Moderate: Red Hat OpenShift Container Platform 3.7 security, bug, and enhancement update

Related Vulnerabilities: CVE-2017-12195

Synopsis

Moderate: Red Hat OpenShift Container Platform 3.7 security, bug, and enhancement update

Type/Severity

Security Advisory: Moderate

Topic

An update is now available for Red Hat OpenShift Container Platform 3.7.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat OpenShift Container Platform is the company's cloud computing Platform-as-a-Service (PaaS) solution designed for on-premise or private cloud deployments.

The OpenShift Container Platform 3.7 Release Notes, linked from the References section, provide information about new features, bug fixes, and known issues.

This advisory contains the RPM packages for this release. An advisory for the container images for this release is available at: https://access.redhat.com/errata/RHEA-2017:3187.

Security Fix(es):

  • An attacker who knows the given name used to authenticate and access Elasticsearch can later access it without the token, bypassing authentication. This attack also requires that Elasticsearch be configured with an external route, and the data accessed is limited to the indices. (CVE-2017-12195)

Red Hat would like to thank Rich Megginson for reporting this issue.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258

For instructions on new installations, see the following documentation:
https://docs.openshift.com/container-platform/3.7/install_config/install/planning.html

For instructions on how to properly upgrade existing clusters to OpenShift Container Platform 3.7, see the following documentation:
https://docs.openshift.com/container-platform/3.7/install_config/upgrading/index.html

