[RHSA-2017:1244-01] Important: ansible and openshift-ansible security and bug fix update

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: ansible and openshift-ansible security and bug fix update
Advisory ID:       RHSA-2017:1244-01
Product:           Red Hat OpenShift Enterprise
Advisory URL:      https://access.redhat.com/errata/RHSA-2017:1244
Issue date:        2017-05-17
CVE Names:         CVE-2017-7466 CVE-2017-7481
=====================================================================

1. Summary:

Updated atomic-openshift-utils and openshift-ansible packages that fix two
security issues and several bugs are now available for OpenShift Container
Platform 3.5, 3.4, 3.3, and 3.2.

2. Relevant releases/architectures:

Red Hat OpenShift Container Platform 3.2 - noarch
Red Hat OpenShift Container Platform 3.3 - noarch
Red Hat OpenShift Container Platform 3.4 - noarch
Red Hat OpenShift Container Platform 3.5 - noarch

3. Description:

Red Hat OpenShift Container Platform is the company's cloud computing
Platform-as-a-Service (PaaS) solution designed for on-premise or private
cloud deployments.

Ansible is an SSH-based configuration management, deployment, and task
execution system. The openshift-ansible packages contain Ansible code and
playbooks for installing and upgrading OpenShift Container Platform 3.

Security Fix(es):

* An input validation vulnerability was found in Ansible's handling of data
sent from client systems. An attacker with control over a client system
being managed by Ansible, and the ability to send facts back to the Ansible
server, could use this flaw to execute arbitrary code on the Ansible server
using the Ansible server privileges. (CVE-2017-7466)

* Ansible fails to properly mark lookup() results as unsafe. If an attacker
can control the results of lookup() calls, they can inject unicode strings
which may then be parsed by the jinja2 templating system,
resulting in code execution. (CVE-2017-7481)
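Both fixes share one root cause: text that did not originate on the control node (facts returned by a managed host, lookup() results) is handed back to Jinja2, and Ansible templates variable values recursively, so a value that itself contains template syntax gets evaluated with the controller's variables. The model below is an added example, not Ansible's or Red Hat's code; it shows why wrapping such data as "unsafe" (the role Ansible's AnsibleUnsafeText type plays) makes the engine insert it verbatim. The mini-engine, the variable names and the token value are constructed for illustration.

```python
"""Model of Ansible's 'unsafe' tainting (added example, not Ansible's code).
Ansible templates variable values recursively, so a value that itself holds
'{{ ... }}' is evaluated again on the control node.  Facts returned by managed
hosts (CVE-2017-7466) and lookup() results (CVE-2017-7481) are attacker-
influenced, so they must be wrapped as unsafe, which makes the engine insert
them verbatim.  The engine here is a stand-in for Jinja2 that only resolves
variable references, which is enough to show the difference."""
import re

_EXPR = re.compile(r"\{\{\s*(\w+)\s*\}\}")

class UnsafeText(str):
    """Marker: content from an untrusted source, never to be re-templated
    (the role AnsibleUnsafeText plays in Ansible)."""

def wrap_unsafe(value):
    """Recursively mark every string in a fact or lookup result as unsafe."""
    if isinstance(value, dict):
        return {k: wrap_unsafe(v) for k, v in value.items()}
    if isinstance(value, list):
        return [wrap_unsafe(v) for v in value]
    if isinstance(value, str) and not isinstance(value, UnsafeText):
        return UnsafeText(value)
    return value

def render(template, variables, depth=0):
    """Resolve {{ name }}.  Plain str values are templated again (Ansible's
    normal behaviour); UnsafeText values are inserted as literal text."""
    if depth > 10:
        raise RecursionError("template nesting too deep")
    def substitute(match):
        value = variables.get(match.group(1), "")
        if isinstance(value, UnsafeText) or not isinstance(value, str):
            return str(value)
        return render(value, variables, depth + 1)
    return _EXPR.sub(substitute, template)

def controller_view(fact_from_host, mark_unsafe):
    """What a play on the control node would print for a host-supplied fact."""
    variables = {
        "controller_token": "TOKEN-ON-CONTROL-NODE",   # constructed secret
        "remote_hostname": wrap_unsafe(fact_from_host) if mark_unsafe
                           else fact_from_host,
    }
    return render("host reports: {{ remote_hostname }}", variables)

# Constructed fact: a managed host returns template syntax instead of a name.
HOSTILE_FACT = "{{ controller_token }}"
```

With `mark_unsafe=False` the controller's own variable is resolved into the output; with the wrapper applied the fact is printed exactly as the host sent it.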

 

This update also fixes the following bugs:

* The installer could fail to add iptables rules if other iptables rules
were being updated at the same time. This bug fix updates the installer to
wait to obtain a lock when updating iptables rules, ensuring that rules are
properly created. (BZ#1445194, BZ#1445282)

* In multi-master environments, if `ansible_host` and `openshift_hostname`
values differ and Ansible sorts one of the lists differently from the
other, then the CA host may be the first master but it was still signing
the initial certificates with the host names of the first master. By
ensuring that the host names of the CA host are used when creating the
certificate authority, this bug fix ensures that the certificates are
signed with the correct host names. (BZ#1447399, BZ#1440309, BZ#1447398)

* Running Ansible via `batch` systems like the `nohup` command caused
Ansible to leak file descriptors and abort playbooks whenever the maximum
number of open file descriptors was reached. Ansible 2.2.3.0 includes a fix
for this problem, and OCP channels have been updated to include this
version. (BZ#1439277)

* The OCP 3.4 logging stack upgraded the schema to use the common standard
logging data model. However, some of the Elasticsearch and Kibana
configuration to use this schema was missing. This caused Kibana to show an
error message upon startup. This bug fix adds the correct Elasticsearch and
Kibana configuration to the logging stack, including during upgrade from
OCP 3.3 to 3.4, and from 3.4.x to 3.4.y. As a result, Kibana works
correctly with the new logging data schema. (BZ#1444106)

* Because the upgrade playbooks upgraded packages in a serial manner rather
than all at once, yum dependency resolution would have installed the latest
version available in the enabled repositories rather than the requested
version. This bug fix updates the playbooks to upgrade all packages to the
requested version at once, which prevents yum from potentially upgrading to
the latest version. (BZ#1391325, BZ#1449220, BZ#1449221)

* In an environment utilizing mixed containerized and RPM-based
installation methods, the installer would fail to gather facts when a
master and node used different installation methods. This bug fix updates
the installer to ensure mixed installations work properly. (BZ#1408663)

* Previously, if `enable_excluders=false` was set, the playbooks would still
install and upgrade the excluders during the config.yml playbook even if
the excluders were never previously installed. With this bug fix, if the
excluders were not previously installed, the playbooks will avoid
installing them. (BZ#1434679)

* Previously, the playbooks would abort if a namespace had non-ASCII
characters in its description. This bug fix updates the playbooks to
properly decode unicode characters, ensuring that upgrades to OCP 3.5 work
as expected. (BZ#1444806)

All OpenShift Container Platform users are advised to upgrade to these
updated packages.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To apply this update, run the following on all hosts where you intend to
initiate Ansible-based installation or upgrade procedures:

# yum update atomic-openshift-utils

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at:

https://access.redhat.com/articles/11258
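After the update, the installed builds on each controller host can be checked against the versions listed in section 6 below. The script is an added example, not Red Hat tooling: it implements a simplified rpmvercmp (no tilde or caret handling, sufficient for these labels) and runs it over a constructed `rpm -qa` excerpt; the git hash `deadbee` in the sample is invented.

```python
"""Check whether hosts carry the versions fixed by RHSA-2017:1244 (added
example, not Red Hat tooling).  Feed it `rpm -qa` output; the comparison is
a simplified rpmvercmp (no tilde/caret handling), enough for these labels."""
import re
# Fixed version-release per stream, taken from the advisory's package list.
FIXED = {
    "ansible": "2.2.3.0-1.el7",
    "3.2": "3.2.56-1.git.0.b844ab7.el7",
    "3.3": "3.3.82-1.git.0.af0c922.el7",
    "3.4": "3.4.89-1.git.0.ac29ce8.el7",
    "3.5": "3.5.71-1.git.0.128c2db.el7",
}

def rpm_label_cmp(a, b):
    """rpmvercmp-style: digits numerically, letters lexically, digits > letters."""
    sa, sb = (re.findall(r"\d+|[a-zA-Z]+", s) for s in (a, b))
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if x.isdigit() and y.isdigit():
            return (int(x) > int(y)) - (int(x) < int(y))
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def vr_cmp(a, b):
    """Compare 'version-release' labels: version first, then release."""
    (va, ra), (vb, rb) = a.split("-", 1), b.split("-", 1)
    return rpm_label_cmp(va, vb) or rpm_label_cmp(ra, rb)

def unpatched(installed_nvras):
    """Return the installed NVRAs that are older than the fixed version."""
    out = []
    for nvra in installed_nvras:
        # 'openshift-ansible-3.2.56-1.git.0.b844ab7.el7.noarch' -> name, v-r
        name, ver, rel_arch = nvra.rsplit("-", 2)
        vr = ver + "-" + rel_arch.rsplit(".", 1)[0]          # drop the arch
        # openshift-ansible-* and atomic-openshift-utils follow the OCP stream
        fixed = FIXED["ansible"] if name == "ansible" else FIXED.get(vr[:3])
        if fixed and vr_cmp(vr, fixed) < 0:
            out.append(nvra)
    return out

# Constructed `rpm -qa` excerpt: two outdated packages, one fixed, one unrelated.
SAMPLE_RPM_QA = [
    "ansible-2.2.2.0-1.el7.noarch", "bash-4.2.46-28.el7.x86_64",
    "atomic-openshift-utils-3.5.71-1.git.0.128c2db.el7.noarch",
    "openshift-ansible-3.5.70-1.git.0.deadbee.el7.noarch",
]
```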

 

5. Bugs fixed (https://bugzilla.redhat.com/):

1391325 - [3.5] openshift_pkg_version doesn't seem to work
1408663 - [3.4] facts collection for openshift.common.admin_binary does not seem to work in mixed environments
1418032 - [3.2] Update router and registry certificates in the redeploy-certificates.yml
1422541 - [3.5] [quick installer]Installer get stuck at "Gathering information from hosts..." if bad hostname checked
1434679 - [3.5] openshift-ansible should do nothing to existed excluders when set "enable_excluders=false"
1439212 - CVE-2017-7466 ansible: Arbitrary code execution on control node (incomplete fix for CVE-2016-9587)
1439277 - Ansible Install is unable to complete install due to module losing issues.
1440309 - [3.4] Post-install, master certs signed for wrong name
1444106 - [3.4 Backport] openshift users encountered confirmation "Apply these filters?" when switching between index list populated in the left panel on kibana
1444806 - [3.5] Unable to run upgrade playbook
1445194 - [3.4] Installer fails to add/check iptables rule due to lock on xtables
1445282 - [3.3] Installer fails to add/check iptables rule due to lock on xtables
1446741 - [3.4] Redeploy certificates fails with custom openshift_hosted_router_certificate
1446745 - [3.3] Redeploy certificates fails with custom openshift_hosted_router_certificate
1447398 - [3.3] Post-install, master certs signed for wrong name
1447399 - [3.5] Post-install, master certs signed for wrong name
1448842 - Installing Openshift Container Platform 3.5 returns an error on Play 11/28 (Disable excluders)
1449220 - [3.4] openshift_pkg_version doesn't seem to work
1449221 - [3.3] openshift_pkg_version doesn't seem to work
1450018 - CVE-2017-7481 ansible: Security issue with lookup return not tainting the jinja2 environment
1450412 - [3.4] Installing containerized using the 3.4 playbooks may install other versions
1450415 - [3.3] Installing containerized using the 3.3 playbooks may install other versions

6. Package List:

Red Hat OpenShift Container Platform 3.2:

Source:
ansible-2.2.3.0-1.el7.src.rpm
openshift-ansible-3.2.56-1.git.0.b844ab7.el7.src.rpm

noarch:
ansible-2.2.3.0-1.el7.noarch.rpm
atomic-openshift-utils-3.2.56-1.git.0.b844ab7.el7.noarch.rpm
openshift-ansible-3.2.56-1.git.0.b844ab7.el7.noarch.rpm
openshift-ansible-docs-3.2.56-1.git.0.b844ab7.el7.noarch.rpm
openshift-ansible-filter-plugins-3.2.56-1.git.0.b844ab7.el7.noarch.rpm
openshift-ansible-lookup-plugins-3.2.56-1.git.0.b844ab7.el7.noarch.rpm
openshift-ansible-playbooks-3.2.56-1.git.0.b844ab7.el7.noarch.rpm
openshift-ansible-roles-3.2.56-1.git.0.b844ab7.el7.noarch.rpm

Red Hat OpenShift Container Platform 3.3:

Source:
ansible-2.2.3.0-1.el7.src.rpm
openshift-ansible-3.3.82-1.git.0.af0c922.el7.src.rpm

noarch:
ansible-2.2.3.0-1.el7.noarch.rpm
atomic-openshift-utils-3.3.82-1.git.0.af0c922.el7.noarch.rpm
openshift-ansible-3.3.82-1.git.0.af0c922.el7.noarch.rpm
openshift-ansible-callback-plugins-3.3.82-1.git.0.af0c922.el7.noarch.rpm
openshift-ansible-docs-3.3.82-1.git.0.af0c922.el7.noarch.rpm
openshift-ansible-filter-plugins-3.3.82-1.git.0.af0c922.el7.noarch.rpm
openshift-ansible-lookup-plugins-3.3.82-1.git.0.af0c922.el7.noarch.rpm
openshift-ansible-playbooks-3.3.82-1.git.0.af0c922.el7.noarch.rpm
openshift-ansible-roles-3.3.82-1.git.0.af0c922.el7.noarch.rpm

Red Hat OpenShift Container Platform 3.4:

Source:
ansible-2.2.3.0-1.el7.src.rpm
openshift-ansible-3.4.89-1.git.0.ac29ce8.el7.src.rpm

noarch:
ansible-2.2.3.0-1.el7.noarch.rpm
atomic-openshift-utils-3.4.89-1.git.0.ac29ce8.el7.noarch.rpm
openshift-ansible-3.4.89-1.git.0.ac29ce8.el7.noarch.rpm
openshift-ansible-callback-plugins-3.4.89-1.git.0.ac29ce8.el7.noarch.rpm
openshift-ansible-docs-3.4.89-1.git.0.ac29ce8.el7.noarch.rpm
openshift-ansible-filter-plugins-3.4.89-1.git.0.ac29ce8.el7.noarch.rpm
openshift-ansible-lookup-plugins-3.4.89-1.git.0.ac29ce8.el7.noarch.rpm
openshift-ansible-playbooks-3.4.89-1.git.0.ac29ce8.el7.noarch.rpm
openshift-ansible-roles-3.4.89-1.git.0.ac29ce8.el7.noarch.rpm

Red Hat OpenShift Container Platform 3.5:

Source:
ansible-2.2.3.0-1.el7.src.rpm
openshift-ansible-3.5.71-1.git.0.128c2db.el7.src.rpm

noarch:
ansible-2.2.3.0-1.el7.noarch.rpm
atomic-openshift-utils-3.5.71-1.git.0.128c2db.el7.noarch.rpm
openshift-ansible-3.5.71-1.git.0.128c2db.el7.noarch.rpm
openshift-ansible-callback-plugins-3.5.71-1.git.0.128c2db.el7.noarch.rpm
openshift-ansible-docs-3.5.71-1.git.0.128c2db.el7.noarch.rpm
openshift-ansible-filter-plugins-3.5.71-1.git.0.128c2db.el7.noarch.rpm
openshift-ansible-lookup-plugins-3.5.71-1.git.0.128c2db.el7.noarch.rpm
openshift-ansible-playbooks-3.5.71-1.git.0.128c2db.el7.noarch.rpm
openshift-ansible-roles-3.5.71-1.git.0.128c2db.el7.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2017-7466
https://access.redhat.com/security/cve/CVE-2017-7481
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2017 Red Hat, Inc.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFZHIsFXlSAg2UNWIIRAuB1AJ9F/QzE7KWxmeObPZ4D1cr+b+kEDACghefR
WrXYiGid1xP2VEDz+gniRjk=
=Z/cV
-----END PGP SIGNATURE-----

 
