OpenShift Enterprise by Red Hat is the company's cloud computing Platform-as-a-Service (PaaS) solution designed for on-premise or private cloud deployments.

It was reported that OpenShift Enterprise 2.2 did not properly restrict access to services running on different gears. This could allow an attacker to access unprotected network resources running in another user's gear. OpenShift Enterprise 2.2 introduces the oo-gear-firewall command, which creates firewall rules and SELinux policy to contain services running on gears to their own internal gear IPs. The command is invoked by default during new installations of OpenShift Enterprise 2.2 to prevent this security issue. Administrators should run the following on node hosts in existing deployments after upgrading to 2.2 to address this security issue:

    # oo-gear-firewall -i enable -s enable

Please see the man page for the oo-gear-firewall command for more details. (CVE-2014-3674)

It was reported that OpenShift Enterprise did not restrict access to the /proc/net/tcp file on gears, which allowed local users to view all listening connections and connected sockets. This could result in the IP addresses or port numbers of remote systems in use being exposed, which may be useful for further targeted attacks. Note that for local listeners, OSE restricts connections to within the gear by default, so even with knowledge of the local port and IP the attacker is unable to connect. This bug fix updates the SELinux policy on node hosts to prevent this gear information from being accessed by local users. (CVE-2014-3602)

The OpenShift Enterprise 2.2 Release Notes provide information about new features and notable technical changes in this release, as well as notes on initial installations. For more information about OpenShift Enterprise, see the documentation available at: https://access.redhat.com/site/documentation/en-US/OpenShift_Enterprise/2/

All OpenShift Enterprise users are advised to upgrade to release 2.2.
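To make the CVE-2014-3602 exposure concrete, the following is an added example (not part of the advisory and not Red Hat code) that parses the /proc/net/tcp format and decodes the remote endpoints it reveals. The sample table below is constructed for illustration, using documentation address ranges, and the function and variable names are the example's own; it shows why an unrestricted read of this file by a local user leaks the peer addresses and ports of other users' established connections, which is the information the updated SELinux policy hides.

```python
"""Decode /proc/net/tcp rows to show what an unrestricted reader learns.

The kernel prints each socket as hex "ADDR:PORT" fields. The IPv4 address is
the in_addr in host byte order, so on little-endian (x86) hosts the bytes read
reversed; the port is big-endian. State 0A is LISTEN, 01 is ESTABLISHED.
"""
import socket
import struct

TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}

# Constructed sample in the exact layout of /proc/net/tcp (not captured data):
# a gear's listener on 127.0.0.1:8080 plus two other users' outbound sessions
# to 203.0.113.10:443 and 192.0.2.20:3306.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:C350 0A7100CB:01BB 01 00000000:00000000 00:00000000 00000000  1001        0 12346 1 0000000000000000 20 4 30 10 -1
   2: 0F02000A:C351 140200C0:0CEA 01 00000000:00000000 00:00000000 00000000  1002        0 12347 1 0000000000000000 20 4 30 10 -1
"""


def decode_endpoint(field):
    """Turn a hex 'ADDR:PORT' field into ('dotted.quad', port)."""
    hex_addr, hex_port = field.split(":")
    # Little-endian host order assumed (x86 node hosts).
    packed = struct.pack("<I", int(hex_addr, 16))
    return socket.inet_ntoa(packed), int(hex_port, 16)


def parse_proc_net_tcp(text):
    """Parse the table into a list of dicts, skipping the header line."""
    rows = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 10:
            continue  # malformed or blank line
        local = decode_endpoint(fields[1])
        remote = decode_endpoint(fields[2])
        rows.append({
            "local": local,
            "remote": remote,
            "state": TCP_STATES.get(fields[3], fields[3]),
            "uid": int(fields[7]),
        })
    return rows


def listening_sockets(text):
    """Local listeners: the gear itself cannot be reached from outside anyway."""
    return [r["local"] for r in parse_proc_net_tcp(text) if r["state"] == "LISTEN"]


def remote_endpoints(text):
    """Peer addresses and ports of connected sockets, regardless of owning uid.

    This is the sensitive part: every local user could read it before the fix.
    """
    return {r["remote"] for r in parse_proc_net_tcp(text) if r["state"] != "LISTEN"}


if __name__ == "__main__":
    for row in parse_proc_net_tcp(SAMPLE_PROC_NET_TCP):
        print(f"uid={row['uid']:<5} {row['state']:<12} "
              f"{row['local'][0]}:{row['local'][1]} -> {row['remote'][0]}:{row['remote'][1]}")
    print("remote endpoints visible:", sorted(remote_endpoints(SAMPLE_PROC_NET_TCP)))
```

On a fixed node host the same read attempted from inside a gear is denied by SELinux policy, so the parser never sees the rows in the first place; the example is useful for reviewing what the file exposes on hosts that have not yet been updated.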
rhn.redhat.com/errata/RHSA-2014-1796.html
rhn.redhat.com/errata/RHSA-2014-1906.html
access.redhat.com/errata/RHSA-2014:1796
access.redhat.com/errata/RHSA-2014:1906
access.redhat.com/security/cve/CVE-2014-3674
access.redhat.com/security/updates/classification/#moderate
access.redhat.com/site/documentation/en-US/OpenShift_Enterprise/2/
bugzilla.redhat.com/show_bug.cgi?id=1004479
bugzilla.redhat.com/show_bug.cgi?id=1093192
bugzilla.redhat.com/show_bug.cgi?id=1100102
bugzilla.redhat.com/show_bug.cgi?id=1121195
bugzilla.redhat.com/show_bug.cgi?id=1123850
bugzilla.redhat.com/show_bug.cgi?id=1130347
bugzilla.redhat.com/show_bug.cgi?id=1131167
bugzilla.redhat.com/show_bug.cgi?id=1131190
bugzilla.redhat.com/show_bug.cgi?id=1133075
bugzilla.redhat.com/show_bug.cgi?id=1134139
bugzilla.redhat.com/show_bug.cgi?id=1140289
bugzilla.redhat.com/show_bug.cgi?id=1144057
bugzilla.redhat.com/show_bug.cgi?id=1144940
bugzilla.redhat.com/show_bug.cgi?id=1145810
bugzilla.redhat.com/show_bug.cgi?id=1145877
bugzilla.redhat.com/show_bug.cgi?id=1146224
bugzilla.redhat.com/show_bug.cgi?id=1148170
bugzilla.redhat.com/show_bug.cgi?id=1148192
bugzilla.redhat.com/show_bug.cgi?id=1150971
bugzilla.redhat.com/show_bug.cgi?id=1151244
bugzilla.redhat.com/show_bug.cgi?id=1152698
bugzilla.redhat.com/show_bug.cgi?id=1152699
bugzilla.redhat.com/show_bug.cgi?id=1152700
bugzilla.redhat.com/show_bug.cgi?id=1153750
bugzilla.redhat.com/show_bug.cgi?id=1154026
bugzilla.redhat.com/show_bug.cgi?id=1154471
bugzilla.redhat.com/show_bug.cgi?id=1156200
bugzilla.redhat.com/show_bug.cgi?id=1156613