Bug 1065198 (CVE-2014-0084)

Summary: CVE-2014-0084 rubygem-openshift-origin-node: cron.daily/cron.weekly denial of service
Product: [Other] Security Response
Reporter: Kurt Seifried <kseifried>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: bleanhar, ccoleman, dmcphers, jdetiber, jialiu, jrusnack, kseifried, lmeyer, mfojtik, mmcgrath, security-response-team
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2014-07-18 19:14:53 UTC
Bug Depends On: 1065045, 1065205, 1065206
Bug Blocks: 1065209

Description Kurt Seifried 2014-02-14 05:24:38 UTC
Andy Grimm of Red Hat reports:

OpenShift uses /etc/cron.daily/openshift-origin-cron-daily to run:

/usr/bin/oo-scheduled-jobs run daily &> /dev/null

This in turn runs all the user gears' cron.daily content. If these cron jobs
take a long time to run, it will prevent further OpenShift gears' cron.daily
from being run in a timely manner, if at all. The same goes for /etc/cron.weekly/openshift-origin-cron-weekly.

Comment 3 Kurt Seifried 2014-02-14 06:05:20 UTC
Acknowledgements:

This issue was discovered by Andy Grimm of Red Hat.

Comment 5 Tim Kramer 2014-03-19 21:07:17 UTC
Kurt,
      It looks like this should be set for
Product:  OpenShift Online
Component:  Cartridge

and not security response.  I could be wrong but I don't think the developers will see it in this state.

I see in brew:
https://brewweb.devel.redhat.com/buildinfo?buildID=344773

Michal was the last person to make a change to that RPM.

Comment 6 Michal Fojtik 2014-03-19 21:39:35 UTC
I fixed an LD_LIBRARY_PATH problem there that caused problems when users have SCLized python/ruby/whatever inside a cron job; that env var was not exported properly.

Kurt: There is a timeout inside the cron_runjobs.sh script that is responsible for executing users' scripts. This script has the 'timeout' command in place as the executor. See here:

https://github.com/openshift/origin-server/blob/master/cartridges/openshift-origin-cartridge-cron/bin/cron_runjobs.sh#L72
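The mitigation the comment above points to, a per-job timeout so one gear's runaway cron job cannot stall every later gear's run, sketched as an added example; this is not OpenShift's cron_runjobs.sh, and the gear layout <root>/<gear>/.openshift/cron/<freq>/ is an assumption made for the illustration.

```shell
#!/bin/sh
# Added illustration, not OpenShift's cron_runjobs.sh. Runs each gear's
# cron.<freq> scripts under GNU coreutils `timeout` so one runaway job
# cannot block the remaining gears. The layout
# <root>/<gear>/.openshift/cron/<freq>/ is an assumption for this example.

run_gear_cron_jobs() {
    gear_root="$1"
    freq="$2"            # daily, weekly, ...
    per_job_secs="$3"    # wall-clock budget per job
    ran=0; timed_out=0; failed=0

    for gear in "$gear_root"/*/; do
        jobdir="${gear%/}/.openshift/cron/$freq"
        [ -d "$jobdir" ] || continue
        for job in "$jobdir"/*; do
            [ -f "$job" ] && [ -x "$job" ] || continue
            # TERM at the deadline, KILL 5 s later if the job ignores TERM.
            rc=0
            timeout -k 5 "$per_job_secs" "$job" >/dev/null 2>&1 || rc=$?
            ran=$((ran + 1))
            case "$rc" in
                0) ;;
                # 124: deadline expired (137 on some versions when KILL was needed)
                124|137)
                    timed_out=$((timed_out + 1))
                    echo "WARN gear=$(basename "${gear%/}") job=$(basename "$job") exceeded ${per_job_secs}s" >&2 ;;
                *) failed=$((failed + 1)) ;;
            esac
        done
    done
    # Summary on stdout: jobs run, jobs timed out, jobs that failed otherwise
    echo "$ran $timed_out $failed"
}
```

The WARN lines on stderr are what a node operator would want to see in the cron mail or journal; without the per-job budget the slow job simply keeps every later gear waiting.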

Comment 7 Kurt Seifried 2014-03-20 02:26:26 UTC
(In reply to Tim Kramer from comment #5)
> Kurt,
>       It looks like this should be set for
> Product:  OpenShift Online
> Component:  Cartridge
> 
> and not security response.  I could be wrong but I don't think the
> developers will see it in this state.

This is the CVE bug, what you're describing is the tracking bug https://bugzilla.redhat.com/show_bug.cgi?id=1065045 where the changes can be made.

Comment 9 Kurt Seifried 2014-07-18 01:43:02 UTC
This was fixed publicly:

https://github.com/openshift/origin-server/pull/4764

Comment 10 Brenton Leanhardt 2014-07-18 12:14:55 UTC
For what it's worth, this shipped as part of the OpenShift Enterprise 2.1 rebase.

Comment 11 Kurt Seifried 2014-07-18 19:14:53 UTC
This issue has been addressed in the following products:

  RHEL 6 Version of OpenShift Enterprise 2.1

Via RHBA-2014:0487 https://rhn.redhat.com/errata/RHBA-2014-0487.html