+++ This bug was initially created as a clone of Bug #1862112 +++
+++ This bug was initially created as a clone of Bug #1862111 +++

The mitigation route for OCP customers is to reprovision nodes that may be affected by CVE-2020-10713. To do that, we need to provide new boot images and update the installer to reference them.
This is currently being worked on and work will continue next sprint.
PR: https://github.com/openshift/installer/pull/3985
Verified on registry.svc.ci.openshift.org/ocp/release:4.4.0-0.nightly-2020-08-07-080430

== on bootstrap node shim version is 15.15.el8_2 ==

[core@ip-10-0-8-133 ~]$ rpm-ostree status
State: idle
AutomaticUpdates: disabled
Deployments:
● ostree://a0f9f9a7ccdf6ac8a7d83abcdae42f05c9295c172a8635e466be6804f94d33d5
                   Version: 44.82.202008011133-0 (2020-08-01T11:39:22Z)

[core@ip-10-0-8-133 ~]$ rpm -qi shim-x64
Name        : shim-x64
Version     : 15
Release     : 15.el8_2
Architecture: x86_64
Install Date: Sat 01 Aug 2020 11:37:17 AM UTC
Group       : Unspecified
Size        : 5252606
License     : BSD
Signature   : RSA/SHA256, Fri 31 Jul 2020 11:10:11 PM UTC, Key ID 199e2f91fd431d51
Source RPM  : shim-15-15.el8_2.src.rpm
Build Date  : Fri 31 Jul 2020 09:18:08 PM UTC
Build Host  : x86-vm-09.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : https://github.com/rhboot/shim/
Summary     : First-stage UEFI bootloader
Description :
Initial UEFI bootloader that handles chaining to a trusted full
bootloader under secure boot environments. This package contains the
version signed by the UEFI signing service.
== Verify shim-x64 version on cluster and verify bootstrapped version also ==

$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.4.0-0.nightly-2020-08-07-080430   True        False         8m43s   Cluster version is 4.4.0-0.nightly-2020-08-07-080430

$ oc get nodes
NAME                                         STATUS   ROLES    AGE   VERSION
ip-10-0-135-43.us-west-2.compute.internal    Ready    master   33m   v1.17.1+4803e5f
ip-10-0-158-164.us-west-2.compute.internal   Ready    worker   19m   v1.17.1+4803e5f
ip-10-0-165-243.us-west-2.compute.internal   Ready    worker   19m   v1.17.1+4803e5f
ip-10-0-167-139.us-west-2.compute.internal   Ready    master   32m   v1.17.1+4803e5f
ip-10-0-193-27.us-west-2.compute.internal    Ready    worker   18m   v1.17.1+4803e5f
ip-10-0-221-31.us-west-2.compute.internal    Ready    master   32m   v1.17.1+4803e5f

$ oc debug node/ip-10-0-135-43.us-west-2.compute.internal -- chroot /host rpm-ostree status
Starting pod/ip-10-0-135-43us-west-2computeinternal-debug ...
To use host binaries, run `chroot /host`
State: idle
AutomaticUpdates: disabled
Deployments:
* pivot://quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:b625356e670b0dcf6cbf2387fd2bc906c5760ff8271fb2511ce7430f014555a4
              CustomOrigin: Managed by machine-config-operator
                   Version: 44.82.202008070230-0 (2020-08-07T02:36:13Z)

  ostree://a0f9f9a7ccdf6ac8a7d83abcdae42f05c9295c172a8635e466be6804f94d33d5
                   Version: 44.82.202008011133-0 (2020-08-01T11:39:22Z)

Removing debug pod ...

$ oc debug node/ip-10-0-135-43.us-west-2.compute.internal -- chroot /host rpm -qi shim-x64
Starting pod/ip-10-0-135-43us-west-2computeinternal-debug ...
To use host binaries, run `chroot /host`
Name        : shim-x64
Version     : 15
Release     : 15.el8_2
Architecture: x86_64
Install Date: Fri Aug  7 02:34:12 2020
Group       : Unspecified
Size        : 5252606
License     : BSD
Signature   : RSA/SHA256, Fri Jul 31 23:10:11 2020, Key ID 199e2f91fd431d51
Source RPM  : shim-15-15.el8_2.src.rpm
Build Date  : Fri Jul 31 21:18:08 2020
Build Host  : x86-vm-09.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : https://github.com/rhboot/shim/
Summary     : First-stage UEFI bootloader
Description :
Initial UEFI bootloader that handles chaining to a trusted full
bootloader under secure boot environments. This package contains the
version signed by the UEFI signing service.

Removing debug pod ...

$ oc debug node/ip-10-0-158-164.us-west-2.compute.internal -- chroot /host rpm-ostree status
Starting pod/ip-10-0-158-164us-west-2computeinternal-debug ...
To use host binaries, run `chroot /host`
State: idle
AutomaticUpdates: disabled
Deployments:
* pivot://quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:b625356e670b0dcf6cbf2387fd2bc906c5760ff8271fb2511ce7430f014555a4
              CustomOrigin: Managed by machine-config-operator
                   Version: 44.82.202008070230-0 (2020-08-07T02:36:13Z)

  ostree://a0f9f9a7ccdf6ac8a7d83abcdae42f05c9295c172a8635e466be6804f94d33d5
                   Version: 44.82.202008011133-0 (2020-08-01T11:39:22Z)

Removing debug pod ...

$ oc debug node/ip-10-0-158-164.us-west-2.compute.internal -- chroot /host rpm -qi shim-x64
Starting pod/ip-10-0-158-164us-west-2computeinternal-debug ...
To use host binaries, run `chroot /host`
Name        : shim-x64
Version     : 15
Release     : 15.el8_2
Architecture: x86_64
Install Date: Fri Aug  7 02:34:12 2020
Group       : Unspecified
Size        : 5252606
License     : BSD
Signature   : RSA/SHA256, Fri Jul 31 23:10:11 2020, Key ID 199e2f91fd431d51
Source RPM  : shim-15-15.el8_2.src.rpm
Build Date  : Fri Jul 31 21:18:08 2020
Build Host  : x86-vm-09.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : https://github.com/rhboot/shim/
Summary     : First-stage UEFI bootloader
Description :
Initial UEFI bootloader that handles chaining to a trusted full
bootloader under secure boot environments. This package contains the
version signed by the UEFI signing service.

Removing debug pod ...

$ oc debug node/ip-10-0-158-164.us-west-2.compute.internal -- chroot /host rpm-ostree db list a0f9f9a7ccdf6ac8a7d83abcdae42f05c9295c172a8635e466be6804f94d33d5 | grep shim-x64
Starting pod/ip-10-0-158-164us-west-2computeinternal-debug ...
To use host binaries, run `chroot /host`
shim-x64-15-15.el8_2.x86_64
Removing debug pod ...
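The verification above inspects shim-x64 node by node with `oc debug`. The script below is an added example (not from the bug report, the installer PR, or the errata) that turns that manual check into a cluster-wide sweep: it parses the NVRA line that `rpm -q shim-x64` or `rpm-ostree db list ... | grep shim-x64` prints and compares the version-release against the fixed build 15-15.el8_2 seen in the comment. The function names `shim_is_fixed` and `check_cluster` are this example's own; it assumes a logged-in `oc` with permission to run debug pods.

```shell
#!/bin/sh
# Added example: report nodes whose deployed shim-x64 is older than the fixed
# build (15-15.el8_2) confirmed in the verification comment for this bug.
FIXED_VER=15   # shim version carrying the CVE-2020-10713 fix
FIXED_REL=15   # release number, the leading "15" in "15.el8_2"

# shim_is_fixed NVRA
#   NVRA is one line such as "shim-x64-15-15.el8_2.x86_64", the format printed
#   by 'rpm -q shim-x64' and by 'rpm-ostree db list <commit> | grep shim-x64'.
#   Returns 0 when version-release >= 15-15, 1 when older, 2 on unexpected input.
shim_is_fixed() {
    nvra="$1"
    vr="${nvra#shim-x64-}"        # drop the package-name prefix
    vr="${vr%.x86_64}"            # drop the architecture suffix
    ver="${vr%%-*}"               # "15" from "15-15.el8_2"
    rel="${vr#*-}"                # "15.el8_2"
    relnum="${rel%%.*}"           # "15" (the numeric part before ".el8_2")
    [ -n "$ver" ] && [ -n "$relnum" ] || return 2
    case "$ver$relnum" in *[!0-9]*) return 2 ;; esac   # not a plain NVRA line
    [ "$ver" -gt "$FIXED_VER" ] && return 0
    [ "$ver" -eq "$FIXED_VER" ] && [ "$relnum" -ge "$FIXED_REL" ] && return 0
    return 1
}

# check_cluster: run the same 'oc debug <node> -- chroot /host rpm -q' query the
# comment above used, for every node, and flag the ones still on an older shim.
# Returns non-zero if any node is outdated or shim-x64 could not be queried.
check_cluster() {
    rc=0
    for node in $(oc get nodes -o name); do
        nvra=$(oc debug "$node" -- chroot /host rpm -q shim-x64 2>/dev/null \
               | grep '^shim-x64-')
        if shim_is_fixed "$nvra"; then
            echo "OK        $node  $nvra"
        else
            echo "OUTDATED  $node  ${nvra:-<shim-x64 not found>}"
            rc=1
        fi
    done
    return $rc
}
```

This checks the package in the node's deployed ostree commit, which is what the comment above inspects; the mitigation route stated in this bug is still to reprovision affected nodes from the new boot images.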
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.4.17 bug fix update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:3334