Jump to content
Compatible Support Forums
Sign in to follow this  
news

[RHSA-2014:1906-01] Moderate: Red Hat OpenShift Enterprise 2.1.9 security, bug fix, and enhancement update

Recommended Posts

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

 

=====================================================================

Red Hat Security Advisory

 

Synopsis: Moderate: Red Hat OpenShift Enterprise 2.1.9 security, bug fix, and enhancement update

Advisory ID: RHSA-2014:1906-01

Product: Red Hat OpenShift Enterprise

Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-1906.html

Issue date: 2014-11-25

CVE Names: CVE-2014-3602 CVE-2014-3674

=====================================================================

 

1. Summary:

 

Red Hat OpenShift Enterprise release 2.1.9, which fixes two security

issues, several bugs, and add one enhancement, is now available.

 

Red Hat Product Security has rated this update as having Moderate security

impact. Common Vulnerability Scoring System (CVSS) base scores, which give

detailed severity ratings, are available for each vulnerability from the

CVE links in the References section.

 

2. Relevant releases/architectures:

 

RHOSE Infrastructure 2.1 - noarch

RHOSE JBoss EAP add-on 2.1 - noarch

RHOSE Node 2.1 - noarch

 

3. Description:

 

OpenShift Enterprise by Red Hat is the company's cloud computing

Platform-as-a-Service (PaaS) solution designed for on-premise or private

cloud deployments.

 

It was found that OpenShift Enterprise 2.1 did not properly restrict access

to services running on different gears. This could allow an attacker to

access unprotected network resources running in another user's gear.

 

In a previous update, OpenShift Enterprise 2.2 introduced the

oo-gear-firewall command, which creates firewall rules and SELinux policy

to contain services running on gears to their own internal gear IPs.

The command is invoked by default during new installations of OpenShift

Enterprise 2.2 to prevent this security issue. This update backports the

command to OpenShift Enterprise 2.1.; administrators should run the

following command on node hosts in existing OpenShift Enterprise 2.1

deployments after applying this update to address this security issue:

 

# oo-gear-firewall -i enable -s enable

 

Please see the man page of the oo-gear-firewall command for more details.

(CVE-2014-3674)

 

It was found that OpenShift Enterprise did not restrict access to the

/proc/net/tcp file in gears, which allowed local users to view all

listening connections and connected sockets. This could result in remote

system's IP or port numbers in use to be exposed, which may be useful for

further targeted attacks.

 

Note that for local listeners, OpenShift Enterprise restricts connections

to within the gear by default, so even with the knowledge of the local port

and IP, the attacker is unable to connect. The SELinux policy on node hosts

has been updated to prevent this gear information from being accessed by

local users.

 

Due to the closing of this access, JBoss-based cartridges that relied on it

previously must be upgraded according to the standard procedure. This is a

compatible cartridge upgrade and therefore does not require a restart.

(CVE-2014-3602)

 

Space precludes documenting all of the bug fixes and enhancements in this

advisory. See the OpenShift Enterprise Technical Notes linked to in the

References section, which will be updated shortly for release 2.1.9, for

details about these changes.

 

All OpenShift Enterprise users are advised to upgrade to these updated

packages.

 

4. Solution:

 

Before applying this update, make sure all previously released errata

relevant to your system have been applied.

 

See the OpenShift Enterprise 2.1 Release Notes linked to in the References

section, which will be updated shortly for release 2.1.9, for important

instructions on how to fully apply this asynchronous errata update.

 

This update is available via the Red Hat Network. Details on how to use the

Red Hat Network to apply this update are available at

https://access.redhat.com/site/articles/11258.

 

5. Bugs fixed (https://bugzilla.redhat.com/):

 

1131680 - CVE-2014-3602 OpenShift: /proc/net/tcp information disclosure

1143991 - [2.1 backport] Expose haproxy-sni-proxy mapped ports as environmental variables

1148170 - CVE-2014-3674 OpenShift Enterprise: gears fail to properly isolate network traffic

1149837 - [2.1 backport] oo-accept-systems: improve cartridge integrity checks

1153319 - [2.1 backport] Disable SSLv3 to mitigate POODLE CVE- 2014- 3566

1155794 - [2.1 backport] Race condition in `oo-httpd-singular graceful` when using apache-vhost

1163502 - Remove explicit dependency on RHEL 6.6's subscription-manager package

 

6. Package List:

 

RHOSE Infrastructure 2.1:

 

Source:

openshift-enterprise-upgrade-2.1.9-1.el6op.src.rpm

openshift-origin-broker-1.16.1.14-1.el6op.src.rpm

openshift-origin-broker-util-1.23.8.14-1.el6op.src.rpm

rubygem-openshift-origin-controller-1.23.10.15-1.el6op.src.rpm

rubygem-openshift-origin-msg-broker-mcollective-1.23.3.6-1.el6op.src.rpm

 

noarch:

openshift-enterprise-release-2.1.9-1.el6op.noarch.rpm

openshift-enterprise-upgrade-broker-2.1.9-1.el6op.noarch.rpm

openshift-enterprise-yum-validator-2.1.9-1.el6op.noarch.rpm

openshift-origin-broker-1.16.1.14-1.el6op.noarch.rpm

openshift-origin-broker-util-1.23.8.14-1.el6op.noarch.rpm

rubygem-openshift-origin-controller-1.23.10.15-1.el6op.noarch.rpm

rubygem-openshift-origin-msg-broker-mcollective-1.23.3.6-1.el6op.noarch.rpm

 

RHOSE JBoss EAP add-on 2.1:

 

Source:

openshift-origin-cartridge-jbosseap-2.16.3.7-1.el6op.src.rpm

 

noarch:

openshift-origin-cartridge-jbosseap-2.16.3.7-1.el6op.noarch.rpm

 

RHOSE Node 2.1:

 

Source:

openshift-enterprise-upgrade-2.1.9-1.el6op.src.rpm

openshift-origin-cartridge-jbossews-1.22.3.7-1.el6op.src.rpm

openshift-origin-msg-node-mcollective-1.22.2.3-1.el6op.src.rpm

openshift-origin-node-util-1.22.20.5-1.el6op.src.rpm

rubygem-openshift-origin-frontend-apache-mod-rewrite-0.5.2.2-1.el6op.src.rpm

rubygem-openshift-origin-frontend-apache-vhost-0.5.2.6-1.el6op.src.rpm

rubygem-openshift-origin-frontend-apachedb-0.4.1.2-1.el6op.src.rpm

rubygem-openshift-origin-frontend-haproxy-sni-proxy-0.3.2.2-1.el6op.src.rpm

rubygem-openshift-origin-node-1.23.9.26-1.el6op.src.rpm

 

noarch:

openshift-enterprise-release-2.1.9-1.el6op.noarch.rpm

openshift-enterprise-upgrade-node-2.1.9-1.el6op.noarch.rpm

openshift-enterprise-yum-validator-2.1.9-1.el6op.noarch.rpm

openshift-origin-cartridge-jbossews-1.22.3.7-1.el6op.noarch.rpm

openshift-origin-msg-node-mcollective-1.22.2.3-1.el6op.noarch.rpm

openshift-origin-node-util-1.22.20.5-1.el6op.noarch.rpm

rubygem-openshift-origin-frontend-apache-mod-rewrite-0.5.2.2-1.el6op.noarch.rpm

rubygem-openshift-origin-frontend-apache-vhost-0.5.2.6-1.el6op.noarch.rpm

rubygem-openshift-origin-frontend-apachedb-0.4.1.2-1.el6op.noarch.rpm

rubygem-openshift-origin-frontend-haproxy-sni-proxy-0.3.2.2-1.el6op.noarch.rpm

rubygem-openshift-origin-node-1.23.9.26-1.el6op.noarch.rpm

 

These packages are GPG signed by Red Hat for security. Our key and

details on how to verify the signature are available from

https://access.redhat.com/security/team/key/

 

7. References:

 

https://access.redhat.com/security/cve/CVE-2014-3602

https://access.redhat.com/security/cve/CVE-2014-3674

https://access.redhat.com/security/updates/classification/#moderate

https://access.redhat.com/documentation/en-US/OpenShift_Enterprise/2/html-single/Technical_Notes/index.html

https://access.redhat.com/documentation/en-US/OpenShift_Enterprise/2/html-single/2.1_Release_Notes/index.html#chap-Asynchronous_Errata_Updates

 

8. Contact:

 

The Red Hat security contact is . More contact

details at https://access.redhat.com/security/team/contact/

 

Copyright 2014 Red Hat, Inc.

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1

 

iD8DBQFUdMvPXlSAg2UNWIIRAl3BAJ9rQqkEpZf4eADw2UlOjewslifYTACcD1EL

/UsGQ44U3ghdvF3PGBBRVOM=

=Cp0R

-----END PGP SIGNATURE-----

 

 

--

 

Share this post


Link to post

Please sign in to comment

You will be able to leave a comment after signing in



Sign In Now
Sign in to follow this  

×