-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: OpenShift Container Platform 3.9 security, bug fix, and enhancement update
Advisory ID:       RHSA-2018:2013-01
Product:           Red Hat OpenShift Enterprise
Advisory URL:      https://access.redhat.com/errata/RHSA-2018:2013
Issue date:        2018-06-27
CVE Names:         CVE-2018-1070 CVE-2018-1085 CVE-2018-10843 
=====================================================================

1. Summary:

Red Hat OpenShift Container Platform release 3.9.31 is now available with
updates to packages and images that address security issues, fix several
bugs, and add enhancements.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenShift Container Platform 3.9 - noarch, x86_64

3. Description:

Red Hat OpenShift Container Platform is the company's cloud computing
Platform-as-a-Service (PaaS) solution designed for on-premise or private
cloud deployments.

This advisory contains the RPM packages for Red Hat OpenShift Container
Platform 3.9.31. See the following advisory for the container images for
this release:

https://access.redhat.com/errata/RHBA-2018:2014

Security Fix(es):

* routing: Malicious Service configuration can bring down routing for an
entire shard (CVE-2018-1070)

* openshift-ansible: Incorrectly quoted values in etcd.conf causes
disabling of SSL client certificate authentication (CVE-2018-1085)

* source-to-image: Builder images with assembler-user LABEL set to root
allows attackers to execute arbitrary code (CVE-2018-10843)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Red Hat would like to thank David Hocky (Comcast) for reporting
CVE-2018-1085. The CVE-2018-1070 issue was discovered by Mark Chappell (Red
Hat) and the CVE-2018-10843 issue was discovered by Jeremy Choi (Red Hat).

Space precludes documenting all of the bug fixes and enhancements in this
advisory. See the following Release Notes documentation, which will be
updated shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/3.9/release_notes/ocp_3_9_rel
ease_notes.html

All OpenShift Container Platform 3.9 users are advised to upgrade to these
updated packages and images.

4. Solution:

For OpenShift Container Platform 3.9 see the following documentation, which
will be updated shortly for release 3.9.31, for important instructions on
how to upgrade your cluster and fully apply this asynchronous errata
update:

https://docs.openshift.com/container-platform/3.9/release_notes/ocp_3_9_rel
ease_notes.html

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/articles/11258.

