Issued:
2018-11-11
Updated:
2018-11-11

RHSA-2018:2709 - Important: Red Hat OpenShift Container Platform 3.10 security and bug fix update

Synopsis

Important: Red Hat OpenShift Container Platform 3.10 security and bug fix update

Type/Severity

Security Advisory Important

Topic

Red Hat OpenShift Container Platform release 3.10.66 is now available with updates to packages and images that fix several security, bug, and add enhancements.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the RPM packages for Red Hat OpenShift Container Platform 3.10.66. See the following advisory for the container images for this release:

https://access.redhat.com/errata/RHBA-2018:2824

Security Fix(es):

  • atomic-openshift: oc patch with json causes masterapi service crash (CVE-2018-14632)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Red Hat would like to thank Lars Haugan for reporting this issue.

All OpenShift Container Platform 3.10 users are advised to upgrade to these updated packages and images.

Bug Fix(es):

  • During etcd scaleup, facts about the etcd cluster are required to add new hosts. This bug fix adds the necessary tasks to ensure those facts get set before configuring new hosts, and therefore, allow the scaleup to complete as expected. (BZ#1578482)

  • Previously, sync pod was not available when the Prometheus install checked for available nodes. As a consequence, if a custom label was used for the Prometheus install to select an appropriate node, the sync pods must have already applied the label to the nodes. Otherwise, the Prometheus installer would not find any nodes with a matching label. This bug fix adds a check to the install process to wait for sync pods to become available before continuing. As a result, the node labeling process will complete, and the nodes will have the correct labels for the Prometheus pod to be scheduled. (BZ#1609019)

  • This bug fix corrects an issue where a pod is stuck terminating due to I/O errors on a FlexVolume mounted on the XFS file system. (BZ#1626054)

  • Previously, fluentd generated events internally with the OneEventStream class. This class does not have the empty? method. The Kubernetes metadata filter used the empty? method on the EventStream object to avoid processing an empty stream. Fluentd issued error messages about the missing empty? method, which overwhelmed container logging and caused disk issues. This bug fix changed the Kubernetes metadata filter only to call the empty? method on objects that have this method. As a result, fluentd logs do not contain this message. (BZ#1626552)

  • RubyGems FFI 1.9.25 reverted a patch which allowed it to work on systems with SELinux deny_execmem=1. This reversion caused fluentd to crash. This bug reverts the patch reversion. As a result, fluentd does not crash when using SELinux deny_execmem=1. (BZ#1628405)

  • This bug fix updates the redeploy-openshift-ca.yml playbook to reference the correct node client certificate file, node/client-ca.crt. (BZ#1628546)

  • The fix for BZ1628371 introduced a poorly built shared library with a missing symbol. This missing symbol caused fluentd to crash with an "undefined symbol: rbffi_Closure_Alloc" error message. This bug fix rebuilds the shared library with the correct symbols. As a result, fluentd does not crash. (BZ#1628798)

  • Previously, when using Docker with the journald log driver, all container logs, including system and plain Docker container logs, were logged to the journal, and read by fluentd. Fluentd did not know how to handle these non-Kubernetes container logs and threw exceptions. This bug fix treats non-Kubernetes container logs as logs from other system services, for example, sending them to the .operations.* index. As a result, logs from non-Kubernetes containers are indexed correctly and do not cause any errors. (BZ#1632361)

Solution

See the release notes documentation for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:

This page is not included, but the link has been rewritten to point to the nearest parent document.https://docs.openshift.com/container-platform/3.10/release_notes/ocp_3_10_release_notes.html

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/articles/11258.

Affected Products

ProductVersionArch
Red Hat OpenShift Container Platform3.10x86_64
Red Hat OpenShift Container Platform for Power3.10ppc64le

