+++ This bug was initially created as a clone of Bug #1862113 +++
+++ This bug was initially created as a clone of Bug #1862112 +++
+++ This bug was initially created as a clone of Bug #1862111 +++

The mitigation route for OCP customers is to reprovision nodes that may be affected by CVE-2020-10713. To do that, we need to provide new boot images and update the installer to reference them.
This is currently being worked on and work will continue next sprint.
PR: https://github.com/openshift/installer/pull/3987
Verified on 4.3.0-0.nightly-2020-08-11-083910

$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.3.0-0.nightly-2020-08-11-083910   True        False         14m     Cluster version is 4.3.0-0.nightly-2020-08-11-083910

$ oc get nodes
NAME                                                      STATUS   ROLES    AGE   VERSION
ci-ln-krlsv-m-0.c.openshift-gce-devel-ci.internal         Ready    master   35m   v1.16.2+295f6e6
ci-ln-krlsv-m-1.c.openshift-gce-devel-ci.internal         Ready    master   35m   v1.16.2+295f6e6
ci-ln-krlsv-m-2.c.openshift-gce-devel-ci.internal         Ready    master   34m   v1.16.2+295f6e6
ci-ln-krlsv-w-b-7r8zt.c.openshift-gce-devel-ci.internal   Ready    worker   25m   v1.16.2+295f6e6
ci-ln-krlsv-w-c-gbkfc.c.openshift-gce-devel-ci.internal   Ready    worker   25m   v1.16.2+295f6e6

== check shim version on master node is 15.15.el8_2 ==

$ oc debug node/ci-ln-krlsv-m-0.c.openshift-gce-devel-ci.internal -- chroot /host rpm-ostree status
Starting pod/ci-ln-krlsv-m-0copenshift-gce-devel-ciinternal-debug ...
To use host binaries, run `chroot /host`
State: idle
AutomaticUpdates: disabled
Deployments:
* pivot://quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:cd39c4055f5899e85f7ee3108825247a55ad6f0b1082c45af2346d5b848d5cd5
              CustomOrigin: Managed by machine-config-operator
                   Version: 43.82.202008102153.0 (2020-08-10T21:59:01Z)

  ostree://737befacb1f80b6842b4f165d8ba07d4854a358333e76af1533d5659c90ddd5e
                   Version: 43.82.202008010953.0 (2020-08-01T09:59:17Z)

Removing debug pod ...

$ oc debug node/ci-ln-krlsv-m-0.c.openshift-gce-devel-ci.internal -- chroot /host rpm -qi shim-x64
Starting pod/ci-ln-krlsv-m-0copenshift-gce-devel-ciinternal-debug ...
To use host binaries, run `chroot /host`
Name        : shim-x64
Version     : 15
Release     : 15.el8_2
Architecture: x86_64
Install Date: Mon Aug 10 21:57:10 2020
Group       : Unspecified
Size        : 5252606
License     : BSD
Signature   : RSA/SHA256, Fri Jul 31 23:10:11 2020, Key ID 199e2f91fd431d51
Source RPM  : shim-15-15.el8_2.src.rpm
Build Date  : Fri Jul 31 21:18:08 2020
Build Host  : x86-vm-09.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : https://github.com/rhboot/shim/
Summary     : First-stage UEFI bootloader
Description :
Initial UEFI bootloader that handles chaining to a trusted full bootloader
under secure boot environments. This package contains the version signed by
the UEFI signing service.

Removing debug pod ...

== check shim version on worker node is 15.15.el8_2 ==

$ oc debug node/ci-ln-krlsv-w-b-7r8zt.c.openshift-gce-devel-ci.internal -- chroot /host rpm-ostree status
Starting pod/ci-ln-krlsv-w-b-7r8ztcopenshift-gce-devel-ciinternal-debug ...
To use host binaries, run `chroot /host`
State: idle
AutomaticUpdates: disabled
Deployments:
* pivot://quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:cd39c4055f5899e85f7ee3108825247a55ad6f0b1082c45af2346d5b848d5cd5
              CustomOrigin: Managed by machine-config-operator
                   Version: 43.82.202008102153.0 (2020-08-10T21:59:01Z)

  ostree://737befacb1f80b6842b4f165d8ba07d4854a358333e76af1533d5659c90ddd5e
                   Version: 43.82.202008010953.0 (2020-08-01T09:59:17Z)

Removing debug pod ...

$ oc debug node/ci-ln-krlsv-w-b-7r8zt.c.openshift-gce-devel-ci.internal -- chroot /host rpm -qi shim-x64
Starting pod/ci-ln-krlsv-w-b-7r8ztcopenshift-gce-devel-ciinternal-debug ...
To use host binaries, run `chroot /host`
Name        : shim-x64
Version     : 15
Release     : 15.el8_2
Architecture: x86_64
Install Date: Mon Aug 10 21:57:10 2020
Group       : Unspecified
Size        : 5252606
License     : BSD
Signature   : RSA/SHA256, Fri Jul 31 23:10:11 2020, Key ID 199e2f91fd431d51
Source RPM  : shim-15-15.el8_2.src.rpm
Build Date  : Fri Jul 31 21:18:08 2020
Build Host  : x86-vm-09.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : https://github.com/rhboot/shim/
Summary     : First-stage UEFI bootloader
Description :
Initial UEFI bootloader that handles chaining to a trusted full bootloader
under secure boot environments. This package contains the version signed by
the UEFI signing service.

Removing debug pod ...

== Check bootstrap node's shim version ==

$ oc debug node/ci-ln-krlsv-w-b-7r8zt.c.openshift-gce-devel-ci.internal -- chroot /host rpm-ostree db list 737befacb1f80b6842b4f165d8ba07d4854a358333e76af1533d5659c90ddd5e | grep shim-x64
Starting pod/ci-ln-krlsv-w-b-7r8ztcopenshift-gce-devel-ciinternal-debug ...
To use host binaries, run `chroot /host`
 shim-x64-15-15.el8_2.x86_64
Removing debug pod ...
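The verification above checks one master and one worker by hand. The script below is an added example, not part of this bug, the installer PR or any Red Hat tooling: it applies the same `oc debug node/... -- chroot /host rpm -q shim-x64` check to every node and flags any node whose installed shim-x64 is older than the fixed build shim-15-15.el8_2, which is the list of nodes to reprovision. The node names and rpm output in SAMPLE_NODES are constructed so the parsing and comparison run offline; the version ordering is a deliberate simplification (integer version and release only, dist tags such as el8 vs el8_2 ignored), not rpm's full NEVRA comparison.

```shell
#!/bin/sh
# Added example (not from the bug or the installer PR): flag cluster nodes whose
# installed shim-x64 predates the fixed build shim-15-15.el8_2 (CVE-2020-10713).
# Assumption: fixed version-release is 15-15 (from the rpm -qi output in this bug).

FIXED_VERSION=15
FIXED_RELEASE=15

# shim_is_fixed NEVRA: returns 0 if version-release >= 15-15, 1 otherwise.
# Compares only the integer version and the leading integer of the release;
# the dist tag (el8 / el8_2) is ignored, a simplification of rpm's ordering.
shim_is_fixed() {
  nevra=$1
  vr=${nevra#shim-x64-}        # shim-x64-15-15.el8_2.x86_64 -> 15-15.el8_2.x86_64
  vr=${vr%.x86_64}             # -> 15-15.el8_2
  ver=${vr%%-*}                # -> 15
  rel=${vr#*-}                 # -> 15.el8_2
  rel=${rel%%.*}               # -> 15
  case "$ver$rel" in *[!0-9]*|'') return 1;; esac   # unparsable: treat as not fixed
  [ "$ver" -gt "$FIXED_VERSION" ] && return 0
  [ "$ver" -eq "$FIXED_VERSION" ] && [ "$rel" -ge "$FIXED_RELEASE" ] && return 0
  return 1
}

# node_shim_nevra NODE: prints the shim-x64 NEVRA installed on NODE.
# Needs oc on PATH and cluster-admin; the grep drops the debug pod chatter.
node_shim_nevra() {
  oc debug "node/$1" -- chroot /host rpm -q shim-x64 2>/dev/null | grep '^shim-x64-'
}

# audit_shim_list: reads "NODE NEVRA" pairs on stdin, prints one verdict per
# node, and returns 1 if any node is still on a vulnerable shim.
audit_shim_list() {
  bad=0
  while read -r node nevra; do
    [ -n "$node" ] || continue
    if shim_is_fixed "$nevra"; then
      echo "FIXED      $node $nevra"
    else
      echo "VULNERABLE $node $nevra"
      bad=$((bad + 1))
    fi
  done
  [ "$bad" -eq 0 ]
}

# audit_cluster: live run against the current kubeconfig context (not run offline).
audit_cluster() {
  oc get nodes -o jsonpath='{.items[*].metadata.name}' | tr ' ' '\n' |
  while read -r node; do
    printf '%s %s\n' "$node" "$(node_shim_nevra "$node")"
  done | audit_shim_list
}

# Constructed sample: two nodes on fixed builds, one still on a pre-fix shim.
SAMPLE_NODES='master-0 shim-x64-15-15.el8_2.x86_64
worker-a shim-x64-15-11.el8.x86_64
worker-b shim-x64-15-16.el8_2.x86_64'

# Offline demonstration; replace with `audit_cluster` on a real cluster.
printf '%s\n' "$SAMPLE_NODES" | audit_shim_list
```

A node reported as VULNERABLE here should be reprovisioned from the new boot images, as the bug's mitigation route describes, rather than patched in place: the rpm query tells you which shim the deployed ostree commit ships, which is what the verification above relies on, and a node created from an older boot image needs to be replaced for the installer change to apply to it.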
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.3.33 bug fix update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:3259