RHEL 7 : Red Hat OpenShift Container Platform 3.10 (RHSA-2018:2709)

high Nessus Plugin ID 119405

Synopsis

The remote Red Hat host is missing one or more security updates for Red Hat OpenShift Container Platform 3.10.

Description

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2018:2709 advisory.

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the RPM packages for Red Hat OpenShift Container Platform 3.10.66. See the following advisory for the container images for this release:

https://access.redhat.com/errata/RHBA-2018:2824

Security Fix(es):

* atomic-openshift: oc patch with json causes masterapi service crash (CVE-2018-14632)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Red Hat would like to thank Lars Haugan for reporting this issue.

All OpenShift Container Platform 3.10 users are advised to upgrade to these updated packages and images.

Bug Fix(es):

* During etcd scaleup, facts about the etcd cluster are required to add new hosts. This bug fix adds the necessary tasks to ensure those facts get set before configuring new hosts, and therefore, allow the scaleup to complete as expected. (BZ#1578482)

* Previously, sync pod was not available when the Prometheus install checked for available nodes. As a consequence, if a custom label was used for the Prometheus install to select an appropriate node, the sync pods must have already applied the label to the nodes. Otherwise, the Prometheus installer would not find any nodes with a matching label. This bug fix adds a check to the install process to wait for sync pods to become available before continuing. As a result, the node labeling process will complete, and the nodes will have the correct labels for the Prometheus pod to be scheduled. (BZ#1609019)

* This bug fix corrects an issue where a pod is stuck terminating due to I/O errors on a FlexVolume mounted on the XFS file system. (BZ#1626054)

* Previously, fluentd generated events internally with the `OneEventStream` class. This class does not have the `empty?` method. The Kubernetes metadata filter used the `empty?` method on the `EventStream` object to avoid processing an empty stream. Fluentd issued error messages about the missing `empty?` method, which overwhelmed container logging and caused disk issues. This bug fix changed the Kubernetes metadata filter only to call the `empty?` method on objects that have this method. As a result, fluentd logs do not contain this message. (BZ#1626552)

* RubyGems FFI 1.9.25 reverted a patch which allowed it to work on systems with `SELinux deny_execmem=1`.
This reversion caused fluentd to crash. This bug reverts the patch reversion. As a result, fluentd does not crash when using `SELinux deny_execmem=1`. (BZ#1628405)

* This bug fix updates the *_redeploy-openshift-ca.yml_* playbook to reference the correct node client certificate file, `node/client-ca.crt`. (BZ#1628546)

* The fix for BZ1628371 introduced a poorly built shared library with a missing symbol. This missing symbol caused fluentd to crash with an undefined symbol: rbffi_Closure_Alloc error message. This bug fix rebuilds the shared library with the correct symbols. As a result, fluentd does not crash. (BZ#1628798)

* Previously, when using Docker with the journald log driver, all container logs, including system and plain Docker container logs, were logged to the journal, and read by fluentd. Fluentd did not know how to handle these non-Kubernetes container logs and threw exceptions. This bug fix treats non-Kubernetes container logs as logs from other system services, for example, sending them to the .operations.* index.
As a result, logs from non-Kubernetes containers are indexed correctly and do not cause any errors. (BZ#1632361)

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the RHEL Red Hat OpenShift Container Platform 3.10 package based on the guidance in RHSA-2018:2709.

