-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: ansible and openshift-ansible security and bug fix update
Advisory ID:       RHSA-2017:1244-01
Product:           Red Hat OpenShift Enterprise
Advisory URL:      https://access.redhat.com/errata/RHSA-2017:1244
Issue date:        2017-05-17
CVE Names:         CVE-2017-7466 CVE-2017-7481
=====================================================================

1. Summary:

Updated atomic-openshift-utils and openshift-ansible packages that fix two
security issues and several bugs are now available for OpenShift Container
Platform 3.5, 3.4, 3.3, and 3.2.

2. Relevant releases/architectures:

Red Hat OpenShift Container Platform 3.2 - noarch
Red Hat OpenShift Container Platform 3.3 - noarch
Red Hat OpenShift Container Platform 3.4 - noarch
Red Hat OpenShift Container Platform 3.5 - noarch

3. Description:

Red Hat OpenShift Container Platform is the company's cloud computing
Platform-as-a-Service (PaaS) solution designed for on-premise or private
cloud deployments.

Ansible is an SSH-based configuration management, deployment, and task
execution system. The openshift-ansible packages contain Ansible code and
playbooks for installing and upgrading OpenShift Container Platform 3.

Security Fix(es):

* An input validation vulnerability was found in Ansible's handling of data
sent from client systems. An attacker with control over a client system
being managed by Ansible, and the ability to send facts back to the Ansible
server, could use this flaw to execute arbitrary code on the Ansible server
using the Ansible server privileges. (CVE-2017-7466)

* Ansible fails to properly mark lookup() results as unsafe. If an attacker
can control the results of lookup() calls, they can inject unicode strings
which may then be parsed by the jinja2 templating system, resulting in code
execution. (CVE-2017-7481)

This update also fixes the following bugs:

* The installer could fail to add iptables rules if other iptables rules
were being updated at the same time. This bug fix updates the installer to
wait to obtain a lock when updating iptables rules, ensuring that rules are
properly created. (BZ#1445194, BZ#1445282)

* In multi-master environments, if `ansible_host` and `openshift_hostname`
values differ and Ansible sorts one of the lists differently from the
other, the CA host may not be the first master, yet the initial
certificates were still signed with the host names of the first master. By
ensuring that the host names of the CA host are used when creating the
certificate authority, this bug fix ensures that the certificates are
signed with the correct host names. (BZ#1447399, BZ#1440309, BZ#1447398)

* Running Ansible via `batch` systems like the `nohup` command caused
Ansible to leak file descriptors and abort playbooks whenever the maximum
number of open file descriptors was reached. Ansible 2.2.3.0 includes a fix
for this problem, and OCP channels have been updated to include this
version. (BZ#1439277)

* The OCP 3.4 logging stack upgraded the schema to use the common standard
logging data model. However, some of the Elasticsearch and Kibana
configuration to use this schema was missing. This caused Kibana to show an
error message upon startup. This bug fix adds the correct Elasticsearch and
Kibana configuration to the logging stack, including during upgrade from
OCP 3.3 to 3.4, and from 3.4.x to 3.4.y. As a result, Kibana works
correctly with the new logging data schema. (BZ#1444106)

* Because the upgrade playbooks upgraded packages in a serial manner rather
than all at once, yum dependency resolution would have installed the latest
version available in the enabled repositories rather than the requested
version. This bug fix updates the playbooks to upgrade all packages to the
requested version at once, which prevents yum from potentially upgrading to
the latest version. (BZ#1391325, BZ#1449220, BZ#1449221)

* In an environment utilizing mixed containerized and RPM based
installation methods, the installer would fail to gather facts when a
master and node used different installation methods. This bug fix updates
the installer to ensure mixed installations work properly. (BZ#1408663)

* Previously, if `enable_excluders=false` was set, the playbooks would still
install and upgrade the excluders during the config.yml playbook even if
the excluders were never previously installed. With this bug fix, if the
excluders were not previously installed, the playbooks will avoid
installing them. (BZ#1434679)

* Previously, the playbooks would abort if a namespace had non-ASCII
characters in its description. This bug fix updates the playbooks to
properly decode unicode characters, ensuring that upgrades to OCP 3.5 work
as expected. (BZ#1444806)

All OpenShift Container Platform users are advised to upgrade to these
updated packages.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To apply this update, run the following on all hosts where you intend to
initiate Ansible-based installation or upgrade procedures:

# yum update atomic-openshift-utils

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1391325 - [3.5] openshift_pkg_version doesn't seem to work
1408663 - [3.4] facts collection for openshift.common.admin_binary does not seem to work in mixed environments
1418032 - [3.2] Update router and registry certificates in the redeploy-certificates.yml
1422541 - [3.5] [quick installer]Installer get stuck at "Gathering information from hosts..." if bad hostname checked
1434679 - [3.5] openshift-ansible should do nothing to existed excluders when set "enable_excluders=false"
1439212 - CVE-2017-7466 ansible: Arbitrary code execution on control node (incomplete fix for CVE-2016-9587)
1439277 - Ansible Install is unable to complete install due to module losing issues.
1440309 - [3.4] Post-install, master certs signed for wrong name
1444106 - [3.4 Backport] openshift users encountered confirmation "Apply these filters?" when switching between index list populated in the left panel on kibana
1444806 - [3.5] Unable to run upgrade playbook
1445194 - [3.4] Installer fails to add/check iptables rule due to lock on xtables
1445282 - [3.3] Installer fails to add/check iptables rule due to lock on xtables
1446741 - [3.4] Redeploy certificates fails with custom openshift_hosted_router_certificate
1446745 - [3.3] Redeploy certificates fails with custom openshift_hosted_router_certificate
1447398 - [3.3] Post-install, master certs signed for wrong name
1447399 - [3.5] Post-install, master certs signed for wrong name
1448842 - Installing Openshift Container Platform 3.5 returns an error on Play 11/28 (Disable excluders)
1449220 - [3.4] openshift_pkg_version doesn't seem to work
1449221 - [3.3] openshift_pkg_version doesn't seem to work
1450018 - CVE-2017-7481 ansible: Security issue with lookup return not tainting the jinja2 environment
1450412 - [3.4] Installing containerized using the 3.4 playbooks may install other versions
1450415 - [3.3] Installing containerized using the 3.3 playbooks may install other versions

6. Package List:

Red Hat OpenShift Container Platform 3.2:

Source:
ansible-2.2.3.0-1.el7.src.rpm
openshift-ansible-3.2.56-1.git.0.b844ab7.el7.src.rpm

noarch:
ansible-2.2.3.0-1.el7.noarch.rpm
atomic-openshift-utils-3.2.56-1.git.0.b844ab7.el7.noarch.rpm
openshift-ansible-3.2.56-1.git.0.b844ab7.el7.noarch.rpm
openshift-ansible-docs-3.2.56-1.git.0.b844ab7.el7.noarch.rpm
openshift-ansible-filter-plugins-3.2.56-1.git.0.b844ab7.el7.noarch.rpm
openshift-ansible-lookup-plugins-3.2.56-1.git.0.b844ab7.el7.noarch.rpm
openshift-ansible-playbooks-3.2.56-1.git.0.b844ab7.el7.noarch.rpm
openshift-ansible-roles-3.2.56-1.git.0.b844ab7.el7.noarch.rpm

Red Hat OpenShift Container Platform 3.3:

Source:
ansible-2.2.3.0-1.el7.src.rpm
openshift-ansible-3.3.82-1.git.0.af0c922.el7.src.rpm

noarch:
ansible-2.2.3.0-1.el7.noarch.rpm
atomic-openshift-utils-3.3.82-1.git.0.af0c922.el7.noarch.rpm
openshift-ansible-3.3.82-1.git.0.af0c922.el7.noarch.rpm
openshift-ansible-callback-plugins-3.3.82-1.git.0.af0c922.el7.noarch.rpm
openshift-ansible-docs-3.3.82-1.git.0.af0c922.el7.noarch.rpm
openshift-ansible-filter-plugins-3.3.82-1.git.0.af0c922.el7.noarch.rpm
openshift-ansible-lookup-plugins-3.3.82-1.git.0.af0c922.el7.noarch.rpm
openshift-ansible-playbooks-3.3.82-1.git.0.af0c922.el7.noarch.rpm
openshift-ansible-roles-3.3.82-1.git.0.af0c922.el7.noarch.rpm

Red Hat OpenShift Container Platform 3.4:

Source:
ansible-2.2.3.0-1.el7.src.rpm
openshift-ansible-3.4.89-1.git.0.ac29ce8.el7.src.rpm

noarch:
ansible-2.2.3.0-1.el7.noarch.rpm
atomic-openshift-utils-3.4.89-1.git.0.ac29ce8.el7.noarch.rpm
openshift-ansible-3.4.89-1.git.0.ac29ce8.el7.noarch.rpm
openshift-ansible-callback-plugins-3.4.89-1.git.0.ac29ce8.el7.noarch.rpm
openshift-ansible-docs-3.4.89-1.git.0.ac29ce8.el7.noarch.rpm
openshift-ansible-filter-plugins-3.4.89-1.git.0.ac29ce8.el7.noarch.rpm
openshift-ansible-lookup-plugins-3.4.89-1.git.0.ac29ce8.el7.noarch.rpm
openshift-ansible-playbooks-3.4.89-1.git.0.ac29ce8.el7.noarch.rpm
openshift-ansible-roles-3.4.89-1.git.0.ac29ce8.el7.noarch.rpm

Red Hat OpenShift Container Platform 3.5:

Source:
ansible-2.2.3.0-1.el7.src.rpm
openshift-ansible-3.5.71-1.git.0.128c2db.el7.src.rpm

noarch:
ansible-2.2.3.0-1.el7.noarch.rpm
atomic-openshift-utils-3.5.71-1.git.0.128c2db.el7.noarch.rpm
openshift-ansible-3.5.71-1.git.0.128c2db.el7.noarch.rpm
openshift-ansible-callback-plugins-3.5.71-1.git.0.128c2db.el7.noarch.rpm
openshift-ansible-docs-3.5.71-1.git.0.128c2db.el7.noarch.rpm
openshift-ansible-filter-plugins-3.5.71-1.git.0.128c2db.el7.noarch.rpm
openshift-ansible-lookup-plugins-3.5.71-1.git.0.128c2db.el7.noarch.rpm
openshift-ansible-playbooks-3.5.71-1.git.0.128c2db.el7.noarch.rpm
openshift-ansible-roles-3.5.71-1.git.0.128c2db.el7.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2017-7466
https://access.redhat.com/security/cve/CVE-2017-7481
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is .
More contact details at https://access.redhat.com/security/team/contact/

Copyright 2017 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFZHIsFXlSAg2UNWIIRAuB1AJ9F/QzE7KWxmeObPZ4D1cr+b+kEDACghefR
WrXYiGid1xP2VEDz+gniRjk=
=Z/cV
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
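Editor's note on the two security fixes in section 3. CVE-2017-7466 and CVE-2017-7481 share one mechanism: a string that arrived from an untrusted source (facts returned by a managed host, or the output of a lookup() call whose input an attacker controls) is later handed to the Jinja2 templater a second time, so template syntax embedded in it is evaluated on the control node, where lookup('pipe', ...) and friends run commands with the control node's privileges. Ansible's fix is to wrap such values in an "unsafe" marker type (AnsibleUnsafeText) that the templater inserts verbatim instead of re-rendering. The Python below is an added model of that mechanism, not code from the advisory, from Ansible, or from openshift-ansible: the templater, the lookup plugins, the file contents and the fact values are all constructed stand-ins, and UnsafeText only plays the role of Ansible's marker class.

```python
"""Model of Ansible's double-templating flaw and its unsafe-marker fix.

Added example; the templater and lookups are toys, not Ansible's code.
"""
import re

TEMPLATE_RE = re.compile(r"\{\{\s*(.*?)\s*\}\}")
LOOKUP_RE = re.compile(r"lookup\(\s*'(\w+)'\s*,\s*'([^']*)'\s*\)")


class UnsafeText(str):
    """Marker: a string the templater must insert verbatim, never evaluate.
    Stand-in for Ansible's AnsibleUnsafeText (model only)."""


def mark_unsafe(value):
    """Recursively mark everything that arrived from an untrusted source."""
    if isinstance(value, str):
        return UnsafeText(value)
    if isinstance(value, dict):
        return {k: mark_unsafe(v) for k, v in value.items()}
    if isinstance(value, list):
        return [mark_unsafe(v) for v in value]
    return value


# Constructed stand-ins for lookup plugins. A real 'pipe' lookup runs a shell
# command on the control node; this one only records what would have run.
EXECUTED = []
# Constructed file content, as if an attacker could write this path.
FILES = {"/srv/motd": "{{ lookup('pipe', 'cat /root/.ssh/id_rsa') }}"}


def toy_lookup(name, arg, wrap_results):
    if name == "pipe":
        EXECUTED.append(arg)
        result = "<output of %s>" % arg
    elif name == "file":
        result = FILES[arg]
    else:
        raise KeyError(name)
    # The CVE-2017-7481 fix: lookup() output is data, not template source.
    return mark_unsafe(result) if wrap_results else result


def evaluate(expr, variables, wrap_results):
    """Evaluate one {{ ... }} body: a lookup() call or a dotted variable path."""
    m = LOOKUP_RE.fullmatch(expr)
    if m:
        return toy_lookup(m.group(1), m.group(2), wrap_results)
    value = variables
    for part in expr.split("."):
        value = value[part]
    return value


def render(text, variables, wrap_results=True, depth=0):
    """Expand {{ ... }} in text. Plain str values are templated again
    (lazy variable templating); UnsafeText values are inserted verbatim."""
    if depth > 10:
        raise RecursionError("template nesting too deep")

    def substitute(match):
        value = evaluate(match.group(1), variables, wrap_results)
        if isinstance(value, str) and not isinstance(value, UnsafeText):
            return render(value, variables, wrap_results, depth + 1)
        return str(value)

    return TEMPLATE_RE.sub(substitute, text)


def facts_attack(marked):
    """CVE-2017-7466 model: a managed host returns a fact holding template syntax.
    marked=False is the vulnerable behaviour, marked=True the fixed one."""
    EXECUTED.clear()
    facts = {"ansible_hostname": "{{ lookup('pipe', 'id > /tmp/pwned') }}"}
    if marked:
        facts = mark_unsafe(facts)
    out = render("Configuring {{ ansible_hostname }}", facts)
    return out, list(EXECUTED)


def lookup_attack(wrap_results):
    """CVE-2017-7481 model: lookup('file') returns attacker-controlled content.
    wrap_results=False is the vulnerable behaviour, True the fixed one."""
    EXECUTED.clear()
    out = render("MOTD: {{ lookup('file', '/srv/motd') }}", {}, wrap_results)
    return out, list(EXECUTED)


if __name__ == "__main__":
    print("facts, unmarked  :", facts_attack(False))
    print("facts, marked    :", facts_attack(True))
    print("lookup, unwrapped:", lookup_attack(False))
    print("lookup, wrapped  :", lookup_attack(True))
```

In the unmarked and unwrapped runs the recorded command list is non-empty: the hostile fact and the hostile file content were both executed as a template on the "control node". With the marker in place the same strings pass through untouched, which is why the advisory's bug 1450018 describes the fix as tainting lookup returns. The recursion limit is a plain defensive choice for the toy, not something the advisory describes.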
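A check for section 4: after `yum update atomic-openshift-utils`, confirm on each installer host that the installed ansible, atomic-openshift-utils and openshift-ansible packages are at or above the versions in section 6 for the OCP minor release in use. The script below is an added example, not a Red Hat tool; it takes the output of `rpm -q --qf '%{NAME} %{VERSION} %{RELEASE}\n' ansible atomic-openshift-utils openshift-ansible` on standard input (the sample output embedded here is constructed), and reimplements rpm's label comparison rules (digit runs compared numerically, letter runs lexically, a digit segment beats a letter segment, `~` sorts before anything, the label with segments left over wins) so that it runs without the rpm binary. It assumes no epoch is set on these packages, which matches the file names in the package list.

```python
"""Compare installed package EVRs with the fixed versions in RHSA-2017:1244.

Added example, not part of the advisory. Assumes no epoch on the packages.
"""
import re
import sys

# Fixed version-release per OCP minor release, copied from section 6.
FIXED = {
    "3.2": {"ansible": "2.2.3.0-1.el7",
            "atomic-openshift-utils": "3.2.56-1.git.0.b844ab7.el7",
            "openshift-ansible": "3.2.56-1.git.0.b844ab7.el7"},
    "3.3": {"ansible": "2.2.3.0-1.el7",
            "atomic-openshift-utils": "3.3.82-1.git.0.af0c922.el7",
            "openshift-ansible": "3.3.82-1.git.0.af0c922.el7"},
    "3.4": {"ansible": "2.2.3.0-1.el7",
            "atomic-openshift-utils": "3.4.89-1.git.0.ac29ce8.el7",
            "openshift-ansible": "3.4.89-1.git.0.ac29ce8.el7"},
    "3.5": {"ansible": "2.2.3.0-1.el7",
            "atomic-openshift-utils": "3.5.71-1.git.0.128c2db.el7",
            "openshift-ansible": "3.5.71-1.git.0.128c2db.el7"},
}

# Constructed sample of `rpm -q --qf '%{NAME} %{VERSION} %{RELEASE}\n' ...`
# on a 3.5 installer host that has not yet applied the update.
SAMPLE_RPM_OUTPUT = """\
ansible 2.2.2.0 1.el7
atomic-openshift-utils 3.5.71 1.git.0.128c2db.el7
"""


def _segments(label):
    """rpm comparison segments: digit runs, letter runs and '~'; anything
    else is a separator."""
    return re.findall(r"[0-9]+|[a-zA-Z]+|~", label)


def rpmvercmp(a, b):
    """Return -1, 0 or 1 following rpm's version/release label ordering."""
    sa, sb = _segments(a), _segments(b)
    while sa or sb:
        x = sa[0] if sa else None
        y = sb[0] if sb else None
        if x == "~" or y == "~":          # '~' (pre-release) is older than anything
            if x == y:
                sa.pop(0)
                sb.pop(0)
                continue
            return -1 if x == "~" else 1
        if x is None or y is None:        # one label exhausted
            break
        sa.pop(0)
        sb.pop(0)
        xnum, ynum = x.isdigit(), y.isdigit()
        if xnum != ynum:                  # numeric segment is newer than alphabetic
            return 1 if xnum else -1
        if xnum:
            x, y = x.lstrip("0"), y.lstrip("0")
            if len(x) != len(y):          # longer number (sans leading zeros) is bigger
                return 1 if len(x) > len(y) else -1
        if x != y:
            return 1 if x > y else -1
    if not sa and not sb:
        return 0
    return 1 if sa else -1                # whichever has segments left wins


def evr_cmp(a, b):
    """Compare 'version-release' strings; version first, then release."""
    va, ra = a.split("-", 1)
    vb, rb = b.split("-", 1)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def check_host(rpm_output, ocp_version):
    """Map package name -> (installed, fixed, is_fixed) for one host.
    A package that is not installed at all is reported as not fixed."""
    installed = {}
    for line in rpm_output.splitlines():
        if line.strip():
            name, version, release = line.split()
            installed[name] = "%s-%s" % (version, release)
    report = {}
    for name, fixed in FIXED[ocp_version].items():
        have = installed.get(name)
        report[name] = (have, fixed, have is not None and evr_cmp(have, fixed) >= 0)
    return report


if __name__ == "__main__":
    ocp = sys.argv[1] if len(sys.argv) > 1 else "3.5"
    data = "" if sys.stdin.isatty() else sys.stdin.read()
    if not data.strip():
        data = SAMPLE_RPM_OUTPUT
    for name, (have, fixed, ok) in sorted(check_host(data, ocp).items()):
        print("%-6s %-24s installed=%s fixed=%s" % ("OK" if ok else "UPDATE", name, have, fixed))
```

Usage on a host: `rpm -q --qf '%{NAME} %{VERSION} %{RELEASE}\n' ansible atomic-openshift-utils openshift-ansible | python check_rhsa_2017_1244.py 3.4` (the script name is an assumption). Anything reported as UPDATE has not received this erratum. Note that the `yum update` in section 4 is run on installer hosts only; the packages in this advisory are not installed on cluster nodes.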