-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Important: ansible and openshift-ansible security and bug fix update
Advisory ID: RHSA-2017:1244-01
Product: Red Hat OpenShift Enterprise
Advisory URL: https://access.redhat.com/errata/RHSA-2017:1244
Issue date: 2017-05-17
CVE Names: CVE-2017-7466 CVE-2017-7481
=====================================================================
1. Summary:
Updated atomic-openshift-utils and openshift-ansible packages that fix two
security issues and several bugs are now available for OpenShift Container
Platform 3.5, 3.4, 3.3, and 3.2.
2. Relevant releases/architectures:
Red Hat OpenShift Container Platform 3.2 - noarch
Red Hat OpenShift Container Platform 3.3 - noarch
Red Hat OpenShift Container Platform 3.4 - noarch
Red Hat OpenShift Container Platform 3.5 - noarch
3. Description:
Red Hat OpenShift Container Platform is the company's cloud computing
Platform-as-a-Service (PaaS) solution designed for on-premise or private
cloud deployments.
Ansible is an SSH-based configuration management, deployment, and task
execution system. The openshift-ansible packages contain Ansible code and
playbooks for installing and upgrading OpenShift Container Platform 3.
Security Fix(es):
* An input validation vulnerability was found in Ansible's handling of data
sent from client systems. An attacker with control over a client system
being managed by Ansible, and the ability to send facts back to the Ansible
server, could use this flaw to execute arbitrary code on the Ansible server
using the Ansible server privileges. (CVE-2017-7466)
* Ansible fails to properly mark lookup() results as unsafe. If an attacker
can control the results of lookup() calls, they can inject unicode strings
which may then be parsed by the jinja2 templating system, resulting in code
execution. (CVE-2017-7481)
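As an added illustration (not code from the advisory or from Ansible itself) of the flaw class shared by CVE-2017-7466 and CVE-2017-7481, the toy templater below shows why data arriving from managed hosts (facts) or from lookup() calls must be tainted before templating: an untainted value that itself contains template syntax is expanded a second time, whereas a value wrapped in a marker type is emitted verbatim. The names UnsafeText, wrap_unsafe and render are hypothetical and only loosely modelled on Ansible's AnsibleUnsafeText wrapping; the variables and the lookup result are constructed.

```python
import re

# Matches one {{ name }} reference (constructed toy syntax, not real Jinja2).
REF_RE = re.compile(r"\{\{\s*(\w+)\s*\}\}")

class UnsafeText(str):
    """Marker type (hypothetical, loosely modelled on Ansible's
    AnsibleUnsafeText): data from outside the play, such as facts or
    lookup() results, that the templater must emit verbatim."""
    __UNSAFE__ = True

def wrap_unsafe(value):
    """Taint a value the way the fix does for lookup() results and facts."""
    return value if isinstance(value, UnsafeText) else UnsafeText(value)

def render(template, variables, _depth=0):
    """Expand {{ name }} references. A plain-str value that is itself a
    template is expanded again; that second expansion is the hazard."""
    if _depth > 4:          # guard against runaway recursion
        return template

    def substitute(match):
        value = variables.get(match.group(1), "")
        if isinstance(value, UnsafeText):
            return str(value)                     # tainted: emit literally
        return render(str(value), variables, _depth + 1)

    return REF_RE.sub(substitute, template)

# Constructed scenario: a lookup() result that contains template syntax
# referencing a variable the play never intended to expose.
VARS = {"vault_token": "hunter2-constructed"}
LOOKUP_RESULT = "{{ vault_token }}"

def render_untainted():
    """Pre-fix behaviour: the lookup result is templated a second time."""
    return render("token={{ result }}", {**VARS, "result": LOOKUP_RESULT})

def render_tainted():
    """Fixed behaviour: the wrapped lookup result is passed through as-is."""
    variables = {**VARS, "result": wrap_unsafe(LOOKUP_RESULT)}
    return render("token={{ result }}", variables)
```

The same wrapping is what the fixed Ansible applies to facts returned by managed hosts, which is why both CVEs are addressed by the tainting rather than by filtering particular strings.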
This update also fixes the following bugs:
* The installer could fail to add iptables rules if other iptables rules
were being updated at the same time. This bug fix updates the installer to
wait to obtain a lock when updating iptables rules, ensuring that rules are
properly created. (BZ#1445194, BZ#1445282)
* In multi-master environments, if `ansible_host` and `openshift_hostname`
values differ and Ansible sorts one of the lists differently from the
other, then the CA host may be the first master but it was still signing
the initial certificates with the host names of the first master. By
ensuring that the host names of the CA host are used when creating the
certificate authority, this bug fix ensures that the certificates are
signed with the correct host names. (BZ#1447399, BZ#1440309, BZ#1447398)
* Running Ansible via `batch` systems like the `nohup` command caused
Ansible to leak file descriptors and abort playbooks whenever the maximum
number of open file descriptors was reached. Ansible 2.2.3.0 includes a fix
for this problem, and OCP channels have been updated to include this
version. (BZ#1439277)
* The OCP 3.4 logging stack upgraded the schema to use the common standard
logging data model. However, some of the Elasticsearch and Kibana
configuration to use this schema was missing. This caused Kibana to show an
error message upon startup. This bug fix adds the correct Elasticsearch and
Kibana configuration to the logging stack, including during upgrade from
OCP 3.3 to 3.4, and from 3.4.x to 3.4.y. As a result, Kibana works
correctly with the new logging data schema. (BZ#1444106)
* Because the upgrade playbooks upgraded packages in a serial manner rather
than all at once, yum dependency resolution would have installed the latest
version available in the enabled repositories rather than the requested
version. This bug fix updates the playbooks to upgrade all packages to the
requested version at once, which prevents yum from potentially upgrading to
the latest version. (BZ#1391325, BZ#1449220, BZ#1449221)
* In an environment utilizing mixed containerized and RPM based
installation methods, the installer would fail to gather facts when a
master and node used different installation methods. This bug fix updates
the installer to ensure mixed installations work properly. (BZ#1408663)
* Previously, if `enable_excluders=false` was set the playbooks would still
install and upgrade the excluders during the config.yml playbook even if
the excluders were never previously installed. With this bug fix, if the
excluders were not previously installed, the playbooks will avoid
installing them. (BZ#1434679)
* Previously, the playbooks would abort if a namespace had non-ASCII
characters in its description. This bug fix updates the playbooks to
properly decode unicode characters, ensuring that upgrades to OCP 3.5 work
as expected. (BZ#1444806)
All OpenShift Container Platform users are advised to upgrade to these
updated packages.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
To apply this update, run the following on all hosts where you intend to
initiate Ansible-based installation or upgrade procedures:
# yum update atomic-openshift-utils
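Added example, not part of the advisory: a check that the packages installed on an Ansible control host are at or beyond the fixed builds for OCP 3.5 listed in section 6, using a simplified rpm version comparison over constructed `rpm -q` output. The function names and the sample output are assumptions.

```python
import re

# Fixed builds for OCP 3.5 from section 6 (other releases differ only in the openshift-ansible build).
FIXED_OCP_35 = {
    "ansible": ("2.2.3.0", "1.el7"),
    "atomic-openshift-utils": ("3.5.71", "1.git.0.128c2db.el7"),
}

def _segments(s):
    """Split into the alphanumeric runs that rpmvercmp compares."""
    return re.findall(r"\d+|[A-Za-z]+", s)

def rpmvercmp(a, b):
    """Simplified rpm version comparison returning -1, 0 or 1: numeric runs
    compare as integers and outrank alphabetic runs (no ~ or ^ handling)."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def parse_nvra(line):
    """'name-version-release.arch' -> (name, version, release)."""
    nvr = line.strip().rsplit(".", 1)[0]          # drop the .noarch suffix
    name, version, release = nvr.rsplit("-", 2)   # name itself may contain '-'
    return name, version, release

def is_fixed(line, fixed=FIXED_OCP_35):
    """True/False for packages the advisory covers, None for any other."""
    name, version, release = parse_nvra(line)
    if name not in fixed:
        return None
    fixed_version, fixed_release = fixed[name]
    cmp = rpmvercmp(version, fixed_version) or rpmvercmp(release, fixed_release)
    return cmp >= 0

# Constructed sample of `rpm -q ansible atomic-openshift-utils` output (one stale build).
SAMPLE_RPM_Q = """\
ansible-2.2.3.0-1.el7.noarch
atomic-openshift-utils-3.5.67-1.git.0.14a2a6f.el7.noarch
"""

def audit(rpm_q_output=SAMPLE_RPM_Q):
    return {parse_nvra(l)[0]: is_fixed(l) for l in rpm_q_output.splitlines() if l}
```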
This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1391325 - [3.5] openshift_pkg_version doesn't seem to work
1408663 - [3.4] facts collection for openshift.common.admin_binary does not seem to work in mixed environments
1418032 - [3.2] Update router and registry certificates in the redeploy-certificates.yml
1422541 - [3.5] [quick installer]Installer get stuck at "Gathering information from hosts..." if bad hostname checked
1434679 - [3.5] openshift-ansible should do nothing to existed excluders when set "enable_excluders=false"
1439212 - CVE-2017-7466 ansible: Arbitrary code execution on control node (incomplete fix for CVE-2016-9587)
1439277 - Ansible Install is unable to complete install due to module losing issues.
1440309 - [3.4] Post-install, master certs signed for wrong name
1444106 - [3.4 Backport] openshift users encountered confirmation "Apply these filters?" when switching between index list populated in the left panel on kibana
1444806 - [3.5] Unable to run upgrade playbook
1445194 - [3.4] Installer fails to add/check iptables rule due to lock on xtables
1445282 - [3.3] Installer fails to add/check iptables rule due to lock on xtables
1446741 - [3.4] Redeploy certificates fails with custom openshift_hosted_router_certificate
1446745 - [3.3] Redeploy certificates fails with custom openshift_hosted_router_certificate
1447398 - [3.3] Post-install, master certs signed for wrong name
1447399 - [3.5] Post-install, master certs signed for wrong name
1448842 - Installing Openshift Container Platform 3.5 returns an error on Play 11/28 (Disable excluders)
1449220 - [3.4] openshift_pkg_version doesn't seem to work
1449221 - [3.3] openshift_pkg_version doesn't seem to work
1450018 - CVE-2017-7481 ansible: Security issue with lookup return not tainting the jinja2 environment
1450412 - [3.4] Installing containerized using the 3.4 playbooks may install other versions
1450415 - [3.3] Installing containerized using the 3.3 playbooks may install other versions
6. Package List:
Red Hat OpenShift Container Platform 3.2:
Source:
ansible-2.2.3.0-1.el7.src.rpm
openshift-ansible-3.2.56-1.git.0.b844ab7.el7.src.rpm
noarch:
ansible-2.2.3.0-1.el7.noarch.rpm
atomic-openshift-utils-3.2.56-1.git.0.b844ab7.el7.noarch.rpm
openshift-ansible-3.2.56-1.git.0.b844ab7.el7.noarch.rpm
openshift-ansible-docs-3.2.56-1.git.0.b844ab7.el7.noarch.rpm
openshift-ansible-filter-plugins-3.2.56-1.git.0.b844ab7.el7.noarch.rpm
openshift-ansible-lookup-plugins-3.2.56-1.git.0.b844ab7.el7.noarch.rpm
openshift-ansible-playbooks-3.2.56-1.git.0.b844ab7.el7.noarch.rpm
openshift-ansible-roles-3.2.56-1.git.0.b844ab7.el7.noarch.rpm
Red Hat OpenShift Container Platform 3.3:
Source:
ansible-2.2.3.0-1.el7.src.rpm
openshift-ansible-3.3.82-1.git.0.af0c922.el7.src.rpm
noarch:
ansible-2.2.3.0-1.el7.noarch.rpm
atomic-openshift-utils-3.3.82-1.git.0.af0c922.el7.noarch.rpm
openshift-ansible-3.3.82-1.git.0.af0c922.el7.noarch.rpm
openshift-ansible-callback-plugins-3.3.82-1.git.0.af0c922.el7.noarch.rpm
openshift-ansible-docs-3.3.82-1.git.0.af0c922.el7.noarch.rpm
openshift-ansible-filter-plugins-3.3.82-1.git.0.af0c922.el7.noarch.rpm
openshift-ansible-lookup-plugins-3.3.82-1.git.0.af0c922.el7.noarch.rpm
openshift-ansible-playbooks-3.3.82-1.git.0.af0c922.el7.noarch.rpm
openshift-ansible-roles-3.3.82-1.git.0.af0c922.el7.noarch.rpm
Red Hat OpenShift Container Platform 3.4:
Source:
ansible-2.2.3.0-1.el7.src.rpm
openshift-ansible-3.4.89-1.git.0.ac29ce8.el7.src.rpm
noarch:
ansible-2.2.3.0-1.el7.noarch.rpm
atomic-openshift-utils-3.4.89-1.git.0.ac29ce8.el7.noarch.rpm
openshift-ansible-3.4.89-1.git.0.ac29ce8.el7.noarch.rpm
openshift-ansible-callback-plugins-3.4.89-1.git.0.ac29ce8.el7.noarch.rpm
openshift-ansible-docs-3.4.89-1.git.0.ac29ce8.el7.noarch.rpm
openshift-ansible-filter-plugins-3.4.89-1.git.0.ac29ce8.el7.noarch.rpm
openshift-ansible-lookup-plugins-3.4.89-1.git.0.ac29ce8.el7.noarch.rpm
openshift-ansible-playbooks-3.4.89-1.git.0.ac29ce8.el7.noarch.rpm
openshift-ansible-roles-3.4.89-1.git.0.ac29ce8.el7.noarch.rpm
Red Hat OpenShift Container Platform 3.5:
Source:
ansible-2.2.3.0-1.el7.src.rpm
openshift-ansible-3.5.71-1.git.0.128c2db.el7.src.rpm
noarch:
ansible-2.2.3.0-1.el7.noarch.rpm
atomic-openshift-utils-3.5.71-1.git.0.128c2db.el7.noarch.rpm
openshift-ansible-3.5.71-1.git.0.128c2db.el7.noarch.rpm
openshift-ansible-callback-plugins-3.5.71-1.git.0.128c2db.el7.noarch.rpm
openshift-ansible-docs-3.5.71-1.git.0.128c2db.el7.noarch.rpm
openshift-ansible-filter-plugins-3.5.71-1.git.0.128c2db.el7.noarch.rpm
openshift-ansible-lookup-plugins-3.5.71-1.git.0.128c2db.el7.noarch.rpm
openshift-ansible-playbooks-3.5.71-1.git.0.128c2db.el7.noarch.rpm
openshift-ansible-roles-3.5.71-1.git.0.128c2db.el7.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2017-7466
https://access.redhat.com/security/cve/CVE-2017-7481
https://access.redhat.com/security/updates/classification/#important
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2017 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFZHIsFXlSAg2UNWIIRAuB1AJ9F/QzE7KWxmeObPZ4D1cr+b+kEDACghefR
WrXYiGid1xP2VEDz+gniRjk=
=Z/cV
-----END PGP SIGNATURE-----
--
Enterprise-watch-list mailing list
Enterprise-watch-list@redhat.com
https://www.redhat.com/mailman/listinfo/enterprise-watch-list