-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Important: Red Hat OpenShift Container Platform 3.9 security and bug fix update Advisory ID: RHSA-2018:2908-01 Product: Red Hat OpenShift Enterprise Advisory URL: https://access.redhat.com/errata/RHSA-2018:2908 Issue date: 2018-11-20 CVE Names: CVE-2018-14632 ===================================================================== 1. Summary: Red Hat OpenShift Container Platform release 3.9.51 is now available with updates to packages and images that fix several bugs. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat OpenShift Container Platform 3.9 - noarch, x86_64 3. Description: Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 3.9.51. See the following advisory for the container images for this release: https://access.redhat.com/errata/RHBA-2018:2907 Security Fix: * atomic-openshift: oc patch with json causes masterapi service crash (CVE-2018-14632) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank Lars Haugan for reporting this issue. Bug Fixes: * Events on `storage` in Internet Explorer 11 were triggered in the same window tab, whereas in other browsers, the events were triggered in duplicate tabs. This issue caused the request to time out when logging into the console in Internet Explorer 11. This bug fix enables `inactivityLogoutKey`, and ensures that all tabs are logged out before timing out. As a result, Internet Explorer 11 logs out on the same conditions as other browsers. (BZ#1607150) * Previously, fluentd generated events internally with the `OneEventStream` class. This class does not have the `empty?` method. The Kubernetes metadata filter used the `empty?` method on the `EventStream` object to avoid processing an empty stream. Fluentd issued error messages about the missing `empty?` method, which overwhelmed container logging and caused disk issues. This bug fix changed the Kubernetes metadata filter only to call the `empty?` method on objects that have this method. As a result, fluentd logs do not contain this message. (BZ#1626281) * RubyGems FFI 1.9.25 reverted a patch which allowed it to work on systems with `SELinux deny_execmem=1`. This reversion caused fluentd to crash. This bug reverts the patch reversion. As a result, fluentd does not crash when using `SELinux deny_execmem=1`. (BZ#1628371) * The fix for BZ1628371 introduced a poorly built shared library with a missing symbol. This missing symbol caused fluentd to crash with an "undefined symbol: rbffi_Closure_Alloc" error message. This bug fix rebuilds the shared library with the correct symbols. As a result, fluentd does not crash. (BZ#1628799) * Previously, the `json` was the default log format for an audit. This format caused the audit log to print using JSON format. This bug fix allows you to set the format as specified in *_master-config.yaml_*. As a result, the audit log contains values per configured log format. (BZ#1631087) * Previously, when using Docker with the journald log driver, all container logs, including system and plain Docker container logs, were logged to the journal, and read by fluentd. Fluentd did not know how to handle these non-Kubernetes container logs and threw exceptions. This bug fix treats non-Kubernetes container logs as logs from other system services, for example, sending them to the .operations.* index. As a result, logs from non-Kubernetes containers are indexed correctly and do not cause any errors. (BZ#1632130) All OpenShift Container Platform 3.9 users are advised to upgrade to these updated packages and images. 4. Solution: Before applying this update, ensure all previously released errata relevant to your system have been applied. See the following documentation, which will be updated shortly for release 3.9.51, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update: https://docs.openshift.com/container-platform/3.9/release_notes/ocp_3_9_rel ease_notes.html This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/articles/11258. 