Bug 1862111 - update boot images to address CVE-2020-10713
Summary: update boot images to address CVE-2020-10713
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: RHCOS
Version: 4.6
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: medium
Target Milestone: ---
Target Release: 4.6.0
Assignee: Micah Abbott
QA Contact: Michael Nguyen
URL:
Whiteboard:
Depends On:
Blocks: 1186913 1862112 1862113
Reported: 2020-07-30 13:34 UTC by Micah Abbott
Modified: 2020-10-27 16:21 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 1862112
Environment:
Last Closed: 2020-10-27 16:21:22 UTC
Target Upstream Version:
Embargoed:




Links
System                            ID              Private  Priority  Status  Summary                                             Last Updated
Github openshift installer pull   3983            0        None      closed  Bug 1862111: bump RHCOS images for CVE-2020-10713   2020-09-15 22:30:32 UTC
Red Hat Product Errata            RHBA-2020:4196  0        None      None    None                                                2020-10-27 16:21:49 UTC

Description Micah Abbott 2020-07-30 13:34:25 UTC
The mitigation route for OCP customers is to reprovision nodes that may be affected by CVE-2020-10713.

To do that, we need to provide new boot images and update the installer to reference them.

Comment 1 Micah Abbott 2020-07-30 19:42:39 UTC
This is currently being worked on and work will continue next sprint.

Comment 2 Steve Milner 2020-08-04 21:14:30 UTC
PR: https://github.com/openshift/installer/pull/3983

Comment 5 Michael Nguyen 2020-08-06 13:01:46 UTC
Verified on 4.6.0-0.nightly-2020-08-06-093209.

$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.6.0-0.nightly-2020-08-06-093209   True        False         12m     Cluster version is 4.6.0-0.nightly-2020-08-06-093209

== log into the bootstrap node and check shim package ==

[core@ip-10-0-18-90 ~]$ rpm -qa | grep shim
shim-x64-15-15.el8_2.x86_64
[core@ip-10-0-18-90 ~]$ rpm-ostree status
State: idle
Deployments:
● ostree://eada9e31e3e23e864b7c06bafa7b7756c0eceb38c1aa1e76e6bcf347d3663533
                   Version: 46.82.202008030340-0 (2020-08-03T03:44:50Z)
[core@ip-10-0-18-90 ~]$ rpm -ql shim-x64
/boot/efi/EFI/BOOT/BOOTX64.EFI
/boot/efi/EFI/BOOT/fbx64.efi
/boot/efi/EFI/redhat/BOOTX64.CSV
/boot/efi/EFI/redhat/mmx64.efi
/boot/efi/EFI/redhat/shimx64-redhat.efi
/boot/efi/EFI/redhat/shimx64.efi
[core@ip-10-0-18-90 ~]$ rpm -qi shim-x64
Name        : shim-x64
Version     : 15
Release     : 15.el8_2
Architecture: x86_64
Install Date: Mon 03 Aug 2020 03:42:30 AM UTC
Group       : Unspecified
Size        : 5252606
License     : BSD
Signature   : RSA/SHA256, Fri 31 Jul 2020 11:10:11 PM UTC, Key ID 199e2f91fd431d51
Source RPM  : shim-15-15.el8_2.src.rpm
Build Date  : Fri 31 Jul 2020 09:18:08 PM UTC
Build Host  : x86-vm-09.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : https://github.com/rhboot/shim/
Summary     : First-stage UEFI bootloader
Description :
Initial UEFI bootloader that handles chaining to a trusted full
bootloader under secure boot environments. This package contains the
version signed by the UEFI signing service.
[core@ip-10-0-18-90 ~]$ 


== log into master node and check shim package and bootstrapped shim package ==
$ oc get nodes
NAME                                         STATUS   ROLES    AGE   VERSION
ip-10-0-134-205.us-west-2.compute.internal   Ready    master   29m   v0.0.0-master+$Format:%h$
ip-10-0-148-218.us-west-2.compute.internal   Ready    worker   17m   v0.0.0-master+$Format:%h$
ip-10-0-175-60.us-west-2.compute.internal    Ready    master   29m   v0.0.0-master+$Format:%h$
ip-10-0-188-122.us-west-2.compute.internal   Ready    worker   17m   v0.0.0-master+$Format:%h$
ip-10-0-201-138.us-west-2.compute.internal   Ready    master   28m   v0.0.0-master+$Format:%h$
ip-10-0-211-133.us-west-2.compute.internal   Ready    worker   17m   v0.0.0-master+$Format:%h$
$ oc debug node/ip-10-0-134-205.us-west-2.compute.internal 
Starting pod/ip-10-0-134-205us-west-2computeinternal-debug ...
To use host binaries, run `chroot /host`
If you don't see a command prompt, try pressing enter.
sh-4.2# chroot /host
sh-4.4# rpm-ostree status
State: idle
Deployments:
* pivot://quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:16a8dde4b893ff0b5b4aeb05474f2f5e2ce9cac45d5d3e98b40c4309e23215a7
              CustomOrigin: Managed by machine-config-operator
                   Version: 46.82.202008032211-0 (2020-08-03T22:15:23Z)

  ostree://eada9e31e3e23e864b7c06bafa7b7756c0eceb38c1aa1e76e6bcf347d3663533
                   Version: 46.82.202008030340-0 (2020-08-03T03:44:50Z)
sh-4.4# rpm -q shim-x64
shim-x64-15-15.el8_2.x86_64
sh-4.4# rpm-ostree db list eada9e31e3e23e864b7c06bafa7b7756c0eceb38c1aa1e76e6bcf347d3663533 | grep shim
 shim-x64-15-15.el8_2.x86_64

sh-4.4# exit
exit
sh-4.2# exit
exit

Removing debug pod ...


== log into the worker node and check the shim package and the bootstrapped shim package ==
$ oc get node
NAME                                         STATUS   ROLES    AGE   VERSION
ip-10-0-134-205.us-west-2.compute.internal   Ready    master   33m   v0.0.0-master+$Format:%h$
ip-10-0-148-218.us-west-2.compute.internal   Ready    worker   21m   v0.0.0-master+$Format:%h$
ip-10-0-175-60.us-west-2.compute.internal    Ready    master   33m   v0.0.0-master+$Format:%h$
ip-10-0-188-122.us-west-2.compute.internal   Ready    worker   22m   v0.0.0-master+$Format:%h$
ip-10-0-201-138.us-west-2.compute.internal   Ready    master   33m   v0.0.0-master+$Format:%h$
ip-10-0-211-133.us-west-2.compute.internal   Ready    worker   22m   v0.0.0-master+$Format:%h$
$ oc debug node/ip-10-0-148-218.us-west-2.compute.internal
Starting pod/ip-10-0-148-218us-west-2computeinternal-debug ...
To use host binaries, run `chroot /host`
If you don't see a command prompt, try pressing enter.
sh-4.2# chroot /host
sh-4.4# rpm-ostree status
State: idle
Deployments:
* pivot://quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:16a8dde4b893ff0b5b4aeb05474f2f5e2ce9cac45d5d3e98b40c4309e23215a7
              CustomOrigin: Managed by machine-config-operator
                   Version: 46.82.202008032211-0 (2020-08-03T22:15:23Z)

  ostree://eada9e31e3e23e864b7c06bafa7b7756c0eceb38c1aa1e76e6bcf347d3663533
                   Version: 46.82.202008030340-0 (2020-08-03T03:44:50Z)
sh-4.4# rpm -q shim-x64
shim-x64-15-15.el8_2.x86_64
sh-4.4# rpm-ostree db list eada9e31e3e23e864b7c06bafa7b7756c0eceb38c1aa1e76e6bcf347d3663533 | grep shim
 shim-x64-15-15.el8_2.x86_64
sh-4.4# exit
exit
sh-4.2# exit
exit
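An added shell helper, not from this bug or from the OpenShift/RHCOS projects, that automates the check Comment 5 performs by hand: it parses the NVRA string that `rpm -q shim-x64` and `rpm-ostree db list <commit> | grep shim` print and confirms the release is at least the one verified above. The minimum of version 15, release 15 is an assumption taken from the verified build `shim-x64-15-15.el8_2`; the `check_cluster` wrapper assumes a logged-in `oc` client and only runs when the script is invoked with `--cluster`.

```shell
#!/bin/sh
# Added example (not part of the bug or the OpenShift project): verify that the
# shim-x64 package on RHCOS nodes is at or above the release that carries the
# CVE-2020-10713 fix. Threshold is assumed from the verified build on this bug.
MIN_VERSION="15"
MIN_RELEASE="15"

# Strip leading/trailing whitespace; `rpm-ostree db list` prints a leading space.
trim() {
    printf '%s' "$1" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//'
}

# shim_release_ok NVRA
# Accepts the form rpm prints, e.g. "shim-x64-15-15.el8_2.x86_64".
# Returns 0 when version-release >= MIN_VERSION-MIN_RELEASE, 1 otherwise
# (including for empty or unexpected input, which is treated as "not fixed").
shim_release_ok() {
    nvra="$1"
    case "$nvra" in
        shim-x64-*) ;;
        *) return 1 ;;
    esac
    rest="${nvra#shim-x64-}"   # 15-15.el8_2.x86_64
    rest="${rest%.*}"          # 15-15.el8_2   (architecture removed)
    ver="${rest%%-*}"          # 15            (package version)
    rel="${rest#*-}"           # 15.el8_2      (release with dist tag)
    relnum="${rel%%.*}"        # 15            (numeric release)
    case "$ver$relnum" in
        *[!0-9]*|"") return 1 ;;
    esac
    [ "$ver" -gt "$MIN_VERSION" ] && return 0
    [ "$ver" -eq "$MIN_VERSION" ] && [ "$relnum" -ge "$MIN_RELEASE" ] && return 0
    return 1
}

# Cluster-wide sweep, run only on request. For every node, read the installed
# shim-x64 through a debug pod, as Comment 5 does interactively.
# Assumes a logged-in oc client with permission to create debug pods.
check_cluster() {
    failed=0
    for node in $(oc get nodes -o name); do
        nvra=$(oc debug "$node" -- chroot /host rpm -q shim-x64 2>/dev/null | tail -n 1)
        nvra=$(trim "$nvra")
        if shim_release_ok "$nvra"; then
            printf '%s: OK (%s)\n' "$node" "$nvra"
        else
            printf '%s: NEEDS REPROVISION (%s)\n' "$node" "${nvra:-no output}"
            failed=1
        fi
    done
    return "$failed"
}

if [ "${1:-}" = "--cluster" ]; then
    check_cluster
fi
```

The same `shim_release_ok` applies to the line `rpm-ostree db list <commit> | grep shim` returns, so the boot-image check from Comment 5 can be folded into the sweep once the deployment checksum is read from `rpm-ostree status`. A node reports NEEDS REPROVISION both when the release is too old and when the debug pod produced no output, so a failed check is never mistaken for a pass.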

Comment 7 errata-xmlrpc 2020-10-27 16:21:22 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4196
