Bug 1065198 (CVE-2014-0084)
Summary: | CVE-2014-0084 rubygem-openshift-origin-node: cron.daily/cron.weekly denial of service | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Kurt Seifried <kseifried> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | low | Docs Contact: | |
Priority: | low | ||
Version: | unspecified | CC: | bleanhar, ccoleman, dmcphers, jdetiber, jialiu, jrusnack, kseifried, lmeyer, mfojtik, mmcgrath, security-response-team |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2014-07-18 19:14:53 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1065045, 1065205, 1065206 | ||
Bug Blocks: | 1065209 |
Description
Kurt Seifried
2014-02-14 05:24:38 UTC
Acknowledgements: This issue was discovered by Andy Grimm of Red Hat. Kurt, It looks like this should be set for Product: OpenShift Online Component: Cartridge and not security response. I could be wrong but I don't think the developers will see it in this state. I see in brew: https://brewweb.devel.redhat.com/buildinfo?buildID=344773 Michal was the last person to make a change to that RPM. I fixed LD_LIBRARY_PATH problem there that cause problem when users have SCLized python/ruby/whatever inside cronjob, that env var was not exported properly. Kurt: There is a timeout inside the cron_runjob.sh script that is responsible for executing users scripts. This script have 'timeout' command in places as executor. See here: https://github.com/openshift/origin-server/blob/master/cartridges/openshift-origin-cartridge-cron/bin/cron_runjobs.sh#L72 (In reply to Tim Kramer from comment #5) > Kurt, > It looks like this should be set for > Product: OpenShift Online > Component: Cartridge > > and not security response. I could be wrong but I don't think the > developers will see it in this state. This is the CVE bug, what you're describing is the tracking bug https://bugzilla.redhat.com/show_bug.cgi?id=1065045 where the changes can be made. This was fixed publicly: https://github.com/openshift/origin-server/pull/4764 For what it's worth, this shipped as part of the OpenShift Enterprise 2.1 rebase. This issue has been addressed in following products: RHEL 6 Version of OpenShift Enterprise 2.1 Via RHBA-2014:0487 https://rhn.redhat.com/errata/RHBA-2014-0487.html |