Affected Products

  • Red Hat OpenShift Container Platform 3.7 x86_64

Fixes

  • BZ - 1270436 - Could not log in when client clock is > 5 minutes ahead of server clock
  • BZ - 1292507 - pod terminal does not support 3rd level characters
  • BZ - 1316364 - Auto completion does not work normally when command name is prefixed with path
  • BZ - 1328913 - Long running reliability tests show network errors on nodes
  • BZ - 1356478 - Openshift need update the output error message when try re-format the volume
  • BZ - 1372059 - Dynamic provisioned volumes fail in AWS due to incorrect zone
  • BZ - 1373418 - [atomic registry]Should give more detail info when creating Project and Image Stream with invalid name
  • BZ - 1375134 - Navigation bar can not roll down when user zoom in till it cross over the screen boundary
  • BZ - 1386917 - Deleting an image should allow references to the image to be deleted from imagestreamtags
  • BZ - 1395564 - Unneeded spaces when copying content from terminal in web console
  • BZ - 1401831 - docker-registry can't fetch requested blob from a remote registry when OpenShift is behind proxy
  • BZ - 1410288 - DNSMasq and NetworkManager scripts cause boot issues with network resources
  • BZ - 1413147 - Size of the emitted data exceeds buffer_chunk_limit
  • BZ - 1415297 - Metrics does not install with cloud-provider and dynamic storage
  • BZ - 1420543 - The --ports flag does not modify dc environment variables
  • BZ - 1422049 - EmptyDir could lead to memory exhaustion
  • BZ - 1427227 - Fix controller panic in creating pod event
  • BZ - 1427992 - replicationcontrollers - not yet ready to handle request; Current resource version
  • BZ - 1428991 - Reordering issue on environment tab dc/bc page
  • BZ - 1430484 - Upgrade from 3.3 to 3.4, Insufficient Pods
  • BZ - 1430651 - Not able to set elasticsearch minimum heap size
  • BZ - 1430661 - RFE: Add metricsPublicURL into master-config during ansible deployment for metrics
  • BZ - 1432607 - Elasticsearch no longer logging to a local file in a pod
  • BZ - 1433236 - [vSphere] Unable to restart atomic-openshift-node, node ip conflicts with cluster network
  • BZ - 1435144 - [Intservice_public_324] Logging upgrade from 3.4.1 to 3.5.0 failed because "No Elasticsearch pods found running. Cannot update common data model."
  • BZ - 1435781 - Router Metrics needs to use image shipped by Red Hat
  • BZ - 1436093 - oc binary for MAC is not signed
  • BZ - 1436841 - Concurrent build registry push hangs - baremetal cluster with CNS Gluster registry storage
  • BZ - 1440620 - The help info of clear route status script need to be more specific
  • BZ - 1441028 - Can't prune the external image
  • BZ - 1441062 - Image Identifier is null
  • BZ - 1442875 - Build stuck in Running status
  • BZ - 1443163 - Failed to push image error at the end of the build when creating an application from a template
  • BZ - 1444367 - ansible doesn't allow to set challenge true for Openid and gitlab
  • BZ - 1445053 - Fluentd logger is unable to keep up with high amounts of logs from containers running on node.
  • BZ - 1445425 - Visualization errors with multiple indices
  • BZ - 1445797 - journald docker driver, rate limiting across all containers is silently dropping messages.
  • BZ - 1448595 - oadm prune command fails with TLS issues after adding --confirm
  • BZ - 1448816 - Should add 'projected' in scc/restricted volume policy by default
  • BZ - 1449608 - Got error message when using `oc get storageclass storageclass_name`
  • BZ - 1449812 - Update installer example hosts file
  • BZ - 1449820 - Pod STATUS field is showing actual error message
  • BZ - 1450337 - [platformmanagement_public_788]Can't remove any signature from the image
  • BZ - 1451023 - Changes to the default clusterNetworkCIDR & hostSubnetLength via installer does not take in account old default value when adding new master.
  • BZ - 1451209 - [Performance issue]hawkular-cassandra pool is busy, there is no available connection and the queue has reached its max size 256
  • BZ - 1451403 - Integrate .Net Core 2.0 Jenkins slave
  • BZ - 1451769 - Image and Container GC failing at set thresholds
  • BZ - 1451881 - headless services causes SDN initialization failure for master-controllers when network change.
  • BZ - 1451910 - [doc] Service is not blocked by dns egress policy rule
  • BZ - 1452206 - Constant short buffer/very short watch error messages for ClusterRoleBinding, ClusterRole and Role
  • BZ - 1452214 - registry-console not starting - dc points to openshift3/registry-console:3.6, actual image is openshift3/registry-console:v3.6
  • BZ - 1453113 - all veth cannot be recovered after restarting openvswitch service
  • BZ - 1453190 - Isolate the network still can be accessed for the project which already make network global
  • BZ - 1454239 - golang 1.8 performance regression in net/http affecting kubernetes scale
  • BZ - 1454535 - modifying project name in template doesn't work
  • BZ - 1454550 - After create imagestream the usage num of 'openshift.io/imagestreams' will double counted
  • BZ - 1454601 - Provision PV in zone other than master failed with error "disk is not found" while disk exists
  • BZ - 1454858 - [paid][free][online-int][starter-us-east-1] Registry liveness probe failures for http2: no cached connection was available
  • BZ - 1455115 - oc run valid image by dry run flag raises mess error
  • BZ - 1455650 - If authentication receives an error it overwrites the message with simply "State is Invalid"
  • BZ - 1455836 - Upgrades fail due to slow reboots causing timeouts
  • BZ - 1456584 - EFK fails when used with Active Directory authentication user with slashes and comma
  • BZ - 1457092 - [3.6][Cinder] Dynamic provision failed when zone is not specified in the StorageClass
  • BZ - 1458663 - HPA V1 unable to get metrics for resource cpu
  • BZ - 1458849 - Deny 0.0.0.0/0 blocks all DNS resolution to local nameserver
  • BZ - 1459430 - ES Pod failed to start up if set openshift_logging_es_cluster_size as non-default value
  • BZ - 1459826 - init-containers with resource requests/limits got error
  • BZ - 1459960 - ipfailover keepalived image lacks IP Address validation
  • BZ - 1460145 - [ursxF5mB]The message of forbidden without assign permission to create templateinstance could be more friendly
  • BZ - 1460153 - Overview page Application's drop-down menu partly hides when deployment is running
  • BZ - 1460167 - [free-int] Access 'View Quota' link will prompt error
  • BZ - 1460564 - Change the Elasticsearch setting "node.max_local_storage_nodes" to 1 to prevent sharing EBS volumes
  • BZ - 1460749 - Data loss of logs can occur if fluentd pod is terminated/restarted when Elasticsearch is unavailable
  • BZ - 1460930 - docker is using a new configure file to defined registries
  • BZ - 1461208 - [RFE] Allow project administrators to manage networkpolicies in their own projects
  • BZ - 1461466 - The router does not do a case-insensitive match of a hostname
  • BZ - 1462397 - EnsureLoadBalancer is spammy in large clusters
  • BZ - 1462445 - Useless log messages from AWS API calls
  • BZ - 1462781 - [trello RXZJJKAK] "From" shows "pushed image" for tagged image in imagestream page
  • BZ - 1463499 - app's dc is pulling image from registry by IP but not by DNS.
  • BZ - 1463570 - [PFfBJOsO]Only one annotation returns when both expose and base64-expose annotations are defined in template per bind request
  • BZ - 1463574 - Node system container failed to start due to "failed to run Kubelet: failed to create kubelet: mkdir /var/lib/dockershim: read-only file system"
  • BZ - 1463798 - Stale APBs present in ASB after bootstrap
  • BZ - 1464020 - Kibana-proxy gets OOMKilled
  • BZ - 1464025 - pre_upgrade checking failed for upgrades/etcd/noop.yml does not exist
  • BZ - 1464222 - Ansible Service Broker requiring environment variables which should be optional
  • BZ - 1464349 - Kibana deployment config error
  • BZ - 1464653 - Nodes becomes NotReady, when status update connection is dropped/severed to master, causing node to wait on 15min default net/http timeout before trying again.
  • BZ - 1464871 - hawkular-openshift-agent-configmap.yaml should be changed since there is no hawkular-metrics-certificate secret in Metrics 3.6.0
  • BZ - 1465168 - mux doesn't recognize ansible boolean parameters correctly
  • BZ - 1465304 - [trello EVOHdIMU] avoid to add path (sub-folder) in front of the vserver name if have specified custom partition and path
  • BZ - 1465361 - Failed to watch networking object api errors appear in the master log
  • BZ - 1465572 - [RFE] allow to set TLS cipher suite for the router
  • BZ - 1465713 - Traceback info in curator pod's log
  • BZ - 1465722 - Master is enforced to find neutron LBaaS extension when openstack cloud provider is enabled
  • BZ - 1465801 - Some events record in ocp36 is different from ocp35
  • BZ - 1465987 - [RFE] Change preemption strategy for keepalived failover ip
  • BZ - 1466031 - Ansible Service Broker does not work against pulp crane 2.13
  • BZ - 1466133 - router pod cannot be running when set the stats-port to 0
  • BZ - 1466152 - Json-file log driver: Neither "openshift_logging_fluentd_use_journal=false" nor omitted collects the log entries
  • BZ - 1466239 - Restart master service could not fix the invalid hostip in hostsubnet
  • BZ - 1466249 - [glusterfs] Improve error messaging for failed volume mount
  • BZ - 1466403 - Prevent internet connections by default
  • BZ - 1466636 - node can not be started for Unit kubepods-burstable.slice already exists
  • BZ - 1466671 - oc patch always returns "patched" even if it doesn't do anything
  • BZ - 1466933 - Spam to API server is causing too many etcd writes
  • BZ - 1467006 - Merge tests for router doing a case-insensitive match of a hostname
  • BZ - 1467257 - stats disappeared in haproxy router
  • BZ - 1467265 - Logging uninstall does not remove PVC
  • BZ - 1467776 - .svc should be added to no_proxy list by default
  • BZ - 1467790 - Start and enable node failed due to node has 64 characters hostname
  • BZ - 1467905 - Null pointer dereference when we get bad data
  • BZ - 1467948 - Service Broker Installer not setting correct config values
  • BZ - 1467963 - There are no Kibana dashboards for container admins
  • BZ - 1468173 - asb need auto bootstrap apb image spec from container catalog
  • BZ - 1468420 - LoadBalancerRR: Removing log spam
  • BZ - 1468579 - Missing Kubernetes Cluster ID tag from openshift cluster resources
  • BZ - 1469001 - [RFE] Allow to specify global default FSType for volumes
  • BZ - 1469401 - Help info of asbd is duplicate and has error
  • BZ - 1469445 - Can't scale up elasticsearch by ansible deployment
  • BZ - 1469448 - Need provide method to update broker status not only recreate
  • BZ - 1469485 - Need to update service account Ansible Service Broker is using for proper permissions
  • BZ - 1469654 - image pruning doesn't work from outside the cluster
  • BZ - 1469918 - The searchguard plugin script is missing in the latest elasticsearch image
  • BZ - 1470003 - oc adm top doesn't work out of the box
  • BZ - 1470350 - A/B deployment seems to round-robin across all pods in multiple services, instead of proportional routing to services
  • BZ - 1470622 - When provision mediawiki success/failed there is no return in catalog console
  • BZ - 1470623 - Need create default tsb-broker if enable service-catalog and template-service-broker in openshift-ansible
  • BZ - 1470628 - service-catalog can't access the template-service-broker by auth
  • BZ - 1470824 - Revisit privileges granted to Service Accounts used by Ansible Service Broker
  • BZ - 1470860 - Ansible Service Broker: Do not create a project if it does not exist.
  • BZ - 1470861 - Ansible Service Broker: Change ServiceAccount to use 'admin' role
  • BZ - 1470976 - Edit Autoscaler page does not show scale up/down button in the input fields in iPad Pro & iPhone Safari.
  • BZ - 1471033 - Sometime get "Failed to list templates/v1(undefined)" error in catalog console
  • BZ - 1471155 - clarify route CA certificate edit field
  • BZ - 1471239 - Cassandra Java heap parameters can configured incorrectly
  • BZ - 1471255 - X-Forwarded-For and related headers send the IPv6 form of the source IPv4 address
  • BZ - 1471630 - [vSphere][containerized] VMDK not unmounted after deleting Pod
  • BZ - 1471707 - exposing docker-registry with a non tls-passthrough route does not work
  • BZ - 1471717 - oc version cannot get openshift version against ansible deployed service catalog env
  • BZ - 1471899 - Addition of new routes slows down considerably with high numbers of routes.
  • BZ - 1471973 - Ansible Service Broker: config needs to specify bootstrap_on_startup: true
  • BZ - 1472224 - AD LDAP sync only users within group with oadm sync command
  • BZ - 1473013 - Metrics can't recover when the commit log is too big
  • BZ - 1473027 - /etc/etcd/etcd.conf file has ETCD_SNAPSHOT_COUNTER but should be ETCD_SNAPSHOT_COUNT
  • BZ - 1473031 - fatal error: concurrent map read and map write
  • BZ - 1473329 - Jobs from Jenkins are not stopped when jenkins build pod is killed
  • BZ - 1473352 - DNSSearchForming: Event Spam
  • BZ - 1473370 - ResourceQuota controller observed making excessive LIST calls at scale
  • BZ - 1473512 - Pod chart display was out of the border on overviewpage in IE 11
  • BZ - 1473523 - Got "500 Internal Server Error" when watch bindings and instances of apigroup servicecatalog.k8s.io
  • BZ - 1473538 - Failed to deploy jenkins pod on an Overlay2 openshift cluster
  • BZ - 1473589 - Install CRS failed due to installer change the iptables rules of external glusterfs cluster
  • BZ - 1473615 - Catalog items icons display too much spacing on web console homepage in IE
  • BZ - 1473770 - Cinder volume not attaching to the Pod
  • BZ - 1473777 - Hang during oadm drain node
  • BZ - 1473858 - Installer does not configure flannel correctly for openstack installs.
  • BZ - 1474441 - controller-manager panic/crash on volume verification
  • BZ - 1474599 - Default value of openshift_storageclass_provisioner is wrong
  • BZ - 1474630 - Install CRS as docker registry storage failed due to AnsibleUndefinedVariable error
  • BZ - 1474715 - Failed to start Kibana pod, permission denied to run run.sh
  • BZ - 1475242 - Device busy - pod volumes not cleaned up and stuck in "Terminating" state
  • BZ - 1475251 - Mediawiki123 deprovision failed.
  • BZ - 1475558 - controller manager spam about PVCs
  • BZ - 1475867 - Running Jenkins Builds Write to API every second
  • BZ - 1475949 - Service Catalog does not poll on async deprovision
  • BZ - 1476134 - The version of service-catalog is UNKNOWN
  • BZ - 1476166 - CLI returned the clusterrole was created, but actually it did not
  • BZ - 1476173 - Delete project can't delete the instance/bindings and other user can get it if have same name project
  • BZ - 1476195 - Deploy metrics via ansible was failed due to clusterrole "hawkular-metrics" was not found
  • BZ - 1477043 - OpenShift Registry console shows duplicate image layers
  • BZ - 1477110 - [trello zoxUAO2w] Cannot place cursor in terminal when text are selected outside
  • BZ - 1477518 - The neighbor cache should be also updated for atomic host env
  • BZ - 1477685 - A/B deployment seems to round-robin across all pods in multiple services, instead of proportional routing to services
  • BZ - 1477716 - SDN should not set net.ipv4.ip_forward
  • BZ - 1477718 - Install mixed CRS environment failed due to glusterfs_heketi_ssh_keyfile didn't copy to first master host
  • BZ - 1477956 - Creating a rolebinding doesn't find the local role due to missing policybinding
  • BZ - 1479289 - Error message failed to show up the first time typing invalid char in input box
  • BZ - 1479533 - [starter-us-east-1] error from yum module during upgrade
  • BZ - 1480312 - Directory permissions are incorrect when using Image Source input
  • BZ - 1480442 - registry-console points to wrong image tag
  • BZ - 1480453 - oc describe cronjobs <name> : Error could not find the requested resource
  • BZ - 1481010 - Jenkins server image, declarative pipeline fails due to missing plugin
  • BZ - 1481147 - oc adm diagnostics gets stuck in disconnected environment
  • BZ - 1481354 - fluentd log is filled up with KubeClient messages when using journal and output queue is full
  • BZ - 1481359 - Cockpit not showing details in the Topology View east panel after you click on one of the diagram nodes. For example, services, containers, routes, replication controllers.
  • BZ - 1482239 - System container install on atomic host - push image to docker registry fails
  • BZ - 1482274 - Missing scaleio volume plugin in openshift
  • BZ - 1482464 - Wrong word 'succesfully' in prompt message
  • BZ - 1482551 - repoquery reports "Check uncompressed DB failed" during openshift-ansible upgrade
  • BZ - 1483923 - CNS deployment fails if default node selector is set
  • BZ - 1483930 - [trello_He2j63p0] Registry hard prune doesn't work with aws s3 storage
  • BZ - 1483931 - Verify_health_checks.yml is not in upgrade_nodes.yml and upgrade_control_plane.yml
  • BZ - 1484095 - REST request log spam is back in OCP 3.7
  • BZ - 1484304 - The excluder packages shouldn't be updated if healthy check failed
  • BZ - 1484324 - The playbook should abort immediately once pre check finish if pre_check failed
  • BZ - 1484475 - Improve error messages for FailedMount
  • BZ - 1484563 - You should not be able to modify metadata.generation in a DC
  • BZ - 1484831 - oadm groups prune does not find groups when using whitelist
  • BZ - 1484899 - Error if FLEX volume plugin doesn't support SELINUX
  • BZ - 1486054 - Installer removes custom configuration from master-config.yaml during upgrade
  • BZ - 1486356 - Build stuck in Running Pod status shows Init:0/2
  • BZ - 1486416 - [free-int] Core file generated by OCP 3.7
  • BZ - 1486623 - Service catalog cannot be installed in v3.7 due to policy change
  • BZ - 1486809 - backport "docker build --network=..." support
  • BZ - 1487245 - 'oc get' with 'projectrequest' output as yaml or json causes panic
  • BZ - 1487408 - Prune Deleted Layer of a Valid Image due to minimum aging
  • BZ - 1487438 - Conntrack table entry is not removed when UDP service is added after single pod was removed and added back
  • BZ - 1487573 - Deploy logging 3.7 via ansible, it failed at "Invalid version specified for Elasticsearch".
  • BZ - 1487665 - oc start-build hangs sometimes
  • BZ - 1487672 - registry-console stuck in crash loop after upgrade from 3.4
  • BZ - 1487959 - Service Catalog fails to install with ovs-multitenant SDN driver enabled.
  • BZ - 1487980 - Install OCP by ansible-2.2.3.0-1.el7 met syntax problem
  • BZ - 1488076 - Logo and docs links on OCP all point to ORIGIN
  • BZ - 1488283 - "oc new-app" doesn't respect git proxy for implicit git process
  • BZ - 1488288 - Pod logs hyperlink for replicaset on Monitoring page has no response after click
  • BZ - 1488366 - Installation fails with the following problem -> The PersistentVolume "BS31369_ocp_registry-volume" is invalid: metadata.name: Invalid value: "XX11111_ocp_registry-volume": a DNS-1123 subdomain must consist of lower case alphanumeric characters, '-' or '.
  • BZ - 1488505 - OpenID extra parameters not being added to the authorization token request when openshift_master_identity_providers ansible variable is set
  • BZ - 1488833 - docker_image_availability check failed when running testing against an authenticated registry
  • BZ - 1488941 - JOURNAL_READ_FROM_HEAD="false" not honored - pre-existing pod logs indexed on logging-fluentd start
  • BZ - 1488954 - oc adm router --expose-metrics fails by default
