+++ This bug was initially created as a clone of Bug #1862111 +++ The mitigation route for OCP customers is to reprovision nodes that may be affected by CVE-2020-10713 To do that, we need to provide new boot images and update the installer to reference them.
This is currently being worked on and work will continue next sprint.
PR: https://github.com/openshift/installer/pull/3984
Verified on registry.svc.ci.openshift.org/ocp/release:4.5.0-0.nightly-2020-08-07-024812 == on bootstrap node shim version is 15.15.el8_2 == [core@ip-10-0-26-247 ~]$ rpm-ostree status State: idle Deployments: ● ostree://f9d88d07921009f524c39773d0935a7d1642a02bd37e0d621696bf4f766a0540 Version: 45.82.202008010929-0 (2020-08-01T09:33:23Z) [core@ip-10-0-26-247 ~]$ rpm -qi shim-x64 Name : shim-x64 Version : 15 Release : 15.el8_2 Architecture: x86_64 Install Date: Sat 01 Aug 2020 09:31:20 AM UTC Group : Unspecified Size : 5252606 License : BSD Signature : RSA/SHA256, Fri 31 Jul 2020 11:10:11 PM UTC, Key ID 199e2f91fd431d51 Source RPM : shim-15-15.el8_2.src.rpm Build Date : Fri 31 Jul 2020 09:18:08 PM UTC Build Host : x86-vm-09.build.eng.bos.redhat.com Relocations : (not relocatable) Packager : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla> Vendor : Red Hat, Inc. URL : https://github.com/rhboot/shim/ Summary : First-stage UEFI bootloader Description : Initial UEFI bootloader that handles chaining to a trusted full bootloader under secure boot environments. This package contains the version signed by the UEFI signing service. == Verify shim-x64 version on cluster and verify bootstrapped version also == $ oc get clusterversion NAME VERSION AVAILABLE PROGRESSING SINCE STATUS version 4.5.0-0.nightly-2020-08-07-024812 True False 15m Cluster version is 4.5.0-0.nightly-2020-08-07-024812 $ oc get nodes NAME STATUS ROLES AGE VERSION ip-10-0-130-6.us-west-2.compute.internal Ready worker 26m v1.18.3+002a51f ip-10-0-159-75.us-west-2.compute.internal Ready master 36m v1.18.3+002a51f ip-10-0-162-129.us-west-2.compute.internal Ready worker 26m v1.18.3+002a51f ip-10-0-186-157.us-west-2.compute.internal Ready master 36m v1.18.3+002a51f ip-10-0-201-90.us-west-2.compute.internal Ready worker 26m v1.18.3+002a51f ip-10-0-202-63.us-west-2.compute.internal Ready master 36m v1.18.3+002a51f $ oc debug node/ip-10-0-159-75.us-west-2.compute.internal -- chroot /host rpm-ostree status Starting pod/ip-10-0-159-75us-west-2computeinternal-debug ... To use host binaries, run `chroot /host` State: idle Deployments: * pivot://quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:e0fcc62bdd3af70a30c3c87ff653b16f1768c8ea3b7754007249a51a25eec5e4 CustomOrigin: Managed by machine-config-operator Version: 45.82.202008062229-0 (2020-08-06T22:33:24Z) ostree://f9d88d07921009f524c39773d0935a7d1642a02bd37e0d621696bf4f766a0540 Version: 45.82.202008010929-0 (2020-08-01T09:33:23Z) Removing debug pod ... $ oc debug node/ip-10-0-159-75.us-west-2.compute.internal -- chroot /host rpm -qi shim-x64 Starting pod/ip-10-0-159-75us-west-2computeinternal-debug ... To use host binaries, run `chroot /host` Name : shim-x64 Version : 15 Release : 15.el8_2 Architecture: x86_64 Install Date: Thu Aug 6 22:31:21 2020 Group : Unspecified Size : 5252606 License : BSD Signature : RSA/SHA256, Fri Jul 31 23:10:11 2020, Key ID 199e2f91fd431d51 Source RPM : shim-15-15.el8_2.src.rpm Build Date : Fri Jul 31 21:18:08 2020 Build Host : x86-vm-09.build.eng.bos.redhat.com Relocations : (not relocatable) Packager : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla> Vendor : Red Hat, Inc. URL : https://github.com/rhboot/shim/ Summary : First-stage UEFI bootloader Description : Initial UEFI bootloader that handles chaining to a trusted full bootloader under secure boot environments. This package contains the version signed by the UEFI signing service. Removing debug pod ... $ oc debug node/ip-10-0-130-6.us-west-2.compute.internal -- chroot /host rpm-ostree status Starting pod/ip-10-0-130-6us-west-2computeinternal-debug ... To use host binaries, run `chroot /host` State: idle Deployments: * pivot://quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:e0fcc62bdd3af70a30c3c87ff653b16f1768c8ea3b7754007249a51a25eec5e4 CustomOrigin: Managed by machine-config-operator Version: 45.82.202008062229-0 (2020-08-06T22:33:24Z) ostree://f9d88d07921009f524c39773d0935a7d1642a02bd37e0d621696bf4f766a0540 Version: 45.82.202008010929-0 (2020-08-01T09:33:23Z) Removing debug pod ... $ oc debug node/ip-10-0-130-6.us-west-2.compute.internal -- chroot /host rpm -qi shim-x64 Starting pod/ip-10-0-130-6us-west-2computeinternal-debug ... To use host binaries, run `chroot /host` Name : shim-x64 Version : 15 Release : 15.el8_2 Architecture: x86_64 Install Date: Thu Aug 6 22:31:21 2020 Group : Unspecified Size : 5252606 License : BSD Signature : RSA/SHA256, Fri Jul 31 23:10:11 2020, Key ID 199e2f91fd431d51 Source RPM : shim-15-15.el8_2.src.rpm Build Date : Fri Jul 31 21:18:08 2020 Build Host : x86-vm-09.build.eng.bos.redhat.com Relocations : (not relocatable) Packager : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla> Vendor : Red Hat, Inc. URL : https://github.com/rhboot/shim/ Summary : First-stage UEFI bootloader Description : Initial UEFI bootloader that handles chaining to a trusted full bootloader under secure boot environments. This package contains the version signed by the UEFI signing service. Removing debug pod ... $ oc debug node/ip-10-0-130-6.us-west-2.compute.internal -- chroot /host rpm-ostree db list f9d88d07921009f524c39773d0935a7d1642a02bd37e0d621696bf4f766a0540 | grep shim-x64 Starting pod/ip-10-0-130-6us-west-2computeinternal-debug ... To use host binaries, run `chroot /host` Removing debug pod ... shim-x64-15-15.el8_2.x86_64
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (OpenShift Container Platform 4.5.6 bug fix update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:3330