
Security Advisory Important: Red Hat OpenShift Enterprise 1.1 update

Advisory: RHSA-2013:0220-1
Type: Security Advisory
Severity: Important
Issued on: 2013-01-31
Last updated on: 2013-01-31
Affected Products: Red Hat OpenShift Enterprise 1
CVEs (cve.mitre.org): CVE-2012-5658, CVE-2012-6072, CVE-2012-6073, CVE-2012-6074, CVE-2012-6496, CVE-2013-0158, CVE-2013-0164

Details

Red Hat OpenShift Enterprise 1.1 is now available.

The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.

Red Hat OpenShift Enterprise is a cloud computing Platform-as-a-Service
(PaaS) solution designed for on-premise or private cloud deployments.

Refer to the Red Hat OpenShift Enterprise 1.1 Release Notes for information
about the changes in this release. The Release Notes will be available
shortly from https://access.redhat.com/knowledge/docs/

This update also fixes the following security issues:

It was found that the master cryptographic key of Jenkins could be
retrieved via the HTTP server that is hosting Jenkins. A remote attacker
could use this flaw to access the server and execute arbitrary code with
the privileges of the user running Jenkins. Note that this issue only
affected Jenkins instances that had slaves attached and that also allowed
anonymous read access (not the default configuration). Manual action is
also required to correct this issue. Refer to "Jenkins Security Advisory
2013-01-04", linked to in the References, for further information.
(CVE-2013-0158)

When the rhc-chk script was run in debug mode, its output included
sensitive information, such as database passwords, in plain text. As this
script is commonly used when troubleshooting, this flaw could lead to users
unintentionally exposing sensitive information in support channels (for
example, a Bugzilla report). This update removes the rhc-chk script.
(CVE-2012-5658)

Multiple flaws in the Jenkins web interface could allow a remote attacker
to perform HTTP response splitting and cross-site scripting (XSS) attacks,
as well as redirecting a victim to an arbitrary page by utilizing an open
redirect flaw. (CVE-2012-6072, CVE-2012-6074, CVE-2012-6073)

A flaw was found in the way rubygem-activerecord dynamic finders extracted
options from method parameters. A remote attacker could possibly use this
flaw to perform SQL injection attacks against applications using the Active
Record dynamic finder methods. (CVE-2012-6496)

The openshift-port-proxy-cfg program created a temporary file in an
insecure way. A local attacker could use this flaw to perform a symbolic
link attack, overwriting an arbitrary file accessible to the root user with
a "0" or a "1", which could lead to a denial of service. By default,
OpenShift uses polyinstantiation (per user) for the /tmp/ directory,
minimizing the risk of exploitation by local attackers. (CVE-2013-0164)

The CVE-2013-0164 issue was discovered by Michael Scherer of the Red Hat
Regional IT team.
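To show the class of bug behind CVE-2013-0164 and the usual fix, here is an added illustration (not the openshift-port-proxy-cfg code and not from Red Hat): a writer that trusts a pre-existing path beside one that creates a fresh file with mktemp and renames it into place. The function names and the state-file layout are assumptions; the advisory only states that lockwrap() created its temporary file insecurely.

```shell
#!/bin/sh
# Added illustration, not code from openshift-port-proxy-cfg or Red Hat.
# The advisory says lockwrap() created its temporary file insecurely and
# that a planted symbolic link could turn a write of "0" or "1" into an
# overwrite of any root-accessible file. Names and layout are assumptions.

# Vulnerable pattern: write straight to a path another local user can
# pre-create. If that path is a symlink, the shell's > redirection follows
# it and the value lands in whatever the link points at.
unsafe_write_state() {
    value="$1"; dest="$2"
    printf '%s\n' "$value" > "$dest"
}

# Hardened pattern:
#  1. mktemp creates a brand-new file (O_CREAT|O_EXCL, mode 0600) next to
#     the destination, so no pre-existing path, symlink or not, is opened;
#  2. the value is written to that private file;
#  3. rename(2) via mv swaps it into place atomically. A symlink sitting at
#     $dest is replaced as a directory entry, never followed.
safe_write_state() {
    value="$1"; dest="$2"
    destdir=$(dirname "$dest")
    # Refuse if the destination (or a symlink's target there) is a
    # directory: mv would otherwise move the file *into* it.
    if [ -d "$dest" ]; then return 1; fi
    tmp=$(mktemp "$destdir/.state.XXXXXX") || return 1
    # mktemp never hands back a symlink, but verify before writing anyway.
    if [ -L "$tmp" ] || [ ! -f "$tmp" ]; then rm -f "$tmp"; return 1; fi
    if ! printf '%s\n' "$value" > "$tmp"; then rm -f "$tmp"; return 1; fi
    mv -f "$tmp" "$dest"
}

# Returns 0 when a pre-planted symlink at the state path did NOT let the
# writer named in $1 reach the link target. Runs in a throwaway directory
# with a constructed "victim" file standing in for a root-owned file.
symlink_target_untouched() {
    writer="$1"
    work=$(mktemp -d) || return 1
    printf 'original\n' > "$work/victim"   # constructed stand-in target
    ln -s "$work/victim" "$work/state"     # link planted before the write
    "$writer" 1 "$work/state" 2>/dev/null
    result=$(cat "$work/victim")
    rm -rf "$work"
    [ "$result" = "original" ]
}
```

Per-user polyinstantiation of /tmp, which the advisory notes OpenShift enables by default, keeps other users' links out of the directory the script writes to, but it limits exposure rather than replacing safe file creation. The same mktemp-then-rename pattern applies to any root-run helper that records state under a shared directory.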

Users of Red Hat OpenShift Enterprise 1.0 are advised to upgrade to Red Hat
OpenShift Enterprise 1.1.


Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

Updated packages

Red Hat OpenShift Enterprise 1

SRPMS:
jenkins-1.498-1.1.el6op.src.rpm
File outdated by:  RHSA-2013:0700
    MD5: 79d9adfae6f4406080e8c5dc90ee2ff5
SHA-256: 9bd6b362da4a4b49f96d948e01334e76faf7722d9ec635b99aa1ab1bab507c62
mongodb-2.0.2-6.el6op.src.rpm     MD5: df7da81ab0bde9205d5a05ee3d806ec3
SHA-256: 5bd378b3ce9fdf62cf312699e7b32e2eb145918b9df816f95cf58b6da13f03ac
openshift-console-0.0.13-2.el6op.src.rpm
File outdated by:  RHBA-2013:0694
    MD5: 81c36829ca1075cc372923ea176ca986
SHA-256: c2e700011838fada1999f07ac50c1e96ee0c0784ad3bc8daf447a4297f540a41
openshift-origin-broker-1.0.10-1.el6op.src.rpm
File outdated by:  RHBA-2013:0694
    MD5: 8fa9d918961b36cc10a886e538737497
SHA-256: 412ded93fc67f5fdf2908e0553826d8b2a487d91bf152da239cd1bbc31004e04
openshift-origin-broker-util-1.0.14-1.el6op.src.rpm
File outdated by:  RHBA-2013:0694
    MD5: 5d849a3cb7000d46f667248166f1dc4b
SHA-256: b27da29e09a187bed160b1ae9a94b3f8f1f87dac54b6517192a851db6bc03843
openshift-origin-cartridge-haproxy-1.4-1.0.3-1.el6op.src.rpm
File outdated by:  RHBA-2013:0694
    MD5: 121fe5203b7681980cd11dcecf499b90
SHA-256: 06635cb4e06cfa129e75ccae4f6bca63b47cb3c5874f06a0fa8357bbe8db102d
openshift-origin-cartridge-ruby-1.8-1.0.5-1.el6op.src.rpm
File outdated by:  RHBA-2013:0694
    MD5: 34142969fb1dbaaec7b14695698adbd7
SHA-256: 8c51b6442c78091dbae3ed3a0ada1df372bf31981374f41882aab6e150a732b2
openshift-origin-cartridge-ruby-1.9-scl-1.0.5-1.el6op.src.rpm
File outdated by:  RHBA-2013:0694
    MD5: 7d35d9f4f4dbb38ed1009f862ff63bf5
SHA-256: 839b826d775e74e56cbf87c0cc89e89838d88983307409e5fae1859c6a45fe33
openshift-origin-msg-node-mcollective-1.0.2-1.el6op.src.rpm
File outdated by:  RHBA-2013:0723
    MD5: 34fe081c69097f7e3483b252f660fb3a
SHA-256: 593dbda8dbafd2e664fdc5a37831a33891271321edf794cc8786d4146a8cab3a
openshift-origin-node-util-1.0.7-1.el6op.src.rpm
File outdated by:  RHBA-2013:0694
    MD5: 231b55e17dda3a166f5a5b391c30eaa3
SHA-256: 08438d8ada485e827c24b09f4ff3053a8280d546e64726c3a194adb4d8a19c60
openshift-origin-port-proxy-1.0.3-1.el6op.src.rpm     MD5: d13b68ab9a3b646f9d314d072d876c96
SHA-256: 8a2971540eb64ee4c7b60cc8cbbe462bf159c3fab4efe46fe9698f7b87c1052a
rhc-1.3.2-1.3.el6op.src.rpm     MD5: 5b256afd523917c06e2e8adcb0291efb
SHA-256: 51601a459fb1524093f1535a99fbde01c19b122226a42b9eab4f5975b0940214
ruby193-rubygem-activerecord-3.2.8-2.el6.src.rpm
File outdated by:  RHSA-2013:0699
    MD5: ec949956b0eaff30381bf2c86b441b3f
SHA-256: 6cac60fa438a50a73273763cbd80f2b99e8e170a16f53d6eb6ff052414e0b361
ruby193-rubygem-passenger-3.0.12-21.el6op.src.rpm     MD5: bbcb77dadbd013a6a7b16673ca980de3
SHA-256: 24a2ce83798814388cf0653289f25106d4b5bbe49133c5b9d37394bf4f36a7a9
rubygem-activerecord-3.0.13-3.el6op.src.rpm
File outdated by:  RHSA-2013:0582
    MD5: 34e38e749d82a8ffd099d0bdcf7040df
SHA-256: 3d887a27c82f3bf1135359ddf4e595637ee7678412ef872d1ce3ec4e9675d0a6
rubygem-openshift-origin-auth-remote-user-1.0.4-2.el6op.src.rpm
File outdated by:  RHSA-2013:0582
    MD5: d694a64aad92a6ea64ce607adb8b766b
SHA-256: 0ee3d24fd6716af0124d6090d4ffc9333336785b6684a5419658bbdf42415a4e
rubygem-openshift-origin-common-1.0.2-1.el6op.src.rpm     MD5: f6ad18f12b4c96fa7c248f69a84bf4f4
SHA-256: 7ffa377be6e756ca8ab647af7bdfecc8dd41108dc626d732384750f2a3e01b26
rubygem-openshift-origin-console-1.0.6-1.el6op.src.rpm
File outdated by:  RHSA-2013:0582
    MD5: b88facadc80d3504deb3ded75c349732
SHA-256: 46b1d170b42c781792234788d5b94ee996c289471ba449a6d343a7e7d294ba6a
rubygem-openshift-origin-controller-1.0.11-1.el6op.src.rpm
File outdated by:  RHBA-2013:0694
    MD5: d9620db6f6bdc7b752966b0118fe7126
SHA-256: 4993fcd849198ba439c7c0a1f5d639e4fe0fce3e5d292e7164204406fb4988c8
rubygem-openshift-origin-dns-bind-1.0.2-1.el6op.src.rpm     MD5: 1a3aeec37d9e010c70f3f64ba7287839
SHA-256: 2cfec1cef2a6d9ad45dc3eac09dd0ea6dd92c1b487dc426c5efb611414521687
rubygem-openshift-origin-msg-broker-mcollective-1.0.4-1.el6op.src.rpm
File outdated by:  RHBA-2013:0694
    MD5: 39117812cd48a280ca857f462279a379
SHA-256: aa0d380d267020073c4a3fa20c09c321ff18c04ca8851761294ecd6f966ebee7
rubygem-openshift-origin-node-1.0.10-6.el6op.src.rpm
File outdated by:  RHBA-2013:0694
    MD5: 37bf44bd0e8a649604e58a4b22a01fb0
SHA-256: 3c4c474491846d27fdb1030a97a31406c0ef7c60376414b0edbcadba178474af
 
x86_64:
jenkins-1.498-1.1.el6op.noarch.rpm
File outdated by:  RHSA-2013:0700
    MD5: 693c6951b71b69dd08adfc5c141249a0
SHA-256: 79b173b07d058eba2611c4f8e11adee936ad0cf172523c1900481ac4093cee73
libmongodb-2.0.2-6.el6op.x86_64.rpm     MD5: c7d24c8f27a97318fa0ae6af6b19650a
SHA-256: ff3b6fd1fc382f27bf109a4db6590b898dd919c55329acca735c76294a78e888
mongodb-2.0.2-6.el6op.x86_64.rpm     MD5: 2764330a2ce83c07eabb26d48930ae4e
SHA-256: b73db8cd7495fb3149e9400d999f2094836e5156ec38c108dc242bdc4800bf77
mongodb-debuginfo-2.0.2-6.el6op.x86_64.rpm     MD5: 6b8cd369648fe1788868884e15f00392
SHA-256: 087a338a47e9ae562181aad88126e3656dc31a2829a909f430a4d36d14dbf504
mongodb-devel-2.0.2-6.el6op.x86_64.rpm     MD5: 43a0c408113d9567b7b70560f92fdbb6
SHA-256: 5a57e2b674aa476821fec18675267f59571108aa5c00ff5b872824201d67278e
mongodb-server-2.0.2-6.el6op.x86_64.rpm     MD5: fd11c8d984885b2a7a262c1b95acfbd0
SHA-256: e39834f81766c1e2d70f9090912ea1ea640e74c807f58e0bc0e2fbf5fe653d51
openshift-console-0.0.13-2.el6op.noarch.rpm
File outdated by:  RHBA-2013:0694
    MD5: 241369cfbaa005f89416352ddd1a8338
SHA-256: d12af9aa1e5eadb4a4935c2cfc698f6f001c6d57a507e1c2df5b30dc9dcc54e3
openshift-origin-broker-1.0.10-1.el6op.noarch.rpm
File outdated by:  RHBA-2013:0694
    MD5: 92c3aaf86cec3d95d73527089edee9f2
SHA-256: 8dc9aee545040deb161e64197a6f2494d9f5954513d4d2c80a1bf348d0abed94
openshift-origin-broker-util-1.0.14-1.el6op.noarch.rpm
File outdated by:  RHBA-2013:0694
    MD5: 9e57438f6f041bf98b6d465ab09efb51
SHA-256: b0eff9e27e8b6a1f0264536315fe7668c727268bd1780ed460b47d29f5a2f6a4
openshift-origin-cartridge-haproxy-1.4-1.0.3-1.el6op.noarch.rpm
File outdated by:  RHBA-2013:0694
    MD5: c8ec14e39192826643b6de99834f900e
SHA-256: 3ba9c07f84da053f3b24769a5ade220ff5e76e4d375b0e36745b9029aa2391d0
openshift-origin-cartridge-ruby-1.8-1.0.5-1.el6op.noarch.rpm
File outdated by:  RHBA-2013:0694
    MD5: dbe485e86903772bae101def12569742
SHA-256: f24441e834291be4be842954ce415516db79a4bbcfb217291a097f055ffd397b
openshift-origin-cartridge-ruby-1.9-scl-1.0.5-1.el6op.noarch.rpm
File outdated by:  RHBA-2013:0694
    MD5: 5b8b90754002cd8ef0371ba7bfd374aa
SHA-256: 14a29aa208422e330d84b6d00e8fdfeb12a7b678f27de3fa38b87d367695ea05
openshift-origin-msg-node-mcollective-1.0.2-1.el6op.noarch.rpm
File outdated by:  RHBA-2013:0723
    MD5: 894316210d880eb82434584eb65e9d02
SHA-256: f14fc23113dbbe170d48a28a7a9c3cab0a0a5f68e5b47805510b4a52d5549986
openshift-origin-node-util-1.0.7-1.el6op.noarch.rpm
File outdated by:  RHBA-2013:0694
    MD5: f70ca599b37624caab5fe6bcc8ef1ced
SHA-256: b5416ef67a9e15d3f87b3ed4999722d21d6f342efee466ce336335220f7ea460
openshift-origin-port-proxy-1.0.3-1.el6op.noarch.rpm     MD5: 5dcc09c81e0d6fdd21f0a0d72de55333
SHA-256: 41861ea6931bbf9e3165943408361cdf878164ca99a0408df7603da6d2d65d15
rhc-1.3.2-1.3.el6op.noarch.rpm     MD5: 2424a304081bb5e16bd229970fb639d1
SHA-256: ce1907efc48507e05b67ea2fcea8ac8fcd15f1c1e298f98d694149f71474b317
ruby193-mod_passenger-3.0.12-21.el6op.x86_64.rpm     MD5: a77cfb5e8796820a3084909df94b481d
SHA-256: 0c6c92a88aeb143a6446818da94c05e8396b98ab02f2e3b240b82e6da0088bba
ruby193-rubygem-activerecord-3.2.8-2.el6.noarch.rpm
File outdated by:  RHSA-2013:0699
    MD5: 6bf37c57caa597786b9c19481355297e
SHA-256: ce98eb20036e055a6195764d1dbd2255dbabb72a2f3261025ed02e5d3ae64617
ruby193-rubygem-activerecord-doc-3.2.8-2.el6.noarch.rpm
File outdated by:  RHSA-2013:0699
    MD5: 8976095de243c584fdfeb598402d191a
SHA-256: 59959bcad34e833c9d8846a710455658b81337316e107c91b8a965f1a4270e94
ruby193-rubygem-passenger-3.0.12-21.el6op.x86_64.rpm     MD5: 62c4558ac2639588a69f7a81ae7764fd
SHA-256: 7f516f025fd4aa69a24c1192693aa63dd9119ea2ab878765a7939eb2a29ddca2
ruby193-rubygem-passenger-debuginfo-3.0.12-21.el6op.x86_64.rpm     MD5: 79fe1c4d25e801fb56dda8da093acff0
SHA-256: 6b15ef035bac9fddfac368d50607788f8aca6528758381f3b5cf4db590dd2345
ruby193-rubygem-passenger-devel-3.0.12-21.el6op.x86_64.rpm     MD5: 23d81b35b32d613117e2a8cec7c45e6d
SHA-256: 643f0dd5f3564a6045e51ea179192194da5932bd73738b06161c7c7d933594f6
ruby193-rubygem-passenger-doc-3.0.12-21.el6op.x86_64.rpm     MD5: fc752d537bb6a0264237b39177118384
SHA-256: 2f69d369a5cd26451333fc38eff578e0d3b065035be1e82234f65c210c80fd10
ruby193-rubygem-passenger-native-3.0.12-21.el6op.x86_64.rpm     MD5: de19de9b3d943d7eb8e51a13821a380d
SHA-256: 6830a31c58ea14142e59a11610d9609a6098456ac74d7c661ca2ea635b8c7967
ruby193-rubygem-passenger-native-libs-3.0.12-21.el6op.x86_64.rpm     MD5: 4249401942a7fc59609f17645a51acce
SHA-256: a87ed7a0558cd70219ae9ec4e2fc70847481f48367e4a9c015906504e5b6a20c
rubygem-activerecord-3.0.13-3.el6op.noarch.rpm
File outdated by:  RHSA-2013:0582
    MD5: 9e6bbf348d7747e47531708c11293c1b
SHA-256: 2f3a6618bc8d874458dca0d57784be6542143f48ce137e9d5798bb016b6de8c2
rubygem-openshift-origin-auth-remote-user-1.0.4-2.el6op.noarch.rpm
File outdated by:  RHSA-2013:0582
    MD5: 699b0746fe5e71a44aa3639cc747ae9a
SHA-256: 25dea722d0a8d98c1debaf203664aaf3d472ab86f0dfbd7504f910434fe66cc8
rubygem-openshift-origin-common-1.0.2-1.el6op.noarch.rpm     MD5: f6913e2a7c851a7399639fb12a393db8
SHA-256: 3b78e63f32097d4082b0aeae670376eb2189dd91a0476a047101604bb81d4281
rubygem-openshift-origin-console-1.0.6-1.el6op.noarch.rpm
File outdated by:  RHSA-2013:0582
    MD5: 4242a78e63401472224c8f668e0e3d61
SHA-256: c82222a1d9966362b9056697126c5db1327478c836e32ab2c0782ced647bf2fd
rubygem-openshift-origin-console-doc-1.0.6-1.el6op.noarch.rpm
File outdated by:  RHSA-2013:0582
    MD5: 8b8a1dd10eb436b02aab35eb12d1f942
SHA-256: ab7936c4cb4066cbeb62ead5dbe3e4c159b35b13f4cb739e07d11d07d5df8928
rubygem-openshift-origin-controller-1.0.11-1.el6op.noarch.rpm
File outdated by:  RHBA-2013:0694
    MD5: d7b75fe1014e8f0ad74b3f0db1cc19d9
SHA-256: 92c517fb74032b67181e6fc1e5aede54c6801594f8a1de1917c65575ab1cb46e
rubygem-openshift-origin-dns-bind-1.0.2-1.el6op.noarch.rpm     MD5: d209c626fe300ba931febe3bbeb9cbab
SHA-256: 1f07ef660d8de7c31abfd920221f8346255b64ae38f5d418caa317910ad850eb
rubygem-openshift-origin-msg-broker-mcollective-1.0.4-1.el6op.noarch.rpm
File outdated by:  RHBA-2013:0694
    MD5: 19c95f2f7a1add19fb74ed78c557df92
SHA-256: 339c744c229f73af7de12dbb92611a6e22921e8ab4d7651d49da4895231d0bac
rubygem-openshift-origin-node-1.0.10-6.el6op.noarch.rpm
File outdated by:  RHBA-2013:0694
    MD5: 0957e98b1ced8bde82a45d120328089e
SHA-256: 45bbdfdd7413a2fc912fbb700806b111a3b225ca322f97a923cd0b69b3177251
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

855264 - Can't "rhc app tail" ruby app error_log file when the server's timezone is not EST.
864921 - Exception is seen upon creating domain when no cartridge is installed in node.
872415 - No config setting for default gear capabilities for a new user
873765 - typo in description of man page for oo-admin-ctl-app
873768 - description of man page for oo-admin-ctl-template
874511 - [Installation]"error while loading shared libraries: libruby.so.1.9" is seen in the file /etc/httpd/logs/error_log
874750 - man page for oo-accept-broker defines '-d' for two different options
874751 - man page for oo-accept-broker does not provide acceptable options for auth, storage, and dns switches
874757 - oo-accept-broker usage statement does not match man page options
874799 - oo-admin-chk '-h' option ignored
874845 - oo-admin-ctl-app accepts garbage for a command and returns success.
875657 - [US3036]Some format errors in the prompt message when executing "oo-admin-ctl" and "oo-accept-*"
876324 - httpd ssl.conf and node conf should not intercept requests meant for the broker
876465 - Embedding scalable app (php) with jenkins fails to create a new builder (only via web)
876644 - oo-register-dns is hardcoded to add entries to a BIND server at 127.0.0.1
876937 - Return "FAILED" if trying to stop openshift-console which is already stopped
876939 - Return "FAILED" if trying to stop openshift-port-proxy which is already stopped
877158 - No "log out" button exists for the web console when using basic auth
877407 - [Cartridge] "Node execution failure" when creating app by --enable-jenkins
883527 - Remove oo-setup-bind
885587 - Jenkins server isn't created using option --enable-jenkins without jenkins server name specified if commander version is 4.0.3
885598 - [client]Should add split character between each alias-name when execute "rhc domain show" in ruby-1.8 environment
886159 - Changing the local console port from 3128 to 8118
888043 - Replica set variables in broker.conf not being utilized correctly
888056 - production.rb should not be marked as a conf file
888671 - [Installation]oo-accept-broker or oo-accept-systems will create production.log, the file's permission is wrong.
889062 - CVE-2012-5658 OpenShift Origin: rhc-chk.rb password exposure in log files
889088 - Prompt error message when restore the app
889095 - Database password not printed out when adding db cartridge to applications
889125 - Should remove rhc-chk in rhc client of Enterprise
889649 - CVE-2012-6496 rubygem-activerecord: find_by_* SQL Injection
890607 - CVE-2012-6072 Jenkins: HTTP response splitting
890608 - CVE-2012-6073 Jenkins: open redirect
890612 - CVE-2012-6074 Jenkins: cross-site scripting vulnerability
892781 - Race condition adding multiple SSH keys to gears
892795 - CVE-2013-0158 jenkins: remote unauthenticated retrieval of master cryptographic key (Jenkins Security Advisory 2013-01-04)
892990 - The server address should not be "localhost" on user account info page
893288 - [Console] We should tell them the actual cloud domain they get, not rhcloud.com
893307 - CVE-2013-0164 openshift-origin-port-proxy: openshift-port-proxy-cfg lockwrap() tmp file creation
893895 - "File a bug" link should be Openshift Enterprise
896406 - [Installation]Some warning message when install "rubygem-openshift-origin-node" package.


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/