-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ===================================================================== Red Hat Security Advisory Synopsis: Critical: OpenShift Container Platform 3.5 security update Advisory ID: RHSA-2018:3624-01 Product: Red Hat OpenShift Enterprise Advisory URL: https://access.redhat.com/errata/RHSA-2018:3624 Issue date: 2018-12-03 CVE Names: CVE-2018-1002105 ===================================================================== 1. Summary: An update is now available for Red Hat OpenShift Container Platform release 3.5. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat OpenShift Container Platform 3.5 - noarch, x86_64 3. Description: Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. Security Fix(es): * A privilege escalation vulnerability exists in OpenShift Container Platform 3.x which allows for compromise of pods running on a compute node to which a pod is scheduled with normal user privilege. This access could include access to all secrets, pods, environment variables, running pod/container processes, and persistent volumes, including in privileged containers. Additionally, on versions 3.6 and higher of OpenShift Container Platform, this vulnerability allows cluster-admin level access to any API hosted by an aggregated API server. This includes the aservicecataloga API which is installed by default in 3.7 and later. Cluster-admin level access to the service catalog allows creation of brokered services by an unauthenticated user with escalated privileges in any namespace and on any node. This could lead to an attacker being allowed to deploy malicious code, or alter existing services. (CVE-2018-1002105) Space precludes documenting all of the bug fixes and enhancements in this advisory. See the following Release Notes documentation for details about these changes: https://docs.openshift.com/container-platform/3.5/release_notes/ocp_3_5_rel ease_notes.html All OpenShift Container Platform 3.5 users are advised to upgrade to these updated packages and images. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1563329 - Mounting socket files from subPaths fail 1568292 - [3.5]Failed to prevent s2i builder images from running as root 1573956 - Kibana page displays "OPENSHIFT ORIGIN" in OCP 1648138 - CVE-2018-1002105 kubernetes: authentication/authorization bypass in the handling of non-101 responses 6. Package List: Red Hat OpenShift Container Platform 3.5: Source: atomic-openshift-3.5.5.31.80-1.git.0.c4a0780.el7.src.rpm cockpit-160-3.el7.src.rpm openshift-ansible-3.5.175-1.git.0.1274ebe.el7.src.rpm noarch: atomic-openshift-docker-excluder-3.5.5.31.80-1.git.0.c4a0780.el7.noarch.rpm atomic-openshift-excluder-3.5.5.31.80-1.git.0.c4a0780.el7.noarch.rpm atomic-openshift-utils-3.5.175-1.git.0.1274ebe.el7.noarch.rpm openshift-ansible-3.5.175-1.git.0.1274ebe.el7.noarch.rpm openshift-ansible-callback-plugins-3.5.175-1.git.0.1274ebe.el7.noarch.rpm openshift-ansible-docs-3.5.175-1.git.0.1274ebe.el7.noarch.rpm openshift-ansible-filter-plugins-3.5.175-1.git.0.1274ebe.el7.noarch.rpm openshift-ansible-lookup-plugins-3.5.175-1.git.0.1274ebe.el7.noarch.rpm openshift-ansible-playbooks-3.5.175-1.git.0.1274ebe.el7.noarch.rpm openshift-ansible-roles-3.5.175-1.git.0.1274ebe.el7.noarch.rpm x86_64: atomic-openshift-3.5.5.31.80-1.git.0.c4a0780.el7.x86_64.rpm atomic-openshift-clients-3.5.5.31.80-1.git.0.c4a0780.el7.x86_64.rpm atomic-openshift-clients-redistributable-3.5.5.31.80-1.git.0.c4a0780.el7.x86_64.rpm atomic-openshift-dockerregistry-3.5.5.31.80-1.git.0.c4a0780.el7.x86_64.rpm atomic-openshift-master-3.5.5.31.80-1.git.0.c4a0780.el7.x86_64.rpm atomic-openshift-node-3.5.5.31.80-1.git.0.c4a0780.el7.x86_64.rpm atomic-openshift-pod-3.5.5.31.80-1.git.0.c4a0780.el7.x86_64.rpm atomic-openshift-sdn-ovs-3.5.5.31.80-1.git.0.c4a0780.el7.x86_64.rpm atomic-openshift-tests-3.5.5.31.80-1.git.0.c4a0780.el7.x86_64.rpm cockpit-debuginfo-160-3.el7.x86_64.rpm cockpit-kubernetes-160-3.el7.x86_64.rpm tuned-profiles-atomic-openshift-node-3.5.5.31.80-1.git.0.c4a0780.el7.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2018-1002105 https://access.redhat.com/security/updates/classification/#critical https://docs.openshift.com/container-platform/3.5/release_notes/ocp_3_5_release_notes.html 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2018 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBXAVpTNzjgjWX9erEAQgbvRAAjLwkonIPikx7ofM1DZ40aI0AwSrMhRK1 pGPx+rriDE5AndP+ElQJvGxVGW3311f41onUgwHlKsur29KjLRxxHTddQvA/IN1X 1RmuCMKtJkOIczqw/wu/n0qm4BXZzekrcSbzIeRXz0cwD7qt3VZZDrhnJh1io7Tw 3SHLi3kTyYcudPFKFAcSfuy1jDW1dG0zOMzA2CuwMuwEN0KhPCrS8co37g9lMfaJ dPGgj69BpPqQhOXHF2mHIbzvR4GTAF21eusAgDdDWxPBhZIxlSkem/WqMkpXKahc 38oAzgPZd88yuiKTG+/JHrVFHu4Hlhgl14fU33XqPADpk0+QnDf22N8z82ez1utt d04lZzS48srqy8t18vPR8WnRA2Ftoze+7j+PZK01m1yVoKW7Eue8JnnTWfuavgiR bZdxYQE4wQrTKrhKRPdsk6mP11h1jdxjZ1sDXiUsYMKtBBMy9r5SX3UhbgSlqIgx ER6vdh6m7bWfUZGorVRN5mjWZi1eKIfk/4bHFVcXMdXm0BxM4QTwZRNZ7RO/JB2i DIJgv19fsIjYuM/kOzD85HW3c7Ti0sbW/VLQsdtykyHqDi3HeJXoGV4cXR2KqK8l HWhLDvCiTmYTqcUNmdoYARG3lKU8ax8S9qjzQIj8nDCZsW3SZLXaG+O/uVZaXkTu fY0if+mXW4w= =ON+p -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce