BF0TrSthPPTVoamjhaNIlwN
mYREuN17C0g0qy0jaVPXdXLsfkXaV6kktdY3g3xb3DPi73gSH84WPq4OYUWMgZU9
2tJxIgIexoxXEPsWHEzrZp9PWKmdOfLZL+W2nDWEHRvCkxyMgW20n2BAR7LRf06C
yJ7sovc0nQA=
=HUWT
-----END PGP SIGNATURE-----

« Back to bulletins