See Also

http://www.nessus.org/u?dab2ee9b

https://access.redhat.com/errata/RHSA-2018:2709

https://access.redhat.com/security/updates/classification/#important

https://bugzilla.redhat.com/show_bug.cgi?id=1577955

https://bugzilla.redhat.com/show_bug.cgi?id=1578482

https://bugzilla.redhat.com/show_bug.cgi?id=1594187

https://bugzilla.redhat.com/show_bug.cgi?id=1608476

https://bugzilla.redhat.com/show_bug.cgi?id=1609019

https://bugzilla.redhat.com/show_bug.cgi?id=1609703

https://bugzilla.redhat.com/show_bug.cgi?id=1614414

https://bugzilla.redhat.com/show_bug.cgi?id=1615327

https://bugzilla.redhat.com/show_bug.cgi?id=1619886

https://bugzilla.redhat.com/show_bug.cgi?id=1623602

https://bugzilla.redhat.com/show_bug.cgi?id=1625885

https://bugzilla.redhat.com/show_bug.cgi?id=1625911

https://bugzilla.redhat.com/show_bug.cgi?id=1626054

https://bugzilla.redhat.com/show_bug.cgi?id=1626552

https://bugzilla.redhat.com/show_bug.cgi?id=1627764

https://bugzilla.redhat.com/show_bug.cgi?id=1628405

https://bugzilla.redhat.com/show_bug.cgi?id=1628546

https://bugzilla.redhat.com/show_bug.cgi?id=1628798

https://bugzilla.redhat.com/show_bug.cgi?id=1628964

https://bugzilla.redhat.com/show_bug.cgi?id=1629579

https://bugzilla.redhat.com/show_bug.cgi?id=1631021

https://bugzilla.redhat.com/show_bug.cgi?id=1631449

https://bugzilla.redhat.com/show_bug.cgi?id=1632361

https://bugzilla.redhat.com/show_bug.cgi?id=1632418

https://bugzilla.redhat.com/show_bug.cgi?id=1632862

https://bugzilla.redhat.com/show_bug.cgi?id=1632863

https://bugzilla.redhat.com/show_bug.cgi?id=1632865

https://bugzilla.redhat.com/show_bug.cgi?id=1633571

https://bugzilla.redhat.com/show_bug.cgi?id=1638519

https://bugzilla.redhat.com/show_bug.cgi?id=1638521

https://bugzilla.redhat.com/show_bug.cgi?id=1638525

https://bugzilla.redhat.com/show_bug.cgi?id=1638899

https://bugzilla.redhat.com/show_bug.cgi?id=1642052

Plugin Details

Severity: High

ID: 119405

File Name: redhat-RHSA-2018-2709.nasl

Version: 1.11

Type: local

Agent: unix

Published: 12/4/2018

Updated: 11/5/2024

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.4

Vendor

Vendor Severity: Important

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS Score Source: CVE-2018-14645

CVSS v3

Risk Factor: High

Base Score: 7.7

Temporal Score: 6.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS Score Source: CVE-2018-14632

Vulnerability Information

CPE: p-cpe:/a:redhat:enterprise_linux:atomic-openshift-master, p-cpe:/a:redhat:enterprise_linux:haproxy, cpe:/o:redhat:enterprise_linux:7, p-cpe:/a:redhat:enterprise_linux:haproxy18, p-cpe:/a:redhat:enterprise_linux:atomic-openshift-clients-redistributable, p-cpe:/a:redhat:enterprise_linux:atomic-openshift-docker-excluder, p-cpe:/a:redhat:enterprise_linux:atomic-openshift-excluder, p-cpe:/a:redhat:enterprise_linux:atomic-openshift-hyperkube, p-cpe:/a:redhat:enterprise_linux:atomic-openshift-template-service-broker, p-cpe:/a:redhat:enterprise_linux:atomic-openshift-hypershift, p-cpe:/a:redhat:enterprise_linux:atomic-openshift-pod, p-cpe:/a:redhat:enterprise_linux:atomic-openshift-clients, p-cpe:/a:redhat:enterprise_linux:atomic-openshift-node, p-cpe:/a:redhat:enterprise_linux:atomic-openshift-sdn-ovs, p-cpe:/a:redhat:enterprise_linux:atomic-openshift, p-cpe:/a:redhat:enterprise_linux:atomic-openshift-tests

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu

Exploit Ease: No known exploits are available

Patch Publication Date: 11/11/2018

Vulnerability Publication Date: 9/6/2018

Reference Information

CVE: CVE-2018-14632, CVE-2018-14645

CWE: 125, 787

RHSA: 2018:2709