Red Hat OpenShift Enterprise release 2.1.9, which fixes two security issues, several bugs, and adds one enhancement, is now available.

Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

OpenShift Enterprise by Red Hat is the company’s cloud computing Platform-as-a-Service (PaaS) solution designed for on-premise or private cloud deployments.

It was found that OpenShift Enterprise 2.1 did not properly restrict access to services running on different gears. This could allow an attacker to access unprotected network resources running in another user’s gear. In a previous update, OpenShift Enterprise 2.2 introduced the oo-gear-firewall command, which creates firewall rules and SELinux policy to contain services running on gears to their own internal gear IPs. The command is invoked by default during new installations of OpenShift Enterprise 2.2 to prevent this security issue. This update backports the command to OpenShift Enterprise 2.1; administrators should run the following command on node hosts in existing OpenShift Enterprise 2.1 deployments after applying this update to address this security issue:

# oo-gear-firewall -i enable -s enable

Please see the man page of the oo-gear-firewall command for more details. (CVE-2014-3674)

It was found that OpenShift Enterprise did not restrict access to the /proc/net/tcp file in gears, which allowed local users to view all listening connections and connected sockets. This could result in the IP addresses or port numbers of remote systems in use being exposed, which may be useful for further targeted attacks. Note that for local listeners, OpenShift Enterprise restricts connections to within the gear by default, so even with knowledge of the local port and IP, the attacker is unable to connect. The SELinux policy on node hosts has been updated to prevent this gear information from being accessed by local users. Due to the closing of this access, JBoss-based cartridges that relied on it previously must be upgraded according to the standard procedure. This is a compatible cartridge upgrade and therefore does not require a restart. (CVE-2014-3602)

Space precludes documenting all of the bug fixes and enhancements in this advisory. See the OpenShift Enterprise Technical Notes linked to in the References section, which will be updated shortly for release 2.1.9, for details about these changes.

All OpenShift Enterprise users are advised to upgrade to these updated packages.
Before applying this update, make sure all previously released errata relevant to your system have been applied.

See the OpenShift Enterprise 2.1 Release Notes linked to in the References section, which will be updated shortly for release 2.1.9, for important instructions on how to fully apply this asynchronous errata update.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258.

Red Hat OpenShift Enterprise 2

SRPMS:
openshift-enterprise-upgrade-2.1.9-1.el6op.src.rpm
    MD5: 52eac55a45837dfed8b2609ce3aae778
    SHA-256: c229e46fb34368175813a0aa6029d383594e4577468694dc448fd42a792c5e5e
openshift-origin-broker-1.16.1.14-1.el6op.src.rpm
    MD5: 20d60f34139d83fd7fe317d019da7151
    SHA-256: bc84424a7209ca469a24533a214f3874ecebadf3702419b317cf471841abc0c6
openshift-origin-broker-util-1.23.8.14-1.el6op.src.rpm
    MD5: b9914d9575de4b22d9f16c2be91e0401
    SHA-256: 36e016c63be2b25c664a7b8750514e8300faffb05a8f1a1c72868f2236075b3d
openshift-origin-cartridge-jbosseap-2.16.3.7-1.el6op.src.rpm
    MD5: 4c6ba31a2d3c9ad7bb80cd5d6079418f
    SHA-256: b64d6a8affcc92ec640e68be1658ec3407edd9a7bf7ce4f1215bb8b870f1d4aa
openshift-origin-cartridge-jbossews-1.22.3.7-1.el6op.src.rpm
    MD5: 4f3856632efbc3f483490a1df0cc20c4
    SHA-256: 6652c7204796fe842dafa4f318fb5547238dc39a1e0f4ceebaa7a3cc5a7f4b23
openshift-origin-msg-node-mcollective-1.22.2.3-1.el6op.src.rpm
    MD5: afd59551ffb5202b73e3f5185ac135cd
    SHA-256: b4297610c6f846e1836760557c64094455dbb39572ead65f3b89fdca18659f9e
openshift-origin-node-util-1.22.20.5-1.el6op.src.rpm
    MD5: f2ff0fab096ba9a3d89db4662743c40a
    SHA-256: 6a06b0f05d49a37e2ed87800553e58ab6090b1b233694b7e024be04be61143e2
rubygem-openshift-origin-controller-1.23.10.15-1.el6op.src.rpm
    MD5: eccaf9106ac85bbccbc549b222e6c028
    SHA-256: 170f82d70905d15d7ee63f9f6aa538edb649e02508c6bcea590a48b4884e7aac
rubygem-openshift-origin-frontend-apache-mod-rewrite-0.5.2.2-1.el6op.src.rpm
    MD5: e3777620701fd780b5d6dd5f9c9f3e3d
    SHA-256: 9f255633ee5f1ad1d3106da83cac5fd13a9f37b92dea9823fef07670ce24e6f0
rubygem-openshift-origin-frontend-apache-vhost-0.5.2.6-1.el6op.src.rpm
    MD5: 9bd85ec6855296ee9cbbf3695e1ce8b8
    SHA-256: b2219a6f21cc425c4fadcc7c6d5c69107f21a25e91b7427d492e0f5b32459454
rubygem-openshift-origin-frontend-apachedb-0.4.1.2-1.el6op.src.rpm
    MD5: 2805c0087a272d2efe692abbdb3a1c73
    SHA-256: a10b70e1a68a63f19c07ff60aadb368c83a16afc54da53cfb528e374101dbf3b
rubygem-openshift-origin-frontend-haproxy-sni-proxy-0.3.2.2-1.el6op.src.rpm
    MD5: c6c07df58bc371fd24a08e82f0269398
    SHA-256: 118ed1c8edc121c714943c8c3c26249a22b7b85d910d327f08df9aa7ce3cc810
rubygem-openshift-origin-msg-broker-mcollective-1.23.3.6-1.el6op.src.rpm
    MD5: 19f2d79bf0052bcf16ea752bf5573d0f
    SHA-256: 7c9d9cd95552f6da80022e18a531ee653cc08ccea0271186aaf1c7e0eccdeabb
rubygem-openshift-origin-node-1.23.9.26-1.el6op.src.rpm
    MD5: 8b24cf2244ec5f002d0f4612f0ddfd69
    SHA-256: c44aefd623c5a3342305ea172a88cc66fe095c789f139aed49b58d86158a110a

x86_64:
openshift-enterprise-release-2.1.9-1.el6op.noarch.rpm
    MD5: 400b3bb79ad39c611ec5f787b8749681
    SHA-256: c2b7d6e104e88a383cf7f8c51322998fae346b30e25038eafab3e6a9b71c9f89
openshift-enterprise-upgrade-broker-2.1.9-1.el6op.noarch.rpm
    MD5: 146126e30d1cd8f0bfefacb3328fc14d
    SHA-256: 83ca853e031fa800dfb7a3e94f2cc18616304099e9df376d961a3bad7e45b4b0
openshift-enterprise-upgrade-node-2.1.9-1.el6op.noarch.rpm
    MD5: 69043ff2203887512540f1d60eec9a56
    SHA-256: a594b34b612fd9a6cce2bc4cfed28f41e22b7e87975b47af52a1edc5c49089c3
openshift-enterprise-yum-validator-2.1.9-1.el6op.noarch.rpm
    MD5: 5cda4774f3d32f6dda4eaf3efd00dae8
    SHA-256: ac55324db52f2c50cd22fb7ad53c0d79c6bc75e87e5019e33191da5fb86e7cfd
openshift-origin-broker-1.16.1.14-1.el6op.noarch.rpm
    MD5: 380f2cd88c4394cce526ead67f92bdc6
    SHA-256: e7b64582508060957331dcf98de57a1974ab27bf6cfa3dc44829081580243b87
openshift-origin-broker-util-1.23.8.14-1.el6op.noarch.rpm
    MD5: 4c04610ef21803147cdb7370298e6e15
    SHA-256: 5f7fb68c89710083d0922304d32a3810c6030a16248bd05d315881d4a930e1ae
openshift-origin-cartridge-jbosseap-2.16.3.7-1.el6op.noarch.rpm
    MD5: c586da8bfc424b5346aabe34fade7a47
    SHA-256: 76644cfd36daa3bfe21655ab7c6bf5fbfe3ee82fa83840828eb953e635e3652c
openshift-origin-cartridge-jbossews-1.22.3.7-1.el6op.noarch.rpm
    MD5: 53b74236d30b11f65d417183e9aec6a3
    SHA-256: 6fd932d88e347cee75efe0602ac3e71caaedc5a42e288b854c6021d0d09fbc41
openshift-origin-msg-node-mcollective-1.22.2.3-1.el6op.noarch.rpm
    MD5: 0398fb831d50b2269ca19530df73789b
    SHA-256: e18e6990304e627eb9f55ade433957a0edf04c7ba727b0f946f024965809cd78
openshift-origin-node-util-1.22.20.5-1.el6op.noarch.rpm
    MD5: 4894a748f696d4441e4f563e3e7b57d1
    SHA-256: a7010d2eed749c666241af5334772d5c60a696c1b12a3844b167702fd0895f9f
rubygem-openshift-origin-controller-1.23.10.15-1.el6op.noarch.rpm
    MD5: 0f2fb316162861d41c7318a5df9b125d
    SHA-256: 2dc64473b54e612adacc0b553b7fb3d0f68382564f89d24af28d90c8128bf33c
rubygem-openshift-origin-frontend-apache-mod-rewrite-0.5.2.2-1.el6op.noarch.rpm
    MD5: 86bab8f4b5cdabba3a7bdea0f6bc3549
    SHA-256: 592ad8dbc9a4194793f55d8ed88fb8e8276102f19295f7b4dbd7a8a5346725f6
rubygem-openshift-origin-frontend-apache-vhost-0.5.2.6-1.el6op.noarch.rpm
    MD5: 3e9647ae67838d2288e257e4595259fd
    SHA-256: 1cc7eefc3f23eacfcc1dd5ec3e2be7001f902c263a9734f46b77a2bd78cd9fbb
rubygem-openshift-origin-frontend-apachedb-0.4.1.2-1.el6op.noarch.rpm
    MD5: 077682157ff3b3b5ae08a93fb1f28165
    SHA-256: 73275d7606314341d79b7e73f9d5eee7f5105f9ae13a9fe806b0c38e5efe0b87
rubygem-openshift-origin-frontend-haproxy-sni-proxy-0.3.2.2-1.el6op.noarch.rpm
    MD5: ffda936779f8c6e2472806c447b1513b
    SHA-256: 2a3f3b8d961ca7b3eca7f9d7a5811176d361607b0b24dadafc46718ab399ffa0
rubygem-openshift-origin-msg-broker-mcollective-1.23.3.6-1.el6op.noarch.rpm
    MD5: e02c4b9b54fc73da1f3653feda89ba24
    SHA-256: 13e143ca5364dffc8846cfe103ca32654e2a5af84f8df27491821aa50b95cfff
rubygem-openshift-origin-node-1.23.9.26-1.el6op.noarch.rpm
    MD5: 8b327f31e621059777e963ce5b3e3d4a
    SHA-256: cca17f3d6099f1b173a9a93a8e1f1ad3a8919a572a30a310239793de2356fbbb
 
(The unlinked packages above are only available from the Red Hat Network)
1131680 – CVE-2014-3602 OpenShift: /proc/net/tcp information disclosure
1143991 – [2.1 backport] Expose haproxy-sni-proxy mapped ports as environmental variables
1148170 – CVE-2014-3674 OpenShift Enterprise: gears fail to properly isolate network traffic
1149837 – [2.1 backport] oo-accept-systems: improve cartridge integrity checks
1153319 – [2.1 backport] Disable SSLv3 to mitigate POODLE CVE-2014-3566
1155794 – [2.1 backport] Race condition in `oo-httpd-singular graceful` when using apache-vhost
1163502 – Remove explicit dependency on RHEL 6.6’s subscription-manager package

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from:
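The advisory lists an MD5 and a SHA-256 digest for every package, and the packages themselves are GPG signed. As an added example that is not part of the Red Hat advisory, the POSIX shell helper below checks downloaded RPM files against a manifest transcribed from the package list above (one "<filename> <sha256>" pair per line), reports every mismatch rather than stopping at the first, and returns non-zero if any package fails. It exercises itself on a constructed five-byte file with a known digest; the manifest format, the function names and the self-check data are this example's own, not anything Red Hat ships. The digest comparison complements rather than replaces signature verification with the Red Hat key (rpm -K), which this example does not reproduce.

```shell
#!/bin/sh
# Added example, not part of the Red Hat advisory: verify downloaded RPMs
# against SHA-256 digests transcribed from the advisory before installing.
# Manifest format (assumed, one package per line, no spaces in filenames):
#   <path-to-rpm> <sha256-hex>
# Lines starting with '#' and blank lines are ignored.

# Print the hex SHA-256 digest of a file. Prefers coreutils sha256sum and
# falls back to shasum (perl/macOS) so the helper runs on either system.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_rpm_checksum <file> <expected-sha256>
# Returns 0 on match, 1 if the file is missing or the digest differs. The
# expected value is lower-cased so a digest copied in either case compares.
verify_rpm_checksum() {
    vrc_file=$1
    vrc_expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ ! -f "$vrc_file" ]; then
        echo "MISSING  $vrc_file" >&2
        return 1
    fi
    vrc_actual=$(sha256_of "$vrc_file")
    if [ "$vrc_actual" = "$vrc_expected" ]; then
        echo "OK       $vrc_file"
        return 0
    fi
    echo "MISMATCH $vrc_file" >&2
    echo "  expected: $vrc_expected" >&2
    echo "  actual:   $vrc_actual" >&2
    return 1
}

# verify_manifest <manifest-file>
# Checks every entry (no early exit) so the output lists all failures;
# returns 1 if any package is missing or has a wrong digest, else 0.
verify_manifest() {
    vm_rc=0
    while read -r vm_name vm_digest; do
        [ -n "$vm_name" ] || continue            # skip blank lines
        case $vm_name in '#'*) continue ;; esac  # skip comment lines
        verify_rpm_checksum "$vm_name" "$vm_digest" || vm_rc=1
    done < "$1"
    return $vm_rc
}

# selfcheck: runs the helpers on constructed data in a temporary directory:
# a file containing the five bytes "hello" (standing in for an RPM) listed
# once with its real SHA-256 and once, under another name, with a wrong
# digest. Returns 0 when the good entry passes and the manifest as a whole
# is rejected because of the bad entry.
selfcheck() {
    sc_dir=$(mktemp -d) || return 1
    printf 'hello' > "$sc_dir/good.rpm"
    cp "$sc_dir/good.rpm" "$sc_dir/bad.rpm"
    # SHA-256 of "hello" (constructed sample value, not an advisory digest)
    sc_good=2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824
    sc_bad=0000000000000000000000000000000000000000000000000000000000000000
    printf '# constructed manifest\n%s %s\n%s %s\n' \
        "$sc_dir/good.rpm" "$sc_good" "$sc_dir/bad.rpm" "$sc_bad" \
        > "$sc_dir/manifest"
    sc_result=1
    if verify_rpm_checksum "$sc_dir/good.rpm" "$sc_good" >/dev/null 2>&1 \
       && ! verify_manifest "$sc_dir/manifest" >/dev/null 2>&1; then
        sc_result=0
    fi
    rm -rf "$sc_dir"
    return $sc_result
}

# Real use, after transcribing the advisory's SHA-256 column into a manifest:
#   verify_manifest ./rhsa-2.1.9-manifest.txt && echo "all packages verified"
```

The helper deliberately keeps going after a failure so one run shows every package that needs re-downloading; the exit status still tells a calling script that something was wrong. Because MD5 is listed on the page as well, a practitioner should compare only the SHA-256 column and treat the MD5 as informational.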