Bug 1065198 - (CVE-2014-0084) CVE-2014-0084 rubygem-openshift-origin-node: cron.daily/cron.weekly denial of service
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: Red Hat Product Security
Whiteboard: impact=low,public=20140214,reported=2...
Keywords: Security
Depends On: 1065045 1065205 1065206
Blocks: 1065209
Reported: 2014-02-14 00:24 EST by Kurt Seifried
Modified: 2015-02-22 14:49 EST (History)

Doc Type: Bug Fix
Last Closed: 2014-07-18 15:14:53 EDT
Description Kurt Seifried 2014-02-14 00:24:38 EST
Andy Grimm of Red Hat reports:

OpenShift uses /etc/cron.daily/openshift-origin-cron-daily to run:

/usr/bin/oo-scheduled-jobs run daily &> /dev/null

This in turn runs all the user gears' cron.daily content. If these cron jobs
take a long time to run, they will prevent further OpenShift gears' cron.daily
jobs from being run in a timely manner, if at all. The same goes for /etc/cron.weekly/openshift-origin-cron-weekly.
Comment 3 Kurt Seifried 2014-02-14 01:05:20 EST
Acknowledgements:

This issue was discovered by Andy Grimm of Red Hat.
Comment 5 Tim Kramer 2014-03-19 17:07:17 EDT
Kurt,
      It looks like this should be set for
Product:  OpenShift Online
Component:  Cartridge

and not security response.  I could be wrong but I don't think the developers will see it in this state.


I see in brew:
https://brewweb.devel.redhat.com/buildinfo?buildID=344773

Michal was the last person to make a change to that RPM.
Comment 6 Michal Fojtik 2014-03-19 17:39:35 EDT
I fixed an LD_LIBRARY_PATH problem there that caused problems when users have SCL-ized python/ruby/whatever inside a cron job; that env var was not exported properly.

Kurt: There is a timeout inside the cron_runjobs.sh script that is responsible for executing users' scripts. This script has the 'timeout' command in place as the executor. See here:

https://github.com/openshift/origin-server/blob/master/cartridges/openshift-origin-cartridge-cron/bin/cron_runjobs.sh#L72
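An added illustration of the bounded-runner idea described in this comment, not OpenShift's own cron_runjobs.sh: each gear's job runs under coreutils `timeout`, so one job that hangs is killed and the gears sorted after it still get their turn. The directory layout, the 2-second limit and the sample jobs are constructed for the example; the real runner's limit is not stated in this bug.

```shell
#!/bin/sh
# Added example, not OpenShift's cron_runjobs.sh: run every gear's daily cron
# jobs sequentially, but each one under coreutils `timeout`, so a job that
# hangs is killed and the gears sorted after it still get their turn.
# Constructed layout: $root/<gear>/cron/daily/<job>; the 2-second limit is for
# the demo only (the real runner's value is not stated in the bug).

JOB_TIMEOUT="${JOB_TIMEOUT:-2}"

# Runs each executable job under timeout; prints "<finished> <killed_or_failed>".
run_gear_jobs() {
    root="$1"
    finished=0
    failed=0
    for job in "$root"/*/cron/daily/*; do
        [ -x "$job" ] || continue
        if timeout "$JOB_TIMEOUT" "$job" >/dev/null 2>&1; then
            finished=$((finished + 1))
        else
            # timeout exits 124 when it had to kill the job; any other
            # non-zero status is the job's own failure. Either way the
            # loop moves on instead of waiting forever on one gear.
            failed=$((failed + 1))
        fi
    done
    echo "$finished $failed"
}

# Builds three constructed gears: gear-a and gear-c have quick jobs, gear-b's
# job hangs. Without the timeout, gear-c would never run on this invocation.
demo() {
    demo_root="$(mktemp -d)"
    for gear in gear-a gear-c; do
        mkdir -p "$demo_root/$gear/cron/daily"
        printf '#!/bin/sh\nexit 0\n' > "$demo_root/$gear/cron/daily/quick"
        chmod +x "$demo_root/$gear/cron/daily/quick"
    done
    mkdir -p "$demo_root/gear-b/cron/daily"
    printf '#!/bin/sh\nexec sleep 600\n' > "$demo_root/gear-b/cron/daily/hang"
    chmod +x "$demo_root/gear-b/cron/daily/hang"
    run_gear_jobs "$demo_root"        # prints "2 1"
    rm -rf "$demo_root"
}

case "${1:-}" in demo) demo ;; esac
```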
Comment 7 Kurt Seifried 2014-03-19 22:26:26 EDT
(In reply to Tim Kramer from comment #5)
> Kurt,
>       It looks like this should be set for
> Product:  OpenShift Online
> Component:  Cartridge
> 
> and not security response.  I could be wrong but I don't think the
> developers will see it in this state.

This is the CVE bug; what you're describing is the tracking bug https://bugzilla.redhat.com/show_bug.cgi?id=1065045, where the changes can be made.
Comment 9 Kurt Seifried 2014-07-17 21:43:02 EDT
This was fixed publicly:

https://github.com/openshift/origin-server/pull/4764
Comment 10 Brenton Leanhardt 2014-07-18 08:14:55 EDT
For what it's worth, this shipped as part of the OpenShift Enterprise 2.1 rebase.
Comment 11 Kurt Seifried 2014-07-18 15:14:53 EDT
This issue has been addressed in the following products:

  RHEL 6 Version of OpenShift Enterprise 2.1

Via RHBA-2014:0487 https://rhn.redhat.com/errata/RHBA-2014-0487.html