5. Bugs fixed (https://bugzilla.redhat.com/): 1607150 - UI Timeout causing IE 11 to automatically log out 1625885 - CVE-2018-14632 atomic-openshift: oc patch with json causes masterapi service crash 1626281 - [3.9] fluentd pods are running with error logs which makes fill up disk very quickly. 1628371 - [3.9] Fluentd pods failed to start after an update to 3.9.41 when deny_execmem=1 on nodes 1628799 - [3.9] Fluentd pod crashes with "undefined symbol: rbffi_Closure_Alloc" 1629001 - openshift_hosted_manage_registry and openshift_hosted_manage_router are not respected upon upgrade 1631087 - Cannot see basic audit log 1632130 - [3.9] Fluentd cannot handle S2I Logs 1633767 - [3.9] Storage upgrade fails on loaded HA cluster: the server doesn't have a resource type \"clusterservicebrokers\" and ERROR: logging before flag.Parse 6. Package List: Red Hat OpenShift Container Platform 3.9: Source: atomic-openshift-3.9.51-1.git.0.dc3a40b.el7.src.rpm atomic-openshift-web-console-3.9.51-1.git.268.c379530.el7.src.rpm fluentd-0.12.43-3.el7.src.rpm golang-github-prometheus-node_exporter-3.9.51-1.git.1060.2055e02.el7.src.rpm openshift-ansible-3.9.51-1.git.0.c4968ca.el7.src.rpm openshift-elasticsearch-plugin-2.4.4.23__redhat_1-3.el7.src.rpm rubygem-fluent-plugin-kubernetes_metadata_filter-1.0.3-2.el7.src.rpm noarch: atomic-openshift-docker-excluder-3.9.51-1.git.0.dc3a40b.el7.noarch.rpm atomic-openshift-excluder-3.9.51-1.git.0.dc3a40b.el7.noarch.rpm atomic-openshift-utils-3.9.51-1.git.0.c4968ca.el7.noarch.rpm fluentd-doc-0.12.43-3.el7.noarch.rpm openshift-ansible-3.9.51-1.git.0.c4968ca.el7.noarch.rpm openshift-ansible-docs-3.9.51-1.git.0.c4968ca.el7.noarch.rpm openshift-ansible-playbooks-3.9.51-1.git.0.c4968ca.el7.noarch.rpm openshift-ansible-roles-3.9.51-1.git.0.c4968ca.el7.noarch.rpm openshift-elasticsearch-plugin-2.4.4.23__redhat_1-3.el7.noarch.rpm rubygem-fluent-plugin-kubernetes_metadata_filter-1.0.3-2.el7.noarch.rpm rubygem-fluent-plugin-kubernetes_metadata_filter-doc-1.0.3-2.el7.noarch.rpm x86_64: atomic-openshift-3.9.51-1.git.0.dc3a40b.el7.x86_64.rpm atomic-openshift-clients-3.9.51-1.git.0.dc3a40b.el7.x86_64.rpm atomic-openshift-clients-redistributable-3.9.51-1.git.0.dc3a40b.el7.x86_64.rpm atomic-openshift-cluster-capacity-3.9.51-1.git.0.dc3a40b.el7.x86_64.rpm atomic-openshift-dockerregistry-3.9.51-1.git.353.7685923.el7.x86_64.rpm atomic-openshift-federation-services-3.9.51-1.git.0.dc3a40b.el7.x86_64.rpm atomic-openshift-master-3.9.51-1.git.0.dc3a40b.el7.x86_64.rpm atomic-openshift-node-3.9.51-1.git.0.dc3a40b.el7.x86_64.rpm atomic-openshift-pod-3.9.51-1.git.0.dc3a40b.el7.x86_64.rpm atomic-openshift-sdn-ovs-3.9.51-1.git.0.dc3a40b.el7.x86_64.rpm atomic-openshift-service-catalog-3.9.51-1.git.0.dc3a40b.el7.x86_64.rpm atomic-openshift-template-service-broker-3.9.51-1.git.0.dc3a40b.el7.x86_64.rpm atomic-openshift-tests-3.9.51-1.git.0.dc3a40b.el7.x86_64.rpm atomic-openshift-web-console-3.9.51-1.git.268.c379530.el7.x86_64.rpm fluentd-0.12.43-3.el7.x86_64.rpm fluentd-debuginfo-0.12.43-3.el7.x86_64.rpm prometheus-node-exporter-3.9.51-1.git.1060.2055e02.el7.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2018-14632 https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2018 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBW/N7iNzjgjWX9erEAQhOLg/8CAQR8FexHTaitZBksQMd+DnXfm65oChz kmu/uSECE6gBbhx4ayDqUeEQK6DAT9yOZlLUdeLPHe/VnuVuZ3qVhyCL7dh7vOvm wmwYdboJ76XStT0pfzDexyMLDk5zfAf0Pg7QgPV2u6Vncnk6rpqPUqksGnCqP49r 6pxTeO8CB/e4CkZA7KyRUUcSOUWRuFZFcv4bg86bc/NleUtC/kxtocTzihujsNdr P3XP7YZA+Pjay7D1KouqxeyYJOM2/7uovkwiZBDi7obx5v0ip+GNsSYkOarAOTqa 07dKkqCWm/ru3w1VcR6XknNLTl82OO2vPiZrlqzX4Fjlpk2QtTmwcRWhbaKjGfHt 1aQTpZGsLe0nF3Hear7ca7xR0wbEMow9FPOTQrT8vmE6XR7vTxtupB7dy86uuxVH 7oqGGQkQwNWCeAFQYYzFHlQxNINQx9kMs8FMh/xLmGm6BiD7hGYpYPTC4u3hCE0g +KM3JElVn7XDN5j6nBZSxCenMGmVlJDvl6wFyTb82a7tl/wicKnujimnjqY2N8IX DVHMuOYNNi98+1Dt9hrRJYH2HTzX/fhrPh5RGqfbwLL2glisA6z+axup5UhgWfaz lVR8bI2JSOsF9AFwGBBO/8iENJE4WaZoWgaT12ciuxja0+u7Za1lBZ7oSTZNIW7f MdspFHLyT20= =O6BE -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce