Executive Summary

Summary

Title: Red Hat OpenShift Enterprise 2.2 Release Advisory

Information

Name: RHSA-2014:1796
Vendor: RedHat
Severity (Vendor): Moderate
First vendor publication: 2014-11-03
Last vendor modification: 2014-11-03
Revision: 01

Security-Database Scoring CVSS v3

CVSS vector: N/A (no CVSS v3 vector has been assigned to this advisory)
Overall CVSS score: NA
Base score: NA
Impact sub score: NA
Exploitability sub score: NA
Temporal score: NA
Environmental score: NA

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS base score: 7.5
CVSS impact score: 6.4
CVSS exploit score: 10
Attack range: Network
Attack complexity: Low
Authentication: None required

Detail

Problem Description:

Red Hat OpenShift Enterprise release 2.2, which fixes a security issue, several bugs and includes various enhancements, is now available.

Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

RHOSE Client 2.2 - noarch
RHOSE Infrastructure 2.2 - noarch, x86_64
RHOSE JBoss EAP add-on 2.2 - noarch
RHOSE Node 2.2 - noarch, x86_64

3. Description:

OpenShift Enterprise by Red Hat is the company's cloud computing Platform-as-a-Service (PaaS) solution designed for on-premise or private cloud deployments.

It was reported that OpenShift Enterprise did not properly restrict access to services running on different gears. This could allow an attacker with a gear on a node to reach unprotected network services (for example, a database or cache that only listens on the gear's internal IP without authentication) running in another user's gear on the same node. OpenShift Enterprise 2.2 introduces the oo-gear-firewall command, which creates iptables rules and SELinux policy to confine services running on gears to their own internal gear IPs. The command is invoked by default during new installations of OpenShift Enterprise 2.2, so fresh 2.2 nodes are not affected. Nodes upgraded from an earlier release are not protected until the command is run; administrators should run the following on every node host in existing deployments after upgrading to 2.2 to address this security issue (-i controls the iptables rules and -s the SELinux policy):

# oo-gear-firewall -i enable -s enable

Please see the man page for the oo-gear-firewall command for more details. (CVE-2014-3674)

It was reported that OpenShift Enterprise did not restrict access to the /proc/net/tcp file on gears, which allowed local users to view all listening sockets and established connections on the node, not only those belonging to their own gear. This could expose the IP addresses and port numbers of remote systems the node's gears are talking to (for example, external databases), which may be useful for further targeted attacks. Note that for local listeners, OSE restricts connections to within the gear by default, so even with knowledge of another gear's local port and IP the attacker is unable to connect. This bug fix updates the SELinux policy on node hosts to prevent this gear information from being accessed by local users. (CVE-2014-3602)
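The two issues above are easiest to reason about with the data in hand. The following is an added example, not code from the advisory or from OpenShift Enterprise: it decodes the /proc/net/tcp format that CVE-2014-3602 exposed (listening sockets and the remote peers of established connections), and includes a small TCP probe of the kind an administrator could run from inside one gear against another gear's internal IP to confirm that the oo-gear-firewall confinement for CVE-2014-3674 is in effect. The sample /proc/net/tcp lines, the gear IP 127.0.250.1, the 10.5.1.0/24 addresses and the uids are constructed for the example; nothing here was captured from a real node.

```python
import socket
import struct

# TCP socket states as the kernel encodes them in /proc/net/tcp (hex).
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV",
    "04": "FIN_WAIT1", "05": "FIN_WAIT2", "06": "TIME_WAIT",
    "07": "CLOSE", "08": "CLOSE_WAIT", "09": "LAST_ACK",
    "0A": "LISTEN", "0B": "CLOSING",
}

# Constructed sample in /proc/net/tcp layout (not from a real node):
#   row 0/1: uid 1001's gear listening on its internal IP 127.0.250.1 (8080, 3306)
#   row 2:   uid 1002's gear connected from the node's 10.5.1.9 to 10.5.1.20:5432
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 01FA007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1001        0 23456 1 0000000000000000 100 0 0 10 0
   1: 01FA007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1001        0 23457 1 0000000000000000 100 0 0 10 0
   2: 0901050A:C3A4 1401050A:1538 01 00000000:00000000 00:00000000 00000000  1002        0 23458 1 0000000000000000 20 4 30 10 -1
"""


def decode_endpoint(hex_endpoint):
    """Turn '01FA007F:1F90' into ('127.0.250.1', 8080).

    The kernel prints the IPv4 address as a host-order 32-bit value, so on a
    little-endian (x86_64) node the byte order is reversed relative to the
    dotted quad; the port is plain big-endian hex.
    """
    addr_hex, port_hex = hex_endpoint.split(":")
    addr = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
    return addr, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Parse /proc/net/tcp text into a list of dicts (local, remote, state, uid)."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8 or fields[0] == "sl":  # header or malformed line
            continue
        entries.append({
            "local": decode_endpoint(fields[1]),
            "remote": decode_endpoint(fields[2]),
            "state": TCP_STATES.get(fields[3], fields[3]),
            "uid": int(fields[7]),
        })
    return entries


def listeners(entries):
    """Local (ip, port) pairs of every LISTEN socket, whichever gear owns it."""
    return [e["local"] for e in entries if e["state"] == "LISTEN"]


def remote_peers(entries):
    """Remote (ip, port) pairs of established connections: what the leak revealed."""
    return sorted({e["remote"] for e in entries if e["state"] == "ESTABLISHED"})


def probe_tcp(host, port, timeout=0.5):
    """True if a TCP connection to host:port completes within timeout.

    Run from one gear against a listener found in another gear's address
    space, this should return False once gear confinement is enabled.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def demo_probe_local():
    """Self-contained check of probe_tcp: probe an open port, then the same port closed."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # ephemeral port on loopback
    srv.listen(1)
    port = srv.getsockname()[1]
    while_open = probe_tcp("127.0.0.1", port)
    srv.close()
    after_close = probe_tcp("127.0.0.1", port)
    return while_open, after_close


if __name__ == "__main__":
    entries = parse_proc_net_tcp(SAMPLE_PROC_NET_TCP)
    print("listeners visible to any local user:", listeners(entries))
    print("remote peers exposed:", remote_peers(entries))
    print("probe open/closed:", demo_probe_local())
```

On a live node you would feed the real file (`open("/proc/net/tcp").read()`) to `parse_proc_net_tcp` from an unprivileged gear account: before the SELinux policy update every row on the node is readable, afterwards the read is denied. For the isolation check, run `probe_tcp` from gear A against a listener that belongs to gear B; a True result after `oo-gear-firewall -i enable -s enable` means the confinement did not take effect on that node.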

The OpenShift Enterprise 2.2 Release Notes provide information about new features and notable technical changes in this release, as well as notes on initial installations. For more information about OpenShift Enterprise, see the documentation available at:

https://access.redhat.com/site/documentation/en-US/OpenShift_Enterprise/2/

All OpenShift Enterprise users are advised to upgrade to release 2.2.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

See the latest OpenShift Enterprise Deployment Guide at https://access.redhat.com/site/documentation/en-US/OpenShift_Enterprise/2/ for instructions on initial installations and upgrades from previous versions.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/articles/11258.

5. Bugs fixed (https://bugzilla.redhat.com/):

1004479 - [RFE] Add the ability to limit a user's access to certain cartridges
1093192 - /etc/openshift-enterprise-release does not update with releases
1100102 - oo-diagnostics tools should check the source of packages that are installed for python-3.3 cartridge.
1121195 - oo-iptables-port-proxy fails unhelpfully if EXTERNAL_ETH_DEV is set incorrectly
1123850 - Openshift overwrites data/postgresql.conf during restart, destroying Locale and Formatting configuration
1130347 - "rhc server list" show that an unexpected server is in use if user change libra_server manually.
1131167 - oo-install proceeds with install when user has requested quit
1131190 - No stop related info shows in $cartridge.log when stop for jboss app
1131680 - CVE-2014-3602 OpenShift: /proc/net/tcp information disclosure
1133075 - OpenShift Enterprise 2.2 Errata Tool Advisory Bug
1134139 - [RFE] Track real person for gear SSH logins
1140289 - Background requests made to the broker are done under a hard-coded timeout.
1144057 - Gear size is still added to a user account if adding to the domain fails
1144940 - Console should show error info when adding invalid SSL certificate file.
1145810 - Scaled application fails when HTTP Basic authentication is used
1145877 - Console should show downloadable cartridge with vendor name to distinguish with original cartridge.
1146224 - Update haproxy15side to 1.5.4
1148170 - CVE-2014-3674 OpenShift Enterprise: gears fail to properly isolate network traffic
1148192 - Race condition in `oo-httpd-singular graceful` when using apache-vhost
1150971 - Console failed to add restricted gear size cartridge to scalable app with different gear size.
1151244 - Files placed in the .cartridge_repository will break mcollective on a node
1152698 - PostGresSQL Logging datetime
1152699 - Proper SSL setup for custom domain
1152700 - node - skip partial deployments
1153750 - oo-iptables-port-proxy should have "showproxy" instead of "showproxies" in its usage
1154026 - syntax error in /usr/lib/ruby/site_ruby/1.8/ose-upgrade/node/upgrades/4/maintenance_mode/02-poodle-disable-SSLv3
1154471 - OSE install failed due to wrong incompatible rsyslog7-7.4.10-3.el6_6.x86_64 installation
1156200 - oo-admin-ctl-iptables-port-proxy is needlessly slow under DNS failures
1156613 - routing-daemon.conf has NGINX_PLUS settings on by default, they should commented out

Original Source

Url : https://rhn.redhat.com/errata/RHSA-2014-1796.html

CWE : Common Weakness Enumeration

%     Id       Name
100 % CWE-264  Permissions, Privileges, and Access Controls

CPE : Common Platform Enumeration

Type         Count
Application  27
Os           1

Alert History

Date                 Information
2014-11-14 05:33:13
  • Multiple Updates
2014-11-13 21:29:10
  • Multiple Updates
2014-11-04 00:24:29
  • First insertion