  • BZ - 1489182 - [free-int] /var disk space exhaustion during upgrades [was: API calls hanging with timeout]
  • BZ - 1489709 - Creating first project still use /create-project page
  • BZ - 1489754 - Log Tail cannot show error log when build failed
  • BZ - 1490186 - Router pod not running after router certificates redeployment
  • BZ - 1490246 - Install CNS failed due to template file missed
  • BZ - 1490268 - [3.7] "when statements should not include jinja2 templating delimiters" warning is shown when running installer with ansible-2.3.1.0-3.el7.noarch
  • BZ - 1490304 - Etcd scale-up playbook should add new member to etcdClientInfo of master-config.yaml
  • BZ - 1490323 - No cri-o image
  • BZ - 1490647 - 3.6.2: logging-fluentd deployed with openshift_logging_use_mux=false fails to start due to missing mux secrets
  • BZ - 1490660 - logging-fluentd 3.6.173.0.32 in non-mux mode fails to start with ConfigParseError
  • BZ - 1490680 - Missing 'un-saved' dialogs when navigate away the dc edit yaml page with unsaved changes
  • BZ - 1490738 - "'openshift_hosted_registry_storage_swift_domainid' is undefined" error is seen when set openshift_hosted_registry_storage_provider to swift
  • BZ - 1490739 - "Could not find the requested service iptables: host" when scaling up etcd
  • BZ - 1490768 - Failed to provision cinder volume, got http response code 300
  • BZ - 1490905 - openshift-ansible CNS deployment fails when Docker storage is overlay2
  • BZ - 1490940 - [RFE] make the installer to use sysctl.d directorys instead of sysctl.conf file.
  • BZ - 1491193 - Error getting when request token from web console
  • BZ - 1491202 - [Federation] Failed to create load balancer for service federation-system/apiserver on GCE
  • BZ - 1491331 - failed to provision volume for claim test/pv0001-claim with StorageClass cinder. No suitable endpoint could be found in the service catalog
  • BZ - 1491399 - Require AWS hosts be tagged "kubernetes.io/cluster/xxxx" in 3.7
  • BZ - 1491405 - Fluentd logs filled with long lines of backslashes and undefined method utc errors after updating docker and using json-file as log driver
  • BZ - 1491495 - Storage size could not be set with decimal on web console
  • BZ - 1491589 - Image Size Limit does not work
  • BZ - 1491592 - Versions in doc is not correct
  • BZ - 1491626 - service-catalog can't access the template-service-broker by token in server via ansible installed
  • BZ - 1491657 - openshift_storage_nfs task failed due to iptables-services rpm package is not installed
  • BZ - 1491850 - DNS resolution is broken when installing on host with multiple NICs
  • BZ - 1491947 - "Unknown filter plugin 'k8s_meta_filter_for_mux_client' error in fluentd pod log when enabled mux service
  • BZ - 1492189 - [starter-us-east-1]Traffic passing through the router takes two orders of magnitude longer to serve than locally
  • BZ - 1492545 - Prometheus images are not pushed to brew and ops repo
  • BZ - 1492576 - [trello O6MCrGUx]Can't save searches, visualizations and dashboards in shared_ops mode
  • BZ - 1492786 - Installer fails at Create OpenShift router step
  • BZ - 1492891 - etcd writes being blocked when hard quota hit
  • BZ - 1492935 - Registry console error on project creation, allows project to be created regardless
  • BZ - 1492949 - Template processing pane from service-catalog home page should fill in pre-selected project
  • BZ - 1492999 - Enabling admission plugins with configurations fails by using DefaultAdmissionConfig
  • BZ - 1493057 - HPA V2 cannot get services/unsafeproxy in the namespace "openshift-infra"
  • BZ - 1493276 - Setting servingInfo.clientCA to ca-bundle.crt can cause unwanted client cert popups in browser when hitting console
  • BZ - 1493347 - Wrong HPA condition - ScalingLimited while CPU usage is zero
  • BZ - 1493368 - Code error of resources.limits.memory for prometheus prom-proxy container
  • BZ - 1493376 - installer is using "latest" tag of cri-o image as hardcode
  • BZ - 1493431 - Should use less image parameters to deploy prometheus if we want to use images from brew or ops repo
  • BZ - 1493432 - Pod scheduled failed when it uses a local storage
  • BZ - 1493450 - Cannot delete servicebroker/serviceinstance/serviceinstancecredential resources
  • BZ - 1493679 - can't get token from https://api.free-int.openshift.com/oauth/token/request
  • BZ - 1493714 - installer removes /var/lib/docker/* when cri-o variables are passed in inv file
  • BZ - 1493827 - Debug Terminal's right border goes outside
  • BZ - 1493903 - [hNhBstvg] accessTokenMaxAgeSeconds in oauthclient not override the master default
  • BZ - 1494201 - controller attach and detach not working for fiber channel
  • BZ - 1494231 - oc import-image generates x509 error when trying to import an image
  • BZ - 1494357 - containerized install failed when openshift_use_crio=true and openshift_release=v3.7 is set
  • BZ - 1494433 - duplicate "[OSEv3:children]" in document
  • BZ - 1494461 - installer is trying to start cri-o service on nfs host
  • BZ - 1494470 - Upgrade failed for AnsibleUndefinedVariable: 'l_bind_docker_reg_auth' is undefined
  • BZ - 1494673 - Cassandra readiness probe can incorrectly fail in multi node setup
  • BZ - 1495103 - audit log doesn't work now
  • BZ - 1495105 - [trello:yzMWezC1] Node service could be started when set net.ipv4.ip_forward = 0
  • BZ - 1495107 - upgrade masters failed due to unexpected task to install pkgs on dedicated node hosts
  • BZ - 1495135 - Upgrade failed due to can not find atomic-openshift-master-api service in non-ha containerized env
  • BZ - 1495139 - device or resource busy error info in prometheus container logs after running for an hour
  • BZ - 1495142 - All the internal hosts should be added to NO_PROXY
  • BZ - 1495150 - failed to install OCP when use openshift_logging_es_pvc_dynamic with NFS
  • BZ - 1495203 - openshift_logging_storage_volume_size is required even without installation of logging stack
  • BZ - 1495446 - Deploy prometheus without pv, ansible throw out 'dict object' has no attribute 'nfs' info
  • BZ - 1495491 - BC page should have Events tab
  • BZ - 1495545 - Wrong setting etcd_backup_tag variable when create etcd backup file
  • BZ - 1496174 - filter get_router_replicas is missing in Ansible 2.4.0.0
  • BZ - 1496202 - openshift_logging_storage_volume_size does not take effect
  • BZ - 1496352 - Failed to undeploy Metrics
  • BZ - 1496359 - No APB dependencies in image rhscl-mysql-apb
  • BZ - 1496391 - Pull image failed due to installer comment "registry.access.redhat.com"
  • BZ - 1496426 - Ansible service broker cannot be installed in v3.7 due to broker configuration need to update
  • BZ - 1496572 - ASB: Misleading error message when dockerhub credentials are incorrect: V1 Schema Manifest does not exist in registry
  • BZ - 1496593 - NetworkManager(99-origin-dns.sh) does not add cluster.local to resolv.conf if there are no `search xxx` in resolv.conf
  • BZ - 1496638 - mariadb-apb, mysql-apb should support for Service Plans
  • BZ - 1496688 - [ASB_public_377] Apb sandbox will be launched in openshift.namespace and fail to create the pod since can not find the matched secret when openshift.namespace is not the namespace which ansible-service-broker located
  • BZ - 1496694 - cluster role need update to track current resources name of servicecatalog api group for v3.7
  • BZ - 1496707 - atomic-openshift-node unit file should configure container-engine dependence instead of docker while enabling node and docker system container
  • BZ - 1496725 - Could not find the requested service container-engine while configuring "openshift_docker_use_system_container=false" in inventory file
  • BZ - 1496742 - Lacking of template_service_broker templates after installing atomic-openshift-utils
  • BZ - 1496753 - Viewer could not get serviceinstance
  • BZ - 1496756 - containerized haproxy fail to be started because no DOCKER chain is existing
  • BZ - 1496760 - openshift_health_check is doing "docker_storage" against a NFS host
  • BZ - 1497041 - 3.7 installer is setting default image version for service catalog image to v3.6
  • BZ - 1497047 - service catalog failed to be deployed due to "No matched nodes" when setting osm_default_node_selector
  • BZ - 1497098 - should move single quote character of login command
  • BZ - 1497106 - Admission controller should block creating new Service Credentials for an instance that is in the process of being deleted
  • BZ - 1497133 - [trello HbrHhjgd]Error provisioning serviceclass in tsb server installed by openshift ansible
  • BZ - 1497144 - docker role is run against a standalone nfs host.
  • BZ - 1497150 - atomic-openshift-node randomly failed on AWS due to AWS credentials not set
  • BZ - 1497168 - Upgrade should be blocked if etcd3 is not currently in use
  • BZ - 1497310 - Registry-console image check states to use registry.access.redhat.com
  • BZ - 1497325 - unable to find api field in struct Container for the json field \"$setElementOrder/env\""
  • BZ - 1497401 - Default image version for logging and metrics should be v3.7 in 3.7 ansible playbooks
  • BZ - 1497403 - Should display Parameter by Ordering and Grouping when provision
  • BZ - 1497412 - Comment old registry params are called always
  • BZ - 1497766 - APB Pods are deleted even when an error occurs
  • BZ - 1497819 - Broker should not rely on image field of APB yaml
  • BZ - 1497839 - When Secrets are defined the APB Pod is not run in the transient namespace
  • BZ - 1497937 - logging-deployer pod never completes update
  • BZ - 1498178 - Builds using Docker strategy attempt to pull down all tags of a base image when tag is not specified
  • BZ - 1498203 - Extracted Credentials were leaking to new bindings
  • BZ - 1498213 - Increase ARP cache size on loadbalancers
  • BZ - 1498571 - Remove image field from APB yaml
  • BZ - 1498618 - Bind Parameters not shown in the UI
  • BZ - 1498632 - OCP 3.7 syslog and journal filling up with looping "du and find on following dirs took..." messages when exceeding 450 pods per node
  • BZ - 1498897 - [free-stg] Application creation dialog does not close after pressing "Create"
  • BZ - 1498908 - openshift-installer image should support an inventory directory in addition to flat files.
  • BZ - 1498954 - Broker in developer mode must support apb push
  • BZ - 1498992 - Ansible Service Broker template should default ENABLE_BASIC_AUTH to false
  • BZ - 1499172 - [3.7] Deleted in use PVCs can break the scheduler
  • BZ - 1499177 - [3.3] Deleted in use PVCs can break the scheduler
  • BZ - 1499178 - [3.2] Deleted in use PVCs can break the scheduler
  • BZ - 1499616 - Unable to find originating origin header
  • BZ - 1499622 - Get ProvisionedSuccessfully event while Provisioning
  • BZ - 1499651 - The requested handler 'restart node' was not found while enabling flannel
  • BZ - 1499746 - Hpa v1 fail to get metrics
  • BZ - 1500048 - APBs in the service broker need to have globally unique plan IDs
  • BZ - 1500164 - "debug_level" isn't working
  • BZ - 1500180 - Too many "no observation found for eviction signal allocatableNodeFs.available" logs in node
  • BZ - 1500242 - Failed to tag image via jenkin plugin in jenkins1 and jenkins2
  • BZ - 1500519 - Logs are flooded with "unauthorized: authentication required" errors
  • BZ - 1500615 - should see serviceclass relist by RelistDuration setting while setting RelistDuration greater than 5mins
  • BZ - 1500616 - Should prevent relistDuration change to negative value in servicebroker
  • BZ - 1500627 - Prometheus pod in CrashLoopBackOff status, prometheus container failed to start up
  • BZ - 1500631 - Etcd migrate failed for an undefined variable
  • BZ - 1500642 - [3.7] installer need provide a way to add docker auth to kubelet for auto pulling infra image from an authenticated registry
  • BZ - 1500650 - There is no clusterNetworks config in master config
  • BZ - 1500661 - The default value for enum field of serviceclass is not shown automatically when provisioning in web
  • BZ - 1500664 - [hwivBoNF] Panic error "index out of range" on node when adding ipv6 address to hostsubnet as egressIPs
  • BZ - 1500667 - Fail to scale-up etcd when running as system container
  • BZ - 1500731 - Bitbucket Server 5.4 Webhook push sends X-Event-Key repo:refs_changed.
  • BZ - 1500859 - Incorrect project count in My Projects
  • BZ - 1500930 - Deleting 1 APB service instance triggers 4 deprovision pods inside of 4 temporary namespaces
  • BZ - 1501133 - [H1FhCI1I]HSTS for the route is not working well due to the format is not correct
  • BZ - 1501152 - Binding take up to 400+ seconds when pvc is created before creating pv.
  • BZ - 1501231 - There is no outside network access for user created docker container on Atomic-7.4.2
  • BZ - 1501271 - ansible_ssh_user is overwritten by openshift_aws_build_ami_ssh_user
  • BZ - 1501319 - Panic error "cap out of range" on node when deleting other node in the cluster
  • BZ - 1501523 - [ASB] APB provisioning fails to start when attempted directly after "apb push"ing a new APB.
  • BZ - 1501752 - OCP cluster does not work after migrate from etcd2 to etcd3 if no .snap file is created before migrate
