Icp-mongodb security vulnerability patch for IBM Cloud Private Version 3.1.1.0 clusters - Readme file

Readme file for: icp-mongodb security vulnerability patch for IBM Cloud Private Version 3.1.1.0 clusters

Product Release: 3.1.1.0

Publication date: March 5, 2019

Last modified date: February 26, 2019

Overview
Applying the patch
How to verify the patch
Rolling back the patch
List of files
Copyright and trademark information

Overview

This patch fixes security vulnerabilities that affect IBM Cloud Private.

Vulnerability Details: CVE-2018-18065 https://exchange.xforce.ibmcloud.com/vulnerabilities/150994

For information on Security Vulnerabilities affecting IBM Cloud Private, see the IBM PSIRT Blog - https://www.ibm.com/blogs/psirt/.

The following image versions have changed:

icp-mongodb:4.0-f1-rhel
icp-mongodb-install:3.1.1-f1-rhel

The following services are restarted when you apply the patch:

icp-mongodb

The following platforms are supported:

Red Hat Enterprise Linux OpenShift

Applying the patch

Download the patch file icp-mongodb-3.1.1-f1-3.1.1.0-20668-20190220-rhos.tar.gz from IBM Fix Central.
Copy the patch file icp-mongodb-3.1.1-f1-3.1.1.0-20668-20190220-rhos.tar.gz to your master node.
Configure cloudctl on your master node. For more information, see Installing the IBM Cloud Private CLI.

cloudctl login -a https://<cluster_CA_domain>:<router_https_port> --skip-ssl-validation

Get the cluster_CA_domain and router_https_port values from the cluster_CA_domain and router_https_port parameters that are in the /<installation_directory>/cluster/config.yaml file.
Log in to the IBM Cloud Private 3.1.1.0 clusters' private registry as as a user with ClusterAdministrator access by entering the following command:

docker login docker-registry.default.svc:5000

Note: Depending on your environment, the private registry may instead be docker-registry-default.<cluster_CA_domain>
Load the PPA archive.

cloudctl catalog load-archive --archive icp-mongodb-3.1.1-f1-3.1.1.0-20668-20190220-rhos.tar.gz --registry docker-registry.default.svc:5000/<namespace> --repo mgmt-charts

<namespace> is the namespace where icp-mongodb is installed.

Note: Depending on your environment, the private registry may instead be docker-registry-default.<cluster_CA_domain>
Upgrade icp-mongodb.

Upgrade the release for icp-mongodb by using the Helm CLI. For more information, see Installing the Helm CLI (helm).
- Add the mgmt-charts repository to the Helm CLI known repositories:
```
  export HELM_HOME=~/.helm
  helm init -c --skip-refresh
  helm repo add mgmt-charts http://<cluster_CA_domain>:<router_http_port>/mgmt-repo/charts --ca-file $HELM_HOME/ca.pem  --cert-file $HELM_HOME/cert.pem --key-file $HELM_HOME/key.pem
```
  Note: On RedHat OpenShift use http:// and the http port.
- Get the existing values.yaml file:
  
  helm get values icp-mongodb --tls > values-old.yaml
- Update the values-old.yaml file to change the parameter values. Run the following command to edit:
  
  vim values-old.yaml
- Set the following values:
  - set image.repository to docker-registry.default.svc:5000/<namespace>/icp-mongodb
  - set image.tag to 4.0-f1-rhel
  - set installImage.repository to docker-registry.default.svc:5000/<namespace>/icp-mongodb-install
  - set installImage.tag to 3.1.1-f1-rhel
  Note: If the Red Hat OpenShift private registry url in the exported values-old.yaml file does not use docker-registry.default.svc:5000, keep the original value. <namespace> is the namespace where icp-mongodb is installed and where the patch was loaded.
  
  Example: See the following values.yaml file sample that contains the changed values.
```
   image
     repository: docker-registry.default.svc:5000/<namespace>/icp-mongodb
     tag: 4.0-f1-rhel
   installImage
     repository: docker-registry.default.svc:5000/<namespace>/icp-mongodb-install
     tag: 3.1.1-f1-rhel
```
- Upgrade the icp-mongodb release.
  
  helm upgrade icp-mongodb "http://<cluster_CA_domain>:<router_http_port>/mgmt-repo/requiredAssets/icp-mongodb-3.1.1-f1-rhel.tgz" --force -f values-old.yaml --tls
  
  Note: On Red Hat OpenShift use http:// and the http port when specifying the chart Do not specify the --version argument.

NOTE: Do not use the IBM Cloud Private management console to upgrade to the patch level. The --force option is required for reliable operation.

How to verify the patch

Verify that the patch is installed correctly by using the IBM Cloud Private management console:

In the navigation menu, select Workloads > Helm Releases.
Find icp-mongodb in the table and check the Current Version and Status.

Verify that the patch is installed correctly by using the Helm CLI. For more information, see Installing the Helm CLI (helm)

Check the history of the icp-mongodb release:
```
 helm history --tls icp-mongodb
```
Check the status of the helm-repo release:
```
 helm status --tls icp-mongodb
```

Rolling back the patch

Rolling back the patch manually

List the history of the icp-mongodb release and find the release revision number that is one version earlier than the current release.

helm history --tls icp-mongodb
Roll back the helm-repo release to the revision number that you found in the previous step.

helm rollback --tls --force icp-mongodb <revision>

Rolling back the patch by using the IBM Cloud Private management console.

Log in to the console as a user with ClusterAdministrator access.
In the navigation menu, select Workloads > Helm Releases.
Open the Action menu on the row for the icp-mongodb release and select Upgrade. The current version in the Version drop-down is the patch version.
Select the previous version of icp-mongodb in the Version drop-down list and select Rollback.
Select the old version of chart, then click Rollback.

List of files

Table 1. List of IBM Cloud Private 3.1.1.0 patch files

Description	File name	File extension
icp-mongodb security vulnerability patch for IBM Cloud Private Version 3.1.1.0 clusters	icp-mongodb-3.1.1-f1-3.1.1.0-20668-20190220-rhos	.tar.gz
icp-mongodb security vulnerability patch for IBM Cloud Private Version 3.1.1.0 clusters - Readme	icp-mongodb-3.1.1-f1-3.1.1.0-20668-20190220-rhos-readme	.html

Copyright and trademark information

U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

IBM®, the IBM logo and ibm.com® are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.