Icp-mongodb security vulnerability patch for IBM Cloud Private Version 3.1.1.0 clusters - Readme file

Readme file for: icp-mongodb security vulnerability patch for IBM Cloud Private Version 3.1.1.0 clusters

Product Release: 3.1.1.0

Publication date: March 5, 2019

Last modified date: February 26, 2019

Overview
Applying the patch
How to verify the patch
Rolling back the patch
List of files
Copyright and trademark information

Overview

This patch fixes security vulnerabilities that affect IBM® Cloud Private.

Vulnerability Details: CVE-2018-18065 https://exchange.xforce.ibmcloud.com/vulnerabilities/150994

For information on Security Vulnerabilities affecting IBM Cloud Private, see the IBM PSIRT Blog - https://www.ibm.com/blogs/psirt/.

The following image versions have changed:

icp-mongodb:4.0-f1
icp-mongodb-install:3.1.1-f1

The following services are restarted when you apply the patch:

icp-mongodb

The following platforms are supported:

Linux 64-bit
Linux on Power
Linux on Z

Applying the patch

Download the patch file icp-mongodb-3.1.1-f1-3.1.1.0-20668-20190211.tar.gz from IBM Fix Central.
Copy the patch file icp-mongodb-3.1.1-f1-3.1.1.0-20668-20190211.tar.gz to your master node.
Configure cloudctl on your master node. For more information, see Installing the IBM Cloud Private CLI.

cloudctl login -a https://<cluster_CA_domain>:<router_https_port> --skip-ssl-validation

Get the cluster_CA_domain and router_https_port values from the cluster_CA_domain and router_https_port parameters that are in the /<installation_directory>/cluster/config.yaml file.
Log in to the IBM Cloud Private 3.1.1.0 clusters' private registry as as a user with ClusterAdministrator access by entering the following command:

docker login <cluster_CA_domain>:8500
Load the PPA archive.

cloudctl catalog load-archive --archive icp-mongodb-3.1.1-f1-3.1.1.0-20668-20190211.tar.gz --registry <cluster_CA_domain>:8500/<namespace> --repo mgmt-charts

<namespace> is the namespace where icp-mongodb is installed.
Upgrade icp-mongodb.

Upgrade the release for icp-mongodb by using the Helm CLI. For more information, see Installing the Helm CLI (helm).
- Add the mgmt-charts repository to the Helm CLI known repositories:
```
 export HELM_HOME=~/.helm
 helm init -c --skip-refresh
 helm repo add mgmt-charts https://<cluster_CA_domain>:<router_https_port>/mgmt-repo/charts --ca-file $HELM_HOME/ca.pem  --cert-file $HELM_HOME/cert.pem --key-file $HELM_HOME/key.pem
```
- Get the existing values.yaml file:
  
  helm get values icp-mongodb --tls > values-old.yaml
- Update the values-old.yaml file to change the parameter values. Run the following command to edit:
  
  vim values-old.yaml
- Set the following values:
  - set image.repository to <cluster_CA_domain>:8500/<namespace>/icp-mongodb
  - set image.tag to 4.0-f1
  - set installImage.repository to <cluster_CA_domain>:8500/<namespace>/icp-mongodb-install
  - set installImage.tag to 3.1.1-f1
  Where <cluster_CA_domain> is a parameter in the /<installation_directory>/cluster/config.yaml file and <namespace> is the namespace where icp-mongodb is installed.
  
  Example: See the following values.yaml file sample that contains the changed values
```
  image
    repository: <cluster_CA_domain>:8500/<namespace>/icp-mongodb
    tag: 4.0-f1
  installImage
    repository: <cluster_CA_domain>:8500/<namespace>/icp-mongodb-install
    tag: 3.1.1-f1
```
- Upgrade the icp-mongodb release.
  
  helm upgrade icp-mongodb mgmt-charts/icp-mongodb --force -f values-old.yaml --version <version> --tls
  
  Where <version> is the version of the patch helm chart.

Note: Do not use the IBM Cloud Private management console to upgrade to the patch level. The --force option is required for reliable operation.

How to verify the patch

Verify that the patch is correctly installed by using the IBM Cloud Private management console:

In the navigation menu, select Workloads > Helm Releases.
Find icp-mongodb in the table and check the Current Version and Status.

Verify that the patch is correctly installed by using the Helm CLI. For more information, see Installing the Helm CLI (helm)

Check the history of the icp-mongodb release:
```
 helm history --tls icp-mongodb
```
Check the status of the helm-repo release:
```
 helm status --tls icp-mongodb
```

Rolling back the patch

Rolling back the patch manually

List the history of the icp-mongodb release and find the release revision number that is one version earlier than the current release.

helm history --tls icp-mongodb
Roll back the helm-repo release to the revision number that you found in the previous step.

helm rollback --tls --force icp-mongodb <revision>

Rolling back the patch by using the IBM Cloud Private management console.

Log in to the console as a user with ClusterAdministrator access.
In the navigation menu, select Workloads > Helm Releases.
Open the Action menu on the row for the icp-mongodb release and select Upgrade. The current version in the Version drop-down is the patch version.
Select the previous version of icp-mongodb in the Version drop-down list and select Rollback.
Select the old version of chart, then click Rollback.

List of files

Table 1. List of IBM Cloud Private 3.1.1.0 patch files

Description	File name	File extension
icp-mongodb security vulnerability patch for IBM Cloud Private Version 3.1.1.0 clusters	icp-mongodb-3.1.1-f1-3.1.1.0-20668-20190211	.tar.gz
icp-mongodb security vulnerability patch for IBM Cloud Private Version 3.1.1.0 clusters - Readme	icp-mongodb-3.1.1-f1-3.1.1.0-20668-20190211-readme	.html

Copyright and trademark information

U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

IBM®, the IBM logo and ibm.com® are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.