5. Bugs fixed (https://bugzilla.redhat.com/):

1466390 - [RFE] add selector option to oadm drain
1498398 - Incomplete default configuration for secure-forward
1506175 - Should not meet "lookup failed" and "incorrect username or password" when new-app with public image in project having fake docker secret
1507429 - [tsb]Some error message shown when describe serviceinstance
1512042 - Local Registry Adapter should not display APBs that can't be deployed from a namespace other than 'openshift'
1525642 - immortal namespace are not immortal (as we claim them to be)
1529575 - [3.9] Updating etcd does not update the etcd config with new variables
1531096 - Prometheus fills up entire storage space
1534311 - [3.8]apiserver pod of service catalog in CrashLoopBackOff status after upgrading to v3.8
1534894 - apb preprare -f fail with error
1537872 - Azure need set virt_use_samba
1538215 - [DOCKER] Eviction manager erros in node logs
1539252 - Failed to push image to OCP internal image registry on EC2
1539310 - ASB bootstrap fail while using file authenticate type since failed to read registry credentials from file
1539529 - `oc apply --force` will delete resource when failing to apply
1539757 - async unbind returns 200 instead of 202
1540819 - Failed to unbind after deleting templateinstance with servicebinding existing
1541212 - prometheus fails compaction
1541350 - Namespace goes in "terminating" state due to unprovisioned ServiceInstance
1542387 - Unable to retrieve image names from rhcc(stage) registry
1542460 - When jenkins in one project and pipeline in other project. View log link points to wrong URL.
1546097 - Master controllers are using high amount of CPU after upgrade to 3.7
1546324 - Manifest does not match provided manifest digest
1546936 - Setting up of prometheus using ansible fails
1548677 - Upgrade failed due to ovs2.9 can not start while selinux-policy was not updated
1549060 - Should be correct 'openshift' link on about page
1549454 - Etcd scale-up failed when running as system container on RHEL
1550193 - openshift jenkins rhel image release to release migration not working
1550316 - Synchronize openvswitch 2.9 to mirror fastdatapath repo
1550385 - Update *sql-apb plan or version failed in 'behind proxy' env
1550591 - Mirror openshift3/prometheus-node-exporter  on external mirror
1553012 - Duplicated node-labels in node-config.yaml while enabling cri-o
1553035 - CVE-2018-1070 Routing: Malicous Service configuration can bring down routing for an entire shard.
1553294 - [3.9] various auto-egress IP problems
1554141 - Unable to delete serviceinstance
1554145 - [apb] Newer version of APB tool fails with `apb remove` on a 3.7 version of broker
1554239 - [ASB] Delete project failed even if provision serviceinstances success
1557040 - Missing v.3.9 openshift3/metrics-cassandra metrics-hawkular-metrics and metrics-heapster images from registry.reg-aws.openshift.com
1557822 - CVE-2018-1085 openshift-ansible: Incorrectly quoted values in etcd.conf causes disabling of SSL client certificate authentication
1558183 - [starter-ca-central-1] builds in pending state indefinitely
1558997 - Issue when deploying Jenkins instances which have routes on various sharded routers
1560311 - [3.9] oc adm migrate storage produces error as signature annotations forbidden
1563150 - openshift3/ose image contains centos repository for RHEL7 based image
1563673 - [RFE] Add timeout when draining a node for update
1566238 - upgrade from v3.7 to v3.9 fails with openshift-ansible-3.9.20-1.git.0.f99fb43.el7
1568815 - Service Catalog does not refresh ClusterServicePlan after removing from catalog
1569030 - OpenShift Container Platform 3.9.z APB image refresh
1570065 - Ansible Service Broker fails to deploy due to missing namespace argument
1570581 - There is wrong version of atomic-openshift-web-console rpm within web-console image
1571601 - [3.9] Certificate expiry playbook couldn't work
1571944 - Stack trace from github.com/openshift/origin/pkg/image/trigger/deploymentconfigs.calculateDeploymentConfigTrigger
1572786 - [3.9] RFE - Need a way to upgrade OS during upgrade
1579096 - CVE-2018-10843 source-to-image: Builder images with assembler-user LABEL set to root allows attackers to execute arbitrary code
1580538 - Unable to disallow project creation from system:authentcated users after upgrade to 3.9
1583895 - [APB] mysql-apb update from 5.6 to 5.7 failed
1585243 - [3.9] Entire cluster goes to NotReady using a NetworkPolicy that contains an ingress ipBlock section
1586076 - API server crashes when using old format of webhook triggers in build Configs
1588009 - Deploying logging on a system where /tmp mounted with noexec option fails
1588768 - [3.9] Unqualified image is completed with "docker.io"

6. Package List:

Red Hat OpenShift Container Platform 3.9:

Source:
atomic-openshift-3.9.31-1.git.0.ef9737b.el7.src.rpm
atomic-openshift-descheduler-3.9.13-1.git.267.bb59a3f.el7.src.rpm
atomic-openshift-node-problem-detector-3.9.13-1.git.167.5d6b0d4.el7.src.rpm
atomic-openshift-web-console-3.9.31-1.git.246.bded6a4.el7.src.rpm
golang-github-prometheus-node_exporter-3.9.31-1.git.890.a55de06.el7.src.rpm
mysql-apb-role-1.1.11-1.el7.src.rpm
openshift-ansible-3.9.31-1.git.34.154617d.el7.src.rpm

noarch:
atomic-openshift-docker-excluder-3.9.31-1.git.0.ef9737b.el7.noarch.rpm
atomic-openshift-excluder-3.9.31-1.git.0.ef9737b.el7.noarch.rpm
atomic-openshift-utils-3.9.31-1.git.34.154617d.el7.noarch.rpm
mysql-apb-role-1.1.11-1.el7.noarch.rpm
openshift-ansible-3.9.31-1.git.34.154617d.el7.noarch.rpm
openshift-ansible-docs-3.9.31-1.git.34.154617d.el7.noarch.rpm
openshift-ansible-playbooks-3.9.31-1.git.34.154617d.el7.noarch.rpm
openshift-ansible-roles-3.9.31-1.git.34.154617d.el7.noarch.rpm