Updated Packages

  • prometheus-node-exporter-3.10.66-1.git.1060.f6046fd.el7.x86_64.rpm
  • openshift-enterprise-cluster-capacity-3.10.66-1.git.380.aef3728.el7.ppc64le.rpm
  • python-setuptools-17.1.1-4.el7.noarch.rpm
  • atomic-openshift-hyperkube-3.10.66-1.git.0.91d1e89.el7.ppc64le.rpm
  • openshift-monitor-project-lifecycle-3.10.66-1.git.59.57c03d5.el7.ppc64le.rpm
  • haproxy18-1.8.14-2.el7.ppc64le.rpm
  • perl-IO-String-1.08-20.el7.noarch.rpm
  • atomic-openshift-node-3.10.66-1.git.0.91d1e89.el7.ppc64le.rpm
  • image-inspector-2.4.0-3.el7.src.rpm
  • atomic-openshift-web-console-3.10.66-1.git.389.adbeb58.el7.src.rpm
  • openshift-enterprise-cluster-capacity-3.10.66-1.git.380.aef3728.el7.x86_64.rpm
  • atomic-openshift-descheduler-3.10.66-1.git.299.e466391.el7.src.rpm
  • openshift-monitor-project-lifecycle-3.10.66-1.git.59.57c03d5.el7.x86_64.rpm
  • rubygem-ffi-1.9.25-4.el7_5.x86_64.rpm
  • atomic-openshift-hyperkube-3.10.66-1.git.0.91d1e89.el7.x86_64.rpm
  • image-inspector-2.4.0-3.el7.x86_64.rpm
  • atomic-openshift-dockerregistry-3.10.66-1.git.390.77310f8.el7.ppc64le.rpm
  • openshift-monitor-project-lifecycle-3.10.66-1.git.59.57c03d5.el7.src.rpm
  • atomic-openshift-dockerregistry-3.10.66-1.git.390.77310f8.el7.src.rpm
  • atomic-openshift-pod-3.10.66-1.git.0.91d1e89.el7.x86_64.rpm
  • atomic-openshift-sdn-ovs-3.10.66-1.git.0.91d1e89.el7.x86_64.rpm
  • atomic-openshift-3.10.66-1.git.0.91d1e89.el7.src.rpm
  • golang-github-prometheus-node_exporter-3.10.66-1.git.1060.f6046fd.el7.src.rpm
  • atomic-enterprise-service-catalog-3.10.66-1.git.1450.b758bdb.el7.ppc64le.rpm
  • atomic-openshift-master-3.10.66-1.git.0.91d1e89.el7.x86_64.rpm
  • python-setuptools-17.1.1-4.el7.src.rpm
  • rubygem-ffi-debuginfo-1.9.25-4.el7_5.x86_64.rpm
  • image-inspector-2.4.0-3.el7.ppc64le.rpm
  • prometheus-node-exporter-3.10.66-1.git.1060.f6046fd.el7.ppc64le.rpm
  • atomic-openshift-template-service-broker-3.10.66-1.git.0.91d1e89.el7.x86_64.rpm
  • atomic-enterprise-service-catalog-svcat-3.10.66-1.git.1450.b758bdb.el7.x86_64.rpm
  • atomic-enterprise-service-catalog-svcat-3.10.66-1.git.1450.b758bdb.el7.ppc64le.rpm
  • haproxy-debuginfo-1.8.14-2.el7.ppc64le.rpm
  • haproxy18-1.8.14-2.el7.x86_64.rpm
  • atomic-openshift-excluder-3.10.66-1.git.0.91d1e89.el7.noarch.rpm
  • atomic-openshift-template-service-broker-3.10.66-1.git.0.91d1e89.el7.ppc64le.rpm
  • rubygem-ffi-debuginfo-1.9.25-4.el7_5.ppc64le.rpm
  • atomic-openshift-descheduler-3.10.66-1.git.299.e466391.el7.x86_64.rpm
  • python-py-1.4.32-2.el7.noarch.rpm
  • atomic-openshift-master-3.10.66-1.git.0.91d1e89.el7.ppc64le.rpm
  • atomic-openshift-docker-excluder-3.10.66-1.git.0.91d1e89.el7.noarch.rpm
  • atomic-openshift-node-problem-detector-3.10.66-1.git.198.2fcf818.el7.src.rpm
  • python-py-1.4.32-2.el7.src.rpm
  • atomic-openshift-descheduler-3.10.66-1.git.299.e466391.el7.ppc64le.rpm
  • atomic-openshift-node-problem-detector-3.10.66-1.git.198.2fcf818.el7.ppc64le.rpm
  • atomic-openshift-web-console-3.10.66-1.git.389.adbeb58.el7.ppc64le.rpm
  • perl-IO-String-1.08-20.el7.src.rpm
  • atomic-openshift-hypershift-3.10.66-1.git.0.91d1e89.el7.ppc64le.rpm
  • atomic-enterprise-service-catalog-3.10.66-1.git.1450.b758bdb.el7.x86_64.rpm
  • atomic-openshift-clients-redistributable-3.10.66-1.git.0.91d1e89.el7.x86_64.rpm
  • atomic-openshift-clients-3.10.66-1.git.0.91d1e89.el7.ppc64le.rpm
  • haproxy-debuginfo-1.8.14-2.el7.x86_64.rpm
  • atomic-openshift-node-3.10.66-1.git.0.91d1e89.el7.x86_64.rpm
  • haproxy-1.8.14-2.el7.src.rpm
  • atomic-openshift-dockerregistry-3.10.66-1.git.390.77310f8.el7.x86_64.rpm
  • atomic-openshift-web-console-3.10.66-1.git.389.adbeb58.el7.x86_64.rpm
  • openshift-ansible-playbooks-3.10.66-1.git.0.3c3a83a.el7.noarch.rpm
  • rubygem-ffi-1.9.25-4.el7_5.ppc64le.rpm
  • atomic-openshift-clients-3.10.66-1.git.0.91d1e89.el7.x86_64.rpm
  • atomic-openshift-pod-3.10.66-1.git.0.91d1e89.el7.ppc64le.rpm
  • atomic-enterprise-service-catalog-3.10.66-1.git.1450.b758bdb.el7.src.rpm
  • rubygem-ffi-1.9.25-4.el7_5.src.rpm
  • atomic-openshift-3.10.66-1.git.0.91d1e89.el7.x86_64.rpm
  • openshift-ansible-3.10.66-1.git.0.3c3a83a.el7.src.rpm
  • openshift-enterprise-cluster-capacity-3.10.66-1.git.380.aef3728.el7.src.rpm
  • atomic-openshift-sdn-ovs-3.10.66-1.git.0.91d1e89.el7.ppc64le.rpm
  • atomic-openshift-tests-3.10.66-1.git.0.91d1e89.el7.ppc64le.rpm
  • atomic-openshift-tests-3.10.66-1.git.0.91d1e89.el7.x86_64.rpm
  • atomic-openshift-hypershift-3.10.66-1.git.0.91d1e89.el7.x86_64.rpm
  • atomic-openshift-3.10.66-1.git.0.91d1e89.el7.ppc64le.rpm
  • atomic-openshift-node-problem-detector-3.10.66-1.git.198.2fcf818.el7.x86_64.rpm
  • openshift-ansible-3.10.66-1.git.0.3c3a83a.el7.noarch.rpm
  • openshift-ansible-docs-3.10.66-1.git.0.3c3a83a.el7.noarch.rpm
  • openshift-ansible-roles-3.10.66-1.git.0.3c3a83a.el7.noarch.rpm

Fixes

CVEs

References

Additional information