  • BZ - 1501768 - deploy eventrouter failed when openshift_logging_eventrouter_nodeselector was set
  • BZ - 1501795 - servingInfo.clientCA should be updated to ca.crt during upgrade
  • BZ - 1501807 - Missed notification drawer bell icon in IE & edge browsers
  • BZ - 1501831 - The openshift_logging_elasticsearch_proxy_image_prefix shouldn't be image name
  • BZ - 1501845 - the router configuration is not reloaded in 10 minutes after adding namespace label
  • BZ - 1501850 - Networkpolicy plugin checks pod status too fast that there are lots of warnings about PodIP is not set in node log
  • BZ - 1501855 - the rules added in chain OPENSHIFT-ADMIN-OUTPUT-RULES cannot work
  • BZ - 1501876 - [hwivBoNF] The pod on the other node will lose the outside connection when enable the egressIP
  • BZ - 1501986 - CVE-2017-12195 OpenShift Enterprise 3: authentication bypass for elasticsearch with external routes
  • BZ - 1502044 - Ansible Service Broker should report created on deprovision request
  • BZ - 1502054 - glusterfs installation failed: parameter TOPOLOGY_PATH is required and must be specified
  • BZ - 1502551 - files in {{ __tsb_files_location }} doesn't existing
  • BZ - 1502560 - Default docker parameter "--signature-enabled=false" shouldn't be removed during the installation
  • BZ - 1502767 - Encryption of secrets in datastore is not occurring
  • BZ - 1502866 - 3.6 Nodes will not start with 3.7 master
  • BZ - 1502914 - Deploymentconfig page failed to add, update, delete and move order for environment variables
  • BZ - 1503015 - Creating volumesnapshot does not generate volumesnapshotdata.
  • BZ - 1503036 - The 'next' button wrongly changed to 'create' when click image on homepage
  • BZ - 1503091 - Need to update apiservice from v1alpha1 to v1beta1 for servicecatalog.k8s.io
  • BZ - 1503233 - Warning statements from `oc status` because ASB deploymentconfig has no readiness & liveness checks
  • BZ - 1503289 - Registry credentials are displayed in plain text in configmap for ASB
  • BZ - 1503404 - It appears that master API service in 3.7 causes fluentd k8s metadata plugin to kill fluentd
  • BZ - 1503415 - Upgrade failed due to an undefined variable oreg_auth_credentials_replace
  • BZ - 1503450 - 3.7.1 White spaces in the cert prevents Origin Metrics from starting
  • BZ - 1503458 - oc logs fails with unexpected stream type ""
  • BZ - 1503860 - system container install seems broken for 3.7
  • BZ - 1503903 - Proxy installation failed with system containers enabled
  • BZ - 1503987 - Should prevent externalClusterServicePlanName update in serviceinstance while PlanUpdatable=false
  • BZ - 1503995 - Fail to pull ose image during upgrade due to docker auth token was not updated even if oreg_auth_credentials_replace=true is set
  • BZ - 1504001 - [trello 6zsvyyYu] A tooltip uselessly always pop up with item name when mouse moves around
  • BZ - 1504021 - disabledFeatures is not added into master config file when installing standalone registry console env.
  • BZ - 1504191 - Logging deploy configuring a bad oauth-proxy image location
  • BZ - 1504250 - Ansible Service Broker stops listening for deprovision messages after failure
  • BZ - 1504511 - [trello 6zsvyyYu] Back and Next operations forget previously filled in value in ordering template
  • BZ - 1504515 - Upgrade failed due to installer try to stop atomic-openshift-master-controllers on etcd host
  • BZ - 1504525 - Upgrade failed due to masters can not finish reconciling
  • BZ - 1504535 - Deploy cfme failed when using external NFS
  • BZ - 1504583 - Fluent failed to gather docker event logs
  • BZ - 1504593 - Installer doesn't report the installer status correctly if openshift health checks failed
  • BZ - 1504604 - Original ocp does not work after migrate an embedded etcd to a fresh hosts
  • BZ - 1504729 - Ansible Service Broker should log job state
  • BZ - 1504927 - ASB Failed provision marked successful even on pod error
  • BZ - 1504973 - Cannot unhide/confirm password parameters
  • BZ - 1505255 - unnecessary blank shows in dc configuration page
  • BZ - 1505266 - Node could not start due to the error:SDN node startup failed: could not find egress network interface
  • BZ - 1505273 - fluentd failed to load plugin when remote_syslog was enabled
  • BZ - 1505281 - Message is confused to user when resource created by importing template on console
  • BZ - 1505289 - Machine error message when minpod greater than maxpod in the process of add autoscale
  • BZ - 1505354 - OpenShift unable to delete pods which failed ContainerCreating using cri-o (missing CreatedAt field)
  • BZ - 1505537 - Installer hangs at "Wait for master controller service to start on first master"
  • BZ - 1505671 - Failed to update status since precondition failed while Deprovisioning
  • BZ - 1505712 - Should disable the create button for the viewer user when ordering template
  • BZ - 1505782 - Should not display the delete icon in the Environment tab of pod page
  • BZ - 1506017 - failed to start SDN plugin controller when Network CIDRS are invalid.
  • BZ - 1506099 - [3.7]fluentd pods failed to start up,"Unknown filter plugin 'record_modifier' in fluentd pods log
  • BZ - 1506115 - [starter-ca-central-1] web console terminal content is not cleared on re-connect
  • BZ - 1506128 - cri-o system container has wrong start parameter "--debug" cause installer failure
  • BZ - 1506141 - Upgrade failed in turn at task [Restart journald] for the first time when run upgrade playbook on master hosts
  • BZ - 1506149 - [hwivBoNF] Be able to access the node through the egress IP after restart iptables service
  • BZ - 1506153 - URL should support clusterserviceclass instead of serviceclass for parameter
  • BZ - 1506165 - master api&controllers did not work after split from original master during upgrade
  • BZ - 1506173 - S2I behavior change between OCP 3.4 (3.4.1.24) and 3.5 (3.5.5.31.24) with regards to symlinks
  • BZ - 1506332 - Reduce node iptables logging in V(2)
  • BZ - 1506375 - API server panics while running conformance: APIServer panic'd on GET /api/v1/namespaces/extended-test-cli-deployment-59v3j-tb8s9: multiple NewLogged calls!
  • BZ - 1506396 - Increase iptables-restore timeout
  • BZ - 1506399 - Installer ignores missing overlay
  • BZ - 1506502 - [TSB] Should not show openshift/templates on Catalog after TSB enabled
  • BZ - 1506537 - Provisioning OCP on AWS failed due to SSLCertificateId missed
  • BZ - 1506541 - No controller-manager and apiserver in latest(v3.7.0-0.179.0.0) image
  • BZ - 1506713 - Update parameter types are not properly passed out on the /v2/catalog API
