Synopsis
Important: ansible and openshift-ansible security and bug fix update
Type/Severity
Security Advisory: Important
Topic
An update for ansible and openshift-ansible is now available for Red Hat OpenShift Container Platform 3.2, Red Hat OpenShift Container Platform 3.3, and Red Hat OpenShift Container Platform 3.4.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
Red Hat OpenShift Container Platform is the company's cloud computing Platform-as-a-Service (PaaS) solution designed for on-premise or private cloud deployments.
Ansible is a SSH-based configuration management, deployment, and task execution system. The openshift-ansible packages contain Ansible code and playbooks for installing and upgrading OpenShift Container Platform 3.
Security Fix(es):
- An input validation vulnerability was found in Ansible's handling of data sent from client systems. An attacker with control over a client system being managed by Ansible and the ability to send facts back to the Ansible server could use this flaw to execute arbitrary code on the Ansible server using the Ansible server privileges. (CVE-2016-9587)
Bug Fix(es):
Space precludes documenting all of the non-security bug fixes in this advisory. See the relevant OpenShift Container Platform Release Notes linked to in the References section, which will be updated shortly for this release.
Solution
Before applying this update, make sure all previously released errata relevant to your system have been applied.
To apply this update, run the following on all hosts where you intend to initiate Ansible-based installation or upgrade procedures:
# yum update atomic-openshift-utils
This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at:
https://access.redhat.com/articles/11258
Affected Products
-
Red Hat OpenShift Container Platform 3.4 x86_64
-
Red Hat OpenShift Container Platform 3.3 x86_64
-
Red Hat OpenShift Container Platform 3.2 x86_64
Fixes
- BZ - 1379189 - [3.2] ansible sometimes gets UNREACHABLE error after iptables restarted
- BZ - 1388016 - [3.3] The insecure-registry address was removed during upgrade
- BZ - 1389263 - [3.4] the summary of json report should include total/ok number after certificate expiry check
- BZ - 1393000 - [3.3] Ansible upgrade from 3.2 to 3.3 fails
- BZ - 1404378 - CVE-2016-9587 Ansible: Compromised remote hosts can lead to running commands on the Ansible controller
- BZ - 1414276 - [3.3] Installer is failing when `ansible_user` is set to Windows Login which requires dom\user format
- BZ - 1415067 - [3.2]Installer should persist net.ipv4.ip_forward
- BZ - 1416926 - [3.3] ansible sometimes gets UNREACHABLE error after iptables restarted
- BZ - 1416927 - [3.4] ansible sometimes gets UNREACHABLE error after iptables restarted
- BZ - 1417680 - [3.2] Backport openshift_certificate_expiry role
- BZ - 1417681 - [3.4] Backport openshift_certificate_expiry role
- BZ - 1417682 - [3.3] Backport openshift_certificate_expiry role
- BZ - 1419493 - [3.4] Installer pulls in 3.3 registry-console image
- BZ - 1419533 - [3.2]Installation on node failed when creating node config
- BZ - 1419654 - [3.4] Containerized advanced installation fails due to missing CA certificate /etc/origin/master/ca.crt
- BZ - 1420393 - [3.4] conntrack executable not found on $PATH during cluster horizontal run
- BZ - 1420395 - [3.3] conntrack executable not found on $PATH during cluster horizontal run
- BZ - 1421053 - [quick installer 3.4] quick installer failed due to a python method failure
- BZ - 1421059 - [quick installer 3.2]quick installer failed due to a python method failure
- BZ - 1421061 - [quick installer 3.3]quick installer failed due to a python method failure
- BZ - 1421860 - [3.4] Metrics Resolution of Heapster Image Should be 30s to Match cAdvisor
- BZ - 1422361 - [3.4] Advanced installer fails if python-six not available
- BZ - 1426705 - [3.4] Installer is failing when `ansible_user` is set to Windows Login which requires dom\user format
CVEs
References
Vulmon