Bug 1862114 - [4.3.z] update boot images to address CVE-2020-10713
Summary: [4.3.z] update boot images to address CVE-2020-10713
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: RHCOS
Version: 4.3.z
Hardware: Unspecified
OS: Unspecified
high
medium
Target Milestone: ---
Target Release: 4.3.z
Assignee: Micah Abbott
QA Contact: Michael Nguyen
URL:
Whiteboard:
Depends On: 1862113
Blocks: 1186913
Reported: 2020-07-30 13:36 UTC by Micah Abbott
Modified: 2020-08-19 11:10 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1862113
Environment:
Last Closed: 2020-08-19 11:10:15 UTC
Target Upstream Version:




Links
System ID Priority Status Summary Last Updated
Github openshift installer pull 3987 None closed Bug 1862114: bump RHCOS images for CVE-2020-10713 2020-08-26 19:54:04 UTC
Red Hat Product Errata RHBA-2020:3259 None None None 2020-08-19 11:10:50 UTC

Description Micah Abbott 2020-07-30 13:36:32 UTC
+++ This bug was initially created as a clone of Bug #1862113 +++

+++ This bug was initially created as a clone of Bug #1862112 +++

+++ This bug was initially created as a clone of Bug #1862111 +++

The mitigation route for OCP customers is to reprovision nodes that may be affected by CVE-2020-10713.

To do that, we need to provide new boot images and update the installer to reference them.

Comment 1 Micah Abbott 2020-07-30 19:49:06 UTC
This is currently being worked on and work will continue next sprint.

Comment 2 Steve Milner 2020-08-04 21:12:44 UTC
PR: https://github.com/openshift/installer/pull/3987

Comment 5 Kelvin Fan 2020-08-11 16:11:24 UTC
Verified on 4.3.0-0.nightly-2020-08-11-083910


$ oc get clusterversion 
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.3.0-0.nightly-2020-08-11-083910   True        False         14m     Cluster version is 4.3.0-0.nightly-2020-08-11-083910


$ oc get nodes
NAME                                                      STATUS   ROLES    AGE   VERSION
ci-ln-krlsv-m-0.c.openshift-gce-devel-ci.internal         Ready    master   35m   v1.16.2+295f6e6
ci-ln-krlsv-m-1.c.openshift-gce-devel-ci.internal         Ready    master   35m   v1.16.2+295f6e6
ci-ln-krlsv-m-2.c.openshift-gce-devel-ci.internal         Ready    master   34m   v1.16.2+295f6e6
ci-ln-krlsv-w-b-7r8zt.c.openshift-gce-devel-ci.internal   Ready    worker   25m   v1.16.2+295f6e6
ci-ln-krlsv-w-c-gbkfc.c.openshift-gce-devel-ci.internal   Ready    worker   25m   v1.16.2+295f6e6

== check shim version on master node is 15.15.el8_2 ==
$ oc debug node/ci-ln-krlsv-m-0.c.openshift-gce-devel-ci.internal -- chroot /host rpm-ostree status
Starting pod/ci-ln-krlsv-m-0copenshift-gce-devel-ciinternal-debug ...
To use host binaries, run `chroot /host`
State: idle
AutomaticUpdates: disabled
Deployments:
* pivot://quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:cd39c4055f5899e85f7ee3108825247a55ad6f0b1082c45af2346d5b848d5cd5
              CustomOrigin: Managed by machine-config-operator
                   Version: 43.82.202008102153.0 (2020-08-10T21:59:01Z)

  ostree://737befacb1f80b6842b4f165d8ba07d4854a358333e76af1533d5659c90ddd5e
                   Version: 43.82.202008010953.0 (2020-08-01T09:59:17Z)

Removing debug pod ...
$ oc debug node/ci-ln-krlsv-m-0.c.openshift-gce-devel-ci.internal -- chroot /host rpm -qi shim-x64
Starting pod/ci-ln-krlsv-m-0copenshift-gce-devel-ciinternal-debug ...
To use host binaries, run `chroot /host`
Name        : shim-x64
Version     : 15
Release     : 15.el8_2
Architecture: x86_64
Install Date: Mon Aug 10 21:57:10 2020
Group       : Unspecified
Size        : 5252606
License     : BSD
Signature   : RSA/SHA256, Fri Jul 31 23:10:11 2020, Key ID 199e2f91fd431d51
Source RPM  : shim-15-15.el8_2.src.rpm
Build Date  : Fri Jul 31 21:18:08 2020
Build Host  : x86-vm-09.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : https://github.com/rhboot/shim/
Summary     : First-stage UEFI bootloader
Description :
Initial UEFI bootloader that handles chaining to a trusted full
bootloader under secure boot environments. This package contains the
version signed by the UEFI signing service.

Removing debug pod ...

== check shim version on worker node is 15.15.el8_2 ==
$ oc debug node/ci-ln-krlsv-w-b-7r8zt.c.openshift-gce-devel-ci.internal -- chroot /host rpm-ostree status
Starting pod/ci-ln-krlsv-w-b-7r8ztcopenshift-gce-devel-ciinternal-debug ...
To use host binaries, run `chroot /host`
State: idle
AutomaticUpdates: disabled
Deployments:
* pivot://quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:cd39c4055f5899e85f7ee3108825247a55ad6f0b1082c45af2346d5b848d5cd5
              CustomOrigin: Managed by machine-config-operator
                   Version: 43.82.202008102153.0 (2020-08-10T21:59:01Z)

  ostree://737befacb1f80b6842b4f165d8ba07d4854a358333e76af1533d5659c90ddd5e
                   Version: 43.82.202008010953.0 (2020-08-01T09:59:17Z)

Removing debug pod ...
$ oc debug node/ci-ln-krlsv-w-b-7r8zt.c.openshift-gce-devel-ci.internal -- chroot /host rpm -qi shim-x64
Starting pod/ci-ln-krlsv-w-b-7r8ztcopenshift-gce-devel-ciinternal-debug ...
To use host binaries, run `chroot /host`
Name        : shim-x64
Version     : 15
Release     : 15.el8_2
Architecture: x86_64
Install Date: Mon Aug 10 21:57:10 2020
Group       : Unspecified
Size        : 5252606
License     : BSD
Signature   : RSA/SHA256, Fri Jul 31 23:10:11 2020, Key ID 199e2f91fd431d51
Source RPM  : shim-15-15.el8_2.src.rpm
Build Date  : Fri Jul 31 21:18:08 2020
Build Host  : x86-vm-09.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : https://github.com/rhboot/shim/
Summary     : First-stage UEFI bootloader
Description :
Initial UEFI bootloader that handles chaining to a trusted full
bootloader under secure boot environments. This package contains the
version signed by the UEFI signing service.

Removing debug pod ...

== Check bootstrap node's shim version ==
$ oc debug node/ci-ln-krlsv-w-b-7r8zt.c.openshift-gce-devel-ci.internal -- chroot /host rpm-ostree db list 737befacb1f80b6842b4f165d8ba07d4854a358333e76af1533d5659c90ddd5e | grep shim-x64
Starting pod/ci-ln-krlsv-w-b-7r8ztcopenshift-gce-devel-ciinternal-debug ...
To use host binaries, run `chroot /host`
 shim-x64-15-15.el8_2.x86_64

Removing debug pod ...

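A node-by-node form of the verification shown in Comment 5, as an added example that is not part of this bug's comments or the installer PR: it reuses the `oc debug <node> -- chroot /host rpm -qi shim-x64` command from above, parses its output, and treats shim-x64 15-15.el8_2 as the fixed build (assumed from the verification above). The two `rpm -qi` samples are constructed, not captured from a node.

```shell
#!/bin/sh
# Added example (not from the bug): report any node whose shim-x64 is older than
# the build verified in Comment 5. Fixed build assumed to be 15-15.el8_2.
FIXED_VER=15
FIXED_REL=15

# shim_fixed: reads `rpm -qi shim-x64` output on stdin.
# Returns 0 if Version-Release is at or above 15-15, 1 if older, 2 if unparseable.
shim_fixed() {
    out=$(cat)
    ver=$(printf '%s\n' "$out" | awk -F': *' '$1 ~ /^Version/ {print $2; exit}')
    rel=$(printf '%s\n' "$out" | awk -F': *' '$1 ~ /^Release/ {print $2; exit}')
    [ -n "$ver" ] && [ -n "$rel" ] || return 2
    relnum=${rel%%.*}                       # "15.el8_2" -> "15"
    [ "$ver" -gt "$FIXED_VER" ] && return 0
    [ "$ver" -eq "$FIXED_VER" ] && [ "$relnum" -ge "$FIXED_REL" ] && return 0
    return 1
}

# check_nodes: run the Comment 5 check on every node and list the ones that
# still need reprovisioning (needs a logged-in `oc`; not run in this file).
check_nodes() {
    rc=0
    for n in $(oc get nodes -o name); do      # yields node/<name>
        if oc debug "$n" -- chroot /host rpm -qi shim-x64 2>/dev/null | shim_fixed; then
            echo "OK           $n"
        else
            echo "REPROVISION  $n"; rc=1
        fi
    done
    return $rc
}

# Constructed, abridged `rpm -qi shim-x64` outputs for an offline demonstration.
SAMPLE_FIXED='Name        : shim-x64
Version     : 15
Release     : 15.el8_2
Architecture: x86_64'
SAMPLE_OLD='Name        : shim-x64
Version     : 15
Release     : 11.el8
Architecture: x86_64'

printf '%s\n' "$SAMPLE_FIXED" | shim_fixed && echo "constructed sample (15-15.el8_2): OK"
printf '%s\n' "$SAMPLE_OLD" | shim_fixed || echo "constructed sample (15-11.el8): needs reprovisioning"
# On a cluster: check_nodes
```

The RPM comparison is deliberately narrow (integer Version and the leading integer of Release), which is enough for the shim builds in question but is not a general rpmvercmp.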
Comment 7 errata-xmlrpc 2020-08-19 11:10:15 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.3.33 bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:3259