  • BZ - 1506931 - request to add some retries for "Create credentials for docker cli registry auth"
  • BZ - 1506971 - openshift-ansible-* packages should also be updated when updating atomic-openshift-utils
  • BZ - 1506976 - [TSB] Cannot see resources in webconsole after provision a template to an un-owned project which only have view and create/list/get/delete serviceinstance role granted
  • BZ - 1506998 - Should support to reveal secret with field .dockercfg
  • BZ - 1507051 - Port 10010 is closed
  • BZ - 1507061 - cockpit role is skipped
  • BZ - 1507083 - openshift_master_etcd_hosts list get wrong in rpm install.
  • BZ - 1507111 - Add support for an adapter to the local OpenShift registry
  • BZ - 1507257 - Messages flooded with messages like StopPodSandbox $SHA from runtime service failed: rpc error: code = 2 desc = NetworkPlugin cni failed to teardown pod <pod-name> network: CNI failed to retrieve network namespace path: Error: No such container: $SHA
  • BZ - 1507321 - Cannot access Mediawiki123 route after binding to MySQL
  • BZ - 1507448 - [tsb]Can't delete templateinstance and other resources when deprovision a failed serviceinstance
  • BZ - 1507449 - osm_controller_lease_ttl setting is not honored
  • BZ - 1507460 - [atomic registry]Could not show members on project page after add role to other user
  • BZ - 1507598 - Ordinary users are not able to update ServiceInstance
  • BZ - 1507617 - Etcd should communicate over SSL and be authenticated to
  • BZ - 1507664 - The health checks are disabled when there are multiple services
  • BZ - 1507730 - Bug of Delete ServiceAccount Rolebinding from WebUI
  • BZ - 1507753 - Inconsistent environment variable action link text between config edit page and Environment tab
  • BZ - 1507787 - default ansible_service_broker_etcd_image_prefix should use fully qualified etcd image name
  • BZ - 1507822 - [trello Q53Gxe4v]Plan info is not updated automatically after change plan
  • BZ - 1507871 - [hwivBoNF] Should not be able to access the denied network which defined in EgressNetworkPolicy via the egressIP
  • BZ - 1507886 - Change secret data cause ServiceInstance update fail
  • BZ - 1507908 - Plan of ServiceInstance can still be updated with class has spec.planUpdatable set to false
  • BZ - 1508047 - Router reduce log output
  • BZ - 1508049 - apb-tools container does not work
  • BZ - 1508059 - Prometheus and AlertManager volumes grows infinitely
  • BZ - 1508084 - Add ServiceClassID and ServiceInstanceID params during provision and bind
  • BZ - 1508085 - Enable the service catalog, template broker and ansible service broker by default
  • BZ - 1508278 - [APB] Need to use up-to-date feature rather than the one will be removed
  • BZ - 1508301 - OpenShift authorization objects should be checked before upgrade v3.6 to v3.7
  • BZ - 1508374 - For better user experience, we need to put password item after user item
  • BZ - 1508582 - non-admin users aren't able to update ServiceInstances
  • BZ - 1508724 - apb image from rhcc registry provision failed
  • BZ - 1508734 - Failed to upgrade masters due to installer try to stop atomic-openshift-master-controllers on etcd host
  • BZ - 1508755 - Failed to upgrade nodes for non-ha containerized env
  • BZ - 1508893 - APB's complain about missing asb ansible module
  • BZ - 1508969 - OpenShift RestClient Python Helpers should default to Foreground Propagation of Delete
  • BZ - 1508994 - APBs should not display passwords as text.
  • BZ - 1509018 - PostgreSQL APB and MariaDB APB not showing under correct tabs in UI
  • BZ - 1509022 - Template instance provisioning via TSB fails sporadically
  • BZ - 1509052 - Non-Developer Deployments of Ansible Service Broker should not use log file
  • BZ - 1509124 - Encounter node service restart failure during openshift CA redeployment
  • BZ - 1509142 - Should not display the "Reveal Secret" link when secrets without 'data' field
  • BZ - 1509158 - Master services were not started automatically after reboot hosts for an upgraded non-ha deployed env
  • BZ - 1509163 - No recommended version of Open vSwitch for OCP 3.7
  • BZ - 1509192 - `oc debug` pod does not work and shows "cannot set blockOwnerDeletion if an ownerReference ..."
  • BZ - 1509341 - Stop prometheus metrics growth issues
  • BZ - 1509354 - customized router certificate files defined in openshift_hosted_routers are not uploaded to master
  • BZ - 1509476 - MariaDB provision failure on blank passwords
  • BZ - 1509680 - ansible_service_broker_registry_user and ansible_service_broker_registry_password shouldn't be required fields for dockerhub type
  • BZ - 1509782 - openshift_prometheus_image_prefix did not use the default value if not set it in inventory
  • BZ - 1509819 - Environment from Secret was not shown in Hooks
  • BZ - 1509837 - Upgrade may fail when restart master controllers
  • BZ - 1509842 - No configmap to select when adding environment variables for hooks
  • BZ - 1509880 - oci runtime error: permission denied while enabling docker system container
  • BZ - 1510172 - master controller panic during reliability long run - TypeAssertionError during project creation/deletion
  • BZ - 1510299 - mariadb and mysql provision failed at cannot access /etc/apb-secrets while using rhcc registry
  • BZ - 1510304 - mediawiki-123 still using dockerhub image although configured broker with rhcc registry
  • BZ - 1510314 - Unable to create client binaries/symlinks out of CLI image while using insecure registry
  • BZ - 1510346 - Secret of null key-value displays messy code when Reveal Secret
  • BZ - 1510546 - ASB fails to install after recent etcd cert changes
  • BZ - 1510599 - MariaDB/MySQL APB should use service name for binding
  • BZ - 1510636 - Registry configuration for local registry missing a name
  • BZ - 1510746 - Failed to deploy logging 3.7, ansible threw out error "[Errno 2] No such file or directory" when restart atomic-openshift-master-controllers service
  • BZ - 1511044 - Ansible service broker etcd certs are read using a file lookup, which only works if the installer is running on the first master.
  • BZ - 1511077 - Mediawiki cannot bind to MySql/MariaDB
  • BZ - 1511186 - Keep Namespace On Error Configuration Value Should be Set For openshift ansible
  • BZ - 1511258 - MariaDB deprovision doesn't delete service
  • BZ - 1511650 - Internet explorer 11 is not displaying catalogs
  • BZ - 1512708 - vague behavior of a "corsAllowedOrigins" parameter in a "master-config.yaml" configuration file
  • BZ - 1513369 - Image snapshot-controller is using old api.

CVEs

References