x86_64:
atomic-openshift-3.9.31-1.git.0.ef9737b.el7.x86_64.rpm
atomic-openshift-clients-3.9.31-1.git.0.ef9737b.el7.x86_64.rpm
atomic-openshift-clients-redistributable-3.9.31-1.git.0.ef9737b.el7.x86_64.rpm
atomic-openshift-cluster-capacity-3.9.31-1.git.0.ef9737b.el7.x86_64.rpm
atomic-openshift-descheduler-3.9.13-1.git.267.bb59a3f.el7.x86_64.rpm
atomic-openshift-dockerregistry-3.9.31-1.git.351.1bd46ed.el7.x86_64.rpm
atomic-openshift-federation-services-3.9.31-1.git.0.ef9737b.el7.x86_64.rpm
atomic-openshift-master-3.9.31-1.git.0.ef9737b.el7.x86_64.rpm
atomic-openshift-node-3.9.31-1.git.0.ef9737b.el7.x86_64.rpm
atomic-openshift-node-problem-detector-3.9.13-1.git.167.5d6b0d4.el7.x86_64.rpm
atomic-openshift-pod-3.9.31-1.git.0.ef9737b.el7.x86_64.rpm
atomic-openshift-sdn-ovs-3.9.31-1.git.0.ef9737b.el7.x86_64.rpm
atomic-openshift-service-catalog-3.9.31-1.git.0.ef9737b.el7.x86_64.rpm
atomic-openshift-template-service-broker-3.9.31-1.git.0.ef9737b.el7.x86_64.rpm
atomic-openshift-tests-3.9.31-1.git.0.ef9737b.el7.x86_64.rpm
atomic-openshift-web-console-3.9.31-1.git.246.bded6a4.el7.x86_64.rpm
prometheus-node-exporter-3.9.31-1.git.890.a55de06.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2018-1070
https://access.redhat.com/security/cve/CVE-2018-1085
https://access.redhat.com/security/cve/CVE-2018-10843
https://access.redhat.com/security/updates/classification/#important
https://docs.openshift.com/container-platform/3.9/release_notes/ocp_3_9_release_notes.html

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2018 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBWzPRJNzjgjWX9erEAQhcwQ//SFaB/SelgMjCurJyqTaY1IZLq4HKAbjt
K9IQwJc5tWWgzr7OBBZET/ircOW7dwtM1i4JZbjqhhr+81X9Wnyxc4V8NTLsR4hL
wvFw/r780dvfMbjz5Cm3sxRw8FGY8qNpq6XxhO+iTmolJXC9QYtpvKZC0At72/iu
wmlM6H8Z4M4njO4DDlPKgGDajegKkMaOjjigXct+/T8L+azyK1cU/HC9ty2plM3O
ztJqQmwiyelLUPsQm+34oE9obCQ0oqK24EySxjZYQz8FmerBX/MUkk1RSGM0Pfh2
lGp710pbTMLu0bxPwGOyQFMO/ECyliU6/T2MlL8Rl0Sb0d9wFfsYkDUkhb7dkAaM
Oj58gfNGEjpkLCbLHF9xXwwkUBDSUh/7kQRIKnl1nneaL4sae/BEkGsFTUJofMV3
d8kz8a9Myjojk4D9ZfYRv6MrmYV881NBquCCXyaSkD9q8TvWDnR7JClMW9j/WfEA
RH+Aj4FspZhzWXZVbtmLzNXf1AvVqHogO+GtRhl4RS25ilU54UTPshuKCPCNyryM
QyZ9fvoomGq6f0nzbhXcCbbDzVkfLQPeyDR0cq+hJylE57sJ6C2DJfjojODhKNFV
BYsI5kIpRFe0jvu+V8IGiRfjqBbCutnI58ElgYd0/WFIhTYuW0Vc7htHkobJ6Ohm
PCPBXrvdOZI=
=JjBO
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce