Bug 1862113

Summary: [4.4.z] update boot images to address CVE-2020-10713
Product: OpenShift Container Platform
Component: RHCOS
Version: 4.4
Target Release: 4.4.z
Status: CLOSED ERRATA
Severity: medium
Priority: high
Hardware: Unspecified
OS: Unspecified
Reporter: Micah Abbott <miabbott>
Assignee: Micah Abbott <miabbott>
QA Contact: Michael Nguyen <mnguyen>
CC: bbreard, dornelas, imcleod, jligon, mnguyen, nstielau, smilner
Clone Of: 1862112
Clones: 1862114
Bug Depends On: 1862111, 1862112
Bug Blocks: 1186913, 1862114
Last Closed: 2020-08-18 11:45:28 UTC

Description Micah Abbott 2020-07-30 13:35:55 UTC
+++ This bug was initially created as a clone of Bug #1862112 +++

+++ This bug was initially created as a clone of Bug #1862111 +++

The mitigation route for OCP customers is to reprovision nodes that may be affected by CVE-2020-10713.

To do that, we need to provide new boot images and update the installer to reference them.

Comment 1 Micah Abbott 2020-07-30 19:48:58 UTC
This is currently being worked on and work will continue next sprint.

Comment 2 Steve Milner 2020-08-04 21:11:44 UTC
PR: https://github.com/openshift/installer/pull/3985

Comment 5 Michael Nguyen 2020-08-07 14:08:52 UTC
Verified on registry.svc.ci.openshift.org/ocp/release:4.4.0-0.nightly-2020-08-07-080430

== on bootstrap node shim version is 15-15.el8_2 ==
[core@ip-10-0-8-133 ~]$ rpm-ostree status
State: idle
AutomaticUpdates: disabled
Deployments:
● ostree://a0f9f9a7ccdf6ac8a7d83abcdae42f05c9295c172a8635e466be6804f94d33d5
                   Version: 44.82.202008011133-0 (2020-08-01T11:39:22Z)
[core@ip-10-0-8-133 ~]$ rpm -qi shim-x64
Name        : shim-x64
Version     : 15
Release     : 15.el8_2
Architecture: x86_64
Install Date: Sat 01 Aug 2020 11:37:17 AM UTC
Group       : Unspecified
Size        : 5252606
License     : BSD
Signature   : RSA/SHA256, Fri 31 Jul 2020 11:10:11 PM UTC, Key ID 199e2f91fd431d51
Source RPM  : shim-15-15.el8_2.src.rpm
Build Date  : Fri 31 Jul 2020 09:18:08 PM UTC
Build Host  : x86-vm-09.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : https://github.com/rhboot/shim/
Summary     : First-stage UEFI bootloader
Description :
Initial UEFI bootloader that handles chaining to a trusted full
bootloader under secure boot environments. This package contains the
version signed by the UEFI signing service.

== Verify shim-x64 version on cluster and verify bootstrapped version also ==

$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.4.0-0.nightly-2020-08-07-080430   True        False         8m43s   Cluster version is 4.4.0-0.nightly-2020-08-07-080430
$ oc get nodes
NAME                                         STATUS   ROLES    AGE   VERSION
ip-10-0-135-43.us-west-2.compute.internal    Ready    master   33m   v1.17.1+4803e5f
ip-10-0-158-164.us-west-2.compute.internal   Ready    worker   19m   v1.17.1+4803e5f
ip-10-0-165-243.us-west-2.compute.internal   Ready    worker   19m   v1.17.1+4803e5f
ip-10-0-167-139.us-west-2.compute.internal   Ready    master   32m   v1.17.1+4803e5f
ip-10-0-193-27.us-west-2.compute.internal    Ready    worker   18m   v1.17.1+4803e5f
ip-10-0-221-31.us-west-2.compute.internal    Ready    master   32m   v1.17.1+4803e5f
$ oc debug node/ip-10-0-135-43.us-west-2.compute.internal -- chroot /host rpm-ostree status
Starting pod/ip-10-0-135-43us-west-2computeinternal-debug ...
To use host binaries, run `chroot /host`
State: idle
AutomaticUpdates: disabled
Deployments:
* pivot://quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:b625356e670b0dcf6cbf2387fd2bc906c5760ff8271fb2511ce7430f014555a4
              CustomOrigin: Managed by machine-config-operator
                   Version: 44.82.202008070230-0 (2020-08-07T02:36:13Z)

  ostree://a0f9f9a7ccdf6ac8a7d83abcdae42f05c9295c172a8635e466be6804f94d33d5
                   Version: 44.82.202008011133-0 (2020-08-01T11:39:22Z)

Removing debug pod ...
$ oc debug node/ip-10-0-135-43.us-west-2.compute.internal -- chroot /host rpm -qi shim-x64
Starting pod/ip-10-0-135-43us-west-2computeinternal-debug ...
To use host binaries, run `chroot /host`
Name        : shim-x64
Version     : 15
Release     : 15.el8_2
Architecture: x86_64
Install Date: Fri Aug  7 02:34:12 2020
Group       : Unspecified
Size        : 5252606
License     : BSD
Signature   : RSA/SHA256, Fri Jul 31 23:10:11 2020, Key ID 199e2f91fd431d51
Source RPM  : shim-15-15.el8_2.src.rpm
Build Date  : Fri Jul 31 21:18:08 2020
Build Host  : x86-vm-09.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : https://github.com/rhboot/shim/
Summary     : First-stage UEFI bootloader
Description :
Initial UEFI bootloader that handles chaining to a trusted full
bootloader under secure boot environments. This package contains the
version signed by the UEFI signing service.

Removing debug pod ...
$ oc debug node/ip-10-0-158-164.us-west-2.compute.internal -- chroot /host rpm-ostree status
Starting pod/ip-10-0-158-164us-west-2computeinternal-debug ...
To use host binaries, run `chroot /host`
State: idle
AutomaticUpdates: disabled
Deployments:
* pivot://quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:b625356e670b0dcf6cbf2387fd2bc906c5760ff8271fb2511ce7430f014555a4
              CustomOrigin: Managed by machine-config-operator
                   Version: 44.82.202008070230-0 (2020-08-07T02:36:13Z)

  ostree://a0f9f9a7ccdf6ac8a7d83abcdae42f05c9295c172a8635e466be6804f94d33d5
                   Version: 44.82.202008011133-0 (2020-08-01T11:39:22Z)

Removing debug pod ...
$ oc debug node/ip-10-0-158-164.us-west-2.compute.internal -- chroot /host rpm -qi shim-x64
Starting pod/ip-10-0-158-164us-west-2computeinternal-debug ...
To use host binaries, run `chroot /host`
Name        : shim-x64
Version     : 15
Release     : 15.el8_2
Architecture: x86_64
Install Date: Fri Aug  7 02:34:12 2020
Group       : Unspecified
Size        : 5252606
License     : BSD
Signature   : RSA/SHA256, Fri Jul 31 23:10:11 2020, Key ID 199e2f91fd431d51
Source RPM  : shim-15-15.el8_2.src.rpm
Build Date  : Fri Jul 31 21:18:08 2020
Build Host  : x86-vm-09.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : https://github.com/rhboot/shim/
Summary     : First-stage UEFI bootloader
Description :
Initial UEFI bootloader that handles chaining to a trusted full
bootloader under secure boot environments. This package contains the
version signed by the UEFI signing service.

Removing debug pod ...
$ oc debug node/ip-10-0-158-164.us-west-2.compute.internal -- chroot /host rpm-ostree db list a0f9f9a7ccdf6ac8a7d83abcdae42f05c9295c172a8635e466be6804f94d33d5 | grep shim-x64
Starting pod/ip-10-0-158-164us-west-2computeinternal-debug ...
To use host binaries, run `chroot /host`
 shim-x64-15-15.el8_2.x86_64

Removing debug pod ...

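Added example (editorial; not part of the bug's comments, and not code from openshift/installer or the RHCOS build): Comment 5 verifies the fix by running `rpm -qi shim-x64` on one node at a time through `oc debug`. The script below loops the same query over every node, parses the Version/Release fields, and flags any node whose shim-x64 sorts below 15-15.el8_2, the release the verification above shows. Assumptions: `oc` is logged in with cluster-admin, the nodes are x86_64 RHCOS, GNU `sort -V` is available, and any shim-x64 at or above that version-release is treated as carrying the fix (the cut-off is taken from this bug's data, not from advisories for other products). The sample `rpm -qi` inputs are constructed, not captured from a cluster.

```shell
#!/usr/bin/env bash
# Added example, not from the bug or from openshift/installer: report the
# shim-x64 version on every node and flag nodes below the release that
# Comment 5 verifies (shim-x64-15-15.el8_2). Assumes `oc` is logged in as
# cluster-admin, nodes are x86_64 RHCOS, and anything at or above that
# version-release carries the fix (assumption based on this bug's data).

MIN_SHIM_VR="15-15.el8_2"   # version-release shown in Comment 5

# shim_vr_from_qi: read `rpm -qi shim-x64` text on stdin, print "Version-Release".
# Lines that are not "Version :" / "Release :" (oc debug chatter, the package
# Description) are ignored, so raw `oc debug` output can be piped straight in.
shim_vr_from_qi() {
  awk -F': *' '
    $1 ~ /^Version *$/ { v = $2; gsub(/ +$/, "", v) }
    $1 ~ /^Release *$/ { r = $2; gsub(/ +$/, "", r) }
    END { if (v != "" && r != "") print v "-" r }
  '
}

# vr_at_least HAVE MIN: true if HAVE sorts at or above MIN (GNU `sort -V`).
vr_at_least() {
  [ -n "$1" ] && [ "$(printf '%s\n' "$1" "$2" | sort -V | head -n1)" = "$2" ]
}

# shim_status NODE QI_TEXT: print "NODE VERSION-RELEASE VERDICT" on one line.
# Missing rpm data is reported as UNKNOWN rather than silently passing.
shim_status() {
  local node=$1 vr
  vr=$(printf '%s\n' "$2" | shim_vr_from_qi)
  if [ -z "$vr" ]; then
    printf '%s %s %s\n' "$node" "-" "UNKNOWN"
  elif vr_at_least "$vr" "$MIN_SHIM_VR"; then
    printf '%s %s %s\n' "$node" "$vr" "OK"
  else
    printf '%s %s %s\n' "$node" "$vr" "VULNERABLE"
  fi
}

# check_cluster: the query Comment 5 runs by hand, looped over every node.
# Exits non-zero if any node is not OK, so it can gate an automation step.
check_cluster() {
  local node qi line bad=0
  for node in $(oc get nodes -o jsonpath='{.items[*].metadata.name}'); do
    qi=$(oc debug "node/$node" -- chroot /host rpm -qi shim-x64 2>&1)
    line=$(shim_status "$node" "$qi")
    printf '%s\n' "$line"
    case $line in *" OK") ;; *) bad=$((bad + 1)) ;; esac
  done
  [ "$bad" -eq 0 ]
}

# Constructed sample inputs (not captured from a cluster): the first mirrors
# the Comment 5 output, the second is an illustrative older release with the
# two lines of `oc debug` chatter left in.
SAMPLE_FIXED_QI='Name        : shim-x64
Version     : 15
Release     : 15.el8_2
Architecture: x86_64
Summary     : First-stage UEFI bootloader'

SAMPLE_OLD_QI='Starting pod/example-debug ...
To use host binaries, run `chroot /host`
Name        : shim-x64
Version     : 15
Release     : 13.el8
Architecture: x86_64'

if [ "${1:-}" = "--cluster" ]; then
  check_cluster
else
  shim_status "sample-fixed-node" "$SAMPLE_FIXED_QI"
  shim_status "sample-old-node"   "$SAMPLE_OLD_QI"
fi
```

Run it with `--cluster` against a logged-in cluster; without arguments it only evaluates the constructed samples. The rpm query reports what is in the deployed ostree commit; this bug's mitigation is reprovisioning from new boot images, so a passing check is a necessary condition, not by itself proof that every node was reprovisioned.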
Comment 7 errata-xmlrpc 2020-08-18 11:45:28 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.4.17 bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:3334