National CERT

Security vulnerability in the OpenShift Enterprise software package

<p>-----BEGIN PGP SIGNED MESSAGE-----<br />
Hash: SHA1<br />
<br />
=====================================================================<br />
 Red Hat Security Advisory<br />
<br />
Synopsis: Moderate: Red Hat OpenShift Enterprise security, bug fix, and enhancement update<br />
Advisory ID: RHSA-2017:3389-01<br />
Product: Red Hat OpenShift Enterprise<br />
Advisory URL: https://access.redhat.com/errata/RHSA-2017:3389<br />
Issue date: 2017-12-07<br />
CVE Names: CVE-2017-12195<br />
=====================================================================<br />
<br />
1. Summary:<br />
<br />
An update is now available for Red Hat OpenShift Container Platform 3.4,<br />
Red Hat OpenShift Container Platform 3.5, and Red Hat OpenShift Container<br />
Platform 3.6.<br />
<br />
Red Hat Product Security has rated this update as having a security impact<br />
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which<br />
gives a detailed severity rating, is available for each vulnerability from<br />
the CVE link(s) in the References section.<br />
<br />
2. Relevant releases/architectures:<br />
<br />
Red Hat OpenShift Container Platform 3.4 - noarch, x86_64<br />
Red Hat OpenShift Container Platform 3.5 - noarch, x86_64<br />
Red Hat OpenShift Container Platform 3.6 - noarch, x86_64<br />
<br />
3. Description:<br />
<br />
OpenShift Enterprise by Red Hat is the company's cloud computing<br />
Platform-as-a-Service (PaaS) solution designed for on-premise or private<br />
cloud deployments.<br />
<br />
This advisory contains the RPM packages for this release. An advisory for<br />
the container images for this release is available at:<br />
https://access.redhat.com/errata/RHBA-2017:3390.<br />
<br />
Space precludes documenting all of the bug fixes and enhancements in this<br />
advisory. See the following Release Notes documentation, which will be<br />
updated shortly for this release, for details about these changes:<br />
<br />
https://docs.openshift.com/container-platform/3.6/release_notes/ocp_3_6_...<br />
ease_notes.html<br />
<br />
https://docs.openshift.com/container-platform/3.5/release_notes/ocp_3_5_...<br />
ease_notes.html<br />
<br />
https://docs.openshift.com/container-platform/3.4/release_notes/ocp_3_4_...<br />
ease_notes.html<br />
<br />
All OpenShift Container Platform 3 users are advised to upgrade to these<br />
updated packages and images.<br />
<br />
Security Fix(es):<br />
<br />
* An attacker with knowledge of the given name used to authenticate and<br />
access Elasticsearch can later access it without the token, bypassing<br />
authentication. This attack also requires that the Elasticsearch be<br />
configured with an external route, and the data accessed is limited to the<br />
indices. (CVE-2017-12195)<br />
<br />
This issue was discovered by Rich Megginson (Red Hat).<br />
<br />
4. Solution:<br />
<br />
For details on how to apply this update, which includes the changes<br />
described in this advisory, refer to:<br />
<br />
https://access.redhat.com/articles/11258<br />
<br />
5. Bugs fixed (https://bugzilla.redhat.com/):<br />
<br />
1399240 - pod age is shown invalid by oc client<br />
1434942 - Symbolic link error for log file of every pod started when docker log driver is journald<br />
1441089 - oc get/describe could not work when using 3.5 client to login 3.6 server<br />
1457042 - Unable to pull through to registry.access.redhat.com<br />
1458186 - Hawkular metrics rest api responding sporadically<br />
1465532 - Heapster fails to push to Hawkular-Metrics sink starting around 4K pods in 3.6<br />
1471251 - 3.4.1 White spaces in the cert prevents Origin Metrics from starting<br />
1476026 - Service Catalog issues repeated Deprovision requests against the broker, despite a 410 response<br />
1479955 - Container ose-sti-builder is marked as deprecated<br />
1481550 - [3.5]'oadm diagnostics NetworkCheck' timeout due to image 'openshift/diagnostics-deployer' pull failed<br />
1489023 - [3.4 Backport] Can not start atomic-openshift-node if the system does not have a default route<br />
1489024 - [3.5 Backport] Can not start atomic-openshift-node if the system does not have a default route<br />
1490719 - Enabled ops cluser,log in kibana-ops UI, there is no log entry under .all index, log entries only could be shown under .operations.* index<br />
1492194 - [3.5] Node affinity alpha feature can cause scheduling failures across the cluster.<br />
1493213 - Builds fail with "authentication required" after upgrade<br />
1494239 - Fluentd unable to write to Elastic Search when LDAP distinguished names are used as usernames<br />
1495540 - [3.6] oc adm router --expose-metrics fails by default<br />
1496232 - "Run mount in its own systemd scope" commit breaks 3.4 build<br />
1497042 - Unable to mount dynamically provisioned persistant volumes using vSphere<br />
1497836 - default fluentd elasticsearch plugin request timeout too short by default, leads to potential log loss and stalled log flow<br />
1498635 - Openshift allows mounting RWO volumes in multiple nodes<br />
1499176 - [3.4] Deleted in use PVCs can break the scheduler<br />
1499635 - [3.4]Metrics diagrams only could be displayed for openshift-infra project in web console<br />
1499813 - Fluentd configuration file is not right on non-ops cluster<br />
1500364 - mariadb, postgresql, mysql, and mediawiki APBs should use rhcc images<br />
1500464 - 3.5.1 White spaces in the cert prevents Origin Metrics from starting<br />
1500471 - 3.6.1 White spaces in the cert prevents Origin Metrics from starting<br />
1500513 - The extensions/v1beta1 API is not updated on old successful Jobs<br />
1500644 - [3.5]Metrics diagrams only could be displayed for openshift-infra project in web console<br />
1501517 - [ocp-3.6] Reduce iptables refreshes<br />
1501948 - [3.5] default fluentd elasticsearch plugin request timeout too short by default, leads to potential log loss and stalled log flow<br />
1501960 - Remove the use of CPU limits by default<br />
1501986 - CVE-2017-12195 OpenShift Enterprise 3: authentication bypass for elasticsearch with external routes<br />
1502789 - Pod running but logs say volume not attached<br />
1503265 - Bundled Netty dependencies have incorrect version<br />
1503563 - Logging upgrade from 3.5 to 3.6 fails with "Exception in thread "main" java.lang.IllegalArgumentException: Unknown Discovery type [kubernetes]"<br />
1505683 - fluentd pods failed to start up,"Unknown filter plugin 'record_modifier' in fluentd pods log<br />
1505898 - [3.6] oadm diagnostics NetworkCheck' timeout due to image 'openshift/diagnostics-deployer' pull failed<br />
1505900 - [3.6] oc adm diagnostics gets stuck in disconnected environment<br />
1506854 - default fluentd elasticsearch plugin request timeout too short by default, leads to potential log loss and stalled log flow<br />
<br />
6. Package List:<br />
<br />
Red Hat OpenShift Container Platform 3.4:<br />
<br />
Source:<br />
atomic-openshift-3.4.1.44.38-1.git.0.d04b8d5.el7.src.rpm<br />
cockpit-155-1.el7.src.rpm<br />
openshift-elasticsearch-plugin-2.4.1.11__redhat_1-3.el7.src.rpm<br />
<br />
noarch:<br />
atomic-openshift-docker-excluder-3.4.1.44.38-1.git.0.d04b8d5.el7.noarch.rpm<br />
atomic-openshift-excluder-3.4.1.44.38-1.git.0.d04b8d5.el7.noarch.rpm<br />
openshift-elasticsearch-plugin-2.4.1.11__redhat_1-3.el7.noarch.rpm<br />
<br />
x86_64:<br />
atomic-openshift-3.4.1.44.38-1.git.0.d04b8d5.el7.x86_64.rpm<br />
atomic-openshift-clients-3.4.1.44.38-1.git.0.d04b8d5.el7.x86_64.rpm<br />
atomic-openshift-clients-redistributable-3.4.1.44.38-1.git.0.d04b8d5.el7.x86_64.rpm<br />
atomic-openshift-dockerregistry-3.4.1.44.38-1.git.0.d04b8d5.el7.x86_64.rpm<br />
atomic-openshift-master-3.4.1.44.38-1.git.0.d04b8d5.el7.x86_64.rpm<br />
atomic-openshift-node-3.4.1.44.38-1.git.0.d04b8d5.el7.x86_64.rpm<br />
atomic-openshift-pod-3.4.1.44.38-1.git.0.d04b8d5.el7.x86_64.rpm<br />
atomic-openshift-sdn-ovs-3.4.1.44.38-1.git.0.d04b8d5.el7.x86_64.rpm<br />
atomic-openshift-tests-3.4.1.44.38-1.git.0.d04b8d5.el7.x86_64.rpm<br />
cockpit-debuginfo-155-1.el7.x86_64.rpm<br />
cockpit-kubernetes-155-1.el7.x86_64.rpm<br />
tuned-profiles-atomic-openshift-node-3.4.1.44.38-1.git.0.d04b8d5.el7.x86_64.rpm<br />
<br />
Red Hat OpenShift Container Platform 3.5:<br />
<br />
Source:<br />
atomic-openshift-3.5.5.31.47-1.git.0.25d535c.el7.src.rpm<br />
cockpit-155-1.el7.src.rpm<br />
openshift-elasticsearch-plugin-2.4.4.17__redhat_1-3.el7.src.rpm<br />
<br />
noarch:<br />
atomic-openshift-docker-excluder-3.5.5.31.47-1.git.0.25d535c.el7.noarch.rpm<br />
atomic-openshift-excluder-3.5.5.31.47-1.git.0.25d535c.el7.noarch.rpm<br />
openshift-elasticsearch-plugin-2.4.4.17__redhat_1-3.el7.noarch.rpm<br />
<br />
x86_64:<br />
atomic-openshift-3.5.5.31.47-1.git.0.25d535c.el7.x86_64.rpm<br />
atomic-openshift-clients-3.5.5.31.47-1.git.0.25d535c.el7.x86_64.rpm<br />
atomic-openshift-clients-redistributable-3.5.5.31.47-1.git.0.25d535c.el7.x86_64.rpm<br />
atomic-openshift-dockerregistry-3.5.5.31.47-1.git.0.25d535c.el7.x86_64.rpm<br />
atomic-openshift-master-3.5.5.31.47-1.git.0.25d535c.el7.x86_64.rpm<br />
atomic-openshift-node-3.5.5.31.47-1.git.0.25d535c.el7.x86_64.rpm<br />
atomic-openshift-pod-3.5.5.31.47-1.git.0.25d535c.el7.x86_64.rpm<br />
atomic-openshift-sdn-ovs-3.5.5.31.47-1.git.0.25d535c.el7.x86_64.rpm<br />
atomic-openshift-tests-3.5.5.31.47-1.git.0.25d535c.el7.x86_64.rpm<br />
cockpit-debuginfo-155-1.el7.x86_64.rpm<br />
cockpit-kubernetes-155-1.el7.x86_64.rpm<br />
tuned-profiles-atomic-openshift-node-3.5.5.31.47-1.git.0.25d535c.el7.x86_64.rpm<br />
<br />
Red Hat OpenShift Container Platform 3.6:<br />
<br />
Source:<br />
atomic-openshift-3.6.173.0.63-1.git.0.855ea8b.el7.src.rpm<br />
cockpit-155-1.el7.src.rpm<br />
openshift-elasticsearch-plugin-2.4.4.17__redhat_1-3.el7.src.rpm<br />
<br />
noarch:<br />
atomic-openshift-docker-excluder-3.6.173.0.63-1.git.0.855ea8b.el7.noarch.rpm<br />
atomic-openshift-excluder-3.6.173.0.63-1.git.0.855ea8b.el7.noarch.rpm<br />
openshift-elasticsearch-plugin-2.4.4.17__redhat_1-3.el7.noarch.rpm<br />
<br />
x86_64:<br />
atomic-openshift-3.6.173.0.63-1.git.0.855ea8b.el7.x86_64.rpm<br />
atomic-openshift-clients-3.6.173.0.63-1.git.0.855ea8b.el7.x86_64.rpm<br />
atomic-openshift-clients-redistributable-3.6.173.0.63-1.git.0.855ea8b.el7.x86_64.rpm<br />
atomic-openshift-cluster-capacity-3.6.173.0.63-1.git.0.855ea8b.el7.x86_64.rpm<br />
atomic-openshift-dockerregistry-3.6.173.0.63-1.git.0.855ea8b.el7.x86_64.rpm<br />
atomic-openshift-federation-services-3.6.173.0.63-1.git.0.855ea8b.el7.x86_64.rpm<br />
atomic-openshift-master-3.6.173.0.63-1.git.0.855ea8b.el7.x86_64.rpm<br />
atomic-openshift-node-3.6.173.0.63-1.git.0.855ea8b.el7.x86_64.rpm<br />
atomic-openshift-pod-3.6.173.0.63-1.git.0.855ea8b.el7.x86_64.rpm<br />
atomic-openshift-sdn-ovs-3.6.173.0.63-1.git.0.855ea8b.el7.x86_64.rpm<br />
atomic-openshift-service-catalog-3.6.173.0.63-1.git.0.855ea8b.el7.x86_64.rpm<br />
atomic-openshift-tests-3.6.173.0.63-1.git.0.855ea8b.el7.x86_64.rpm<br />
cockpit-debuginfo-155-1.el7.x86_64.rpm<br />
cockpit-kubernetes-155-1.el7.x86_64.rpm<br />
tuned-profiles-atomic-openshift-node-3.6.173.0.63-1.git.0.855ea8b.el7.x86_64.rpm<br />
<br />
These packages are GPG signed by Red Hat for security. Our key and<br />
details on how to verify the signature are available from<br />
https://access.redhat.com/security/team/key/<br />
<br />
7. References:<br />
<br />
https://access.redhat.com/security/cve/CVE-2017-12195<br />
https://access.redhat.com/security/updates/classification/#moderate<br />
<br />
8. Contact:<br />
<br />
The Red Hat security contact is &lt;secalert@redhat.com&gt;. More contact<br />
details at https://access.redhat.com/security/team/contact/<br />
<br />
Copyright 2017 Red Hat, Inc.<br />
-----BEGIN PGP SIGNATURE-----<br />
Version: GnuPG v1<br />
<br />
iD8DBQFaKOk1XlSAg2UNWIIRAmaNAKCH1p1GgMUPywm7UwWsLR+ML5cZ2QCdFOMh<br />
16iZ/jgy+rILRVlGeSq2A5c=<br />
=oOgT<br />
-----END PGP SIGNATURE-----<br />
<br />
--<br />
RHSA-announce mailing list<br />
RHSA-announce@redhat.com<br />
https://www.redhat.com/mailman/listinfo/rhsa-announce</p>
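The advisory's solution section points to Red Hat's generic update instructions; the check an operator usually wants afterwards is whether each host actually carries the fixed packages. The script below is an added example, not Red Hat's or the advisory's own code. It compares `rpm -q` output for the two packages that carry the fix (`atomic-openshift` and `openshift-elasticsearch-plugin`) against the version-release strings copied from the Package List above, using a simplified reimplementation of RPM's version comparison (the `~` and `^` rules of the real rpmvercmp are omitted, which does not affect these version strings). The embedded `rpm -q` lines are constructed sample data with a placeholder git hash; the function and variable names are this example's own.

```python
"""Check installed OpenShift 3.x RPMs against the fixed versions in RHSA-2017:3389.

Added example; not part of the advisory. FIXED is copied from the advisory's
Package List; SAMPLE_RPM_OUTPUT is constructed (the git hash is a placeholder).
"""
import re
import subprocess

# Fixed version-release per OCP minor, from the advisory's Package List.
FIXED = {
    "3.4": {
        "atomic-openshift": "3.4.1.44.38-1.git.0.d04b8d5.el7",
        "openshift-elasticsearch-plugin": "2.4.1.11__redhat_1-3.el7",
    },
    "3.5": {
        "atomic-openshift": "3.5.5.31.47-1.git.0.25d535c.el7",
        "openshift-elasticsearch-plugin": "2.4.4.17__redhat_1-3.el7",
    },
    "3.6": {
        "atomic-openshift": "3.6.173.0.63-1.git.0.855ea8b.el7",
        "openshift-elasticsearch-plugin": "2.4.4.17__redhat_1-3.el7",
    },
}

# Constructed output of:
#   rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' atomic-openshift openshift-elasticsearch-plugin
# on a 3.6 host whose atomic-openshift package predates this advisory.
SAMPLE_RPM_OUTPUT = [
    "atomic-openshift 3.6.173.0.49-1.git.0.0000000.el7",
    "openshift-elasticsearch-plugin 2.4.4.17__redhat_1-3.el7",
]

_SEG = re.compile(r"[0-9]+|[a-zA-Z]+")


def _segcmp(a, b):
    """Compare two version strings segment by segment, the way rpmvercmp does
    (simplified: no '~' or '^' handling). Returns -1, 0 or 1."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:                      # both numeric: compare as integers
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif xd != yd:                     # numeric segment sorts after alpha
            return 1 if xd else -1
        elif x != y:                       # both alpha: plain string order
            return -1 if x < y else 1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def rpm_vercmp(vr_a, vr_b):
    """Compare two 'version-release' strings; release decides ties in version."""
    va, ra = vr_a.rsplit("-", 1)
    vb, rb = vr_b.rsplit("-", 1)
    c = _segcmp(va, vb)
    return c if c else _segcmp(ra, rb)


def ocp_minor_of(atomic_openshift_vr):
    """Derive the OCP minor ('3.4', '3.5', '3.6') from the atomic-openshift version."""
    version = atomic_openshift_vr.split("-", 1)[0]
    return ".".join(version.split(".")[:2])


def check_packages(rpm_lines, ocp_minor):
    """Return {name: (installed_vr, fixed_vr, ok)} for the packages this advisory fixes.
    A package that is missing counts as not ok (the fix cannot be present)."""
    installed = {}
    for line in rpm_lines:
        line = line.strip()
        if not line or line.startswith("package "):   # 'package X is not installed'
            continue
        name, vr = line.split(None, 1)
        installed[name] = vr
    result = {}
    for name, fixed in FIXED[ocp_minor].items():
        have = installed.get(name)
        ok = have is not None and rpm_vercmp(have, fixed) >= 0
        result[name] = (have, fixed, ok)
    return result


if __name__ == "__main__":
    try:
        out = subprocess.run(
            ["rpm", "-q", "--qf", "%{NAME} %{VERSION}-%{RELEASE}\n",
             "atomic-openshift", "openshift-elasticsearch-plugin"],
            capture_output=True, text=True, check=False).stdout.splitlines()
    except FileNotFoundError:             # not an RPM host: fall back to the sample
        out = SAMPLE_RPM_OUTPUT
    minor = ocp_minor_of(next(l.split()[1] for l in out if l.startswith("atomic-openshift ")))
    for name, (have, fixed, ok) in check_packages(out, minor).items():
        print(f"{'OK ' if ok else 'VULN'} {name}: installed={have} fixed={fixed}")
```

Run it on each master and infra node; a `VULN` line for `openshift-elasticsearch-plugin` on a host where Elasticsearch is exposed through an external route is the condition the advisory's security fix addresses. The `rpm -q` fields used here are the standard `%{NAME}`, `%{VERSION}` and `%{RELEASE}` query tags.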
A security vulnerability has been discovered in the OpenShift Enterprise software package for the Red Hat operating system. The discovered vulnerability allows potential attackers to bypass security restrictions. Updating with the released patches is advised.