Summary: CVE-2014-0084 rubygem-openshift-origin-node: cron.daily/cron.weekly denial of service
Product: [Other] Security Response
Reporter: Kurt Seifried <kseifried>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Version: unspecified
CC: bleanhar, ccoleman, dmcphers, jdetiber, jialiu, jrusnack, kseifried, lmeyer, mfojtik, mmcgrath, security-response-team
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Last Closed: 2014-07-18 19:14:53 UTC
Type: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On: 1065045, 1065205, 1065206
Description Kurt Seifried 2014-02-14 05:24:38 UTC
Andy Grimm of Red Hat reports:

OpenShift uses /etc/cron.daily/openshift-origin-cron-daily to run:

    /usr/bin/oo-scheduled-jobs run daily &> /dev/null

This in turn runs all the user gears' cron.daily content. If these cron jobs take a long time to run, it will prevent further OpenShift gears' cron.daily from being run in a timely manner, if at all. The same goes for /etc/cron.weekly/openshift-origin-cron-weekly.
Comment 3 Kurt Seifried 2014-02-14 06:05:20 UTC
Acknowledgements: This issue was discovered by Andy Grimm of Red Hat.
Comment 5 Tim Kramer 2014-03-19 21:07:17 UTC
Kurt,

It looks like this should be set for

Product: OpenShift Online
Component: Cartridge

and not security response. I could be wrong, but I don't think the developers will see it in this state.

I see in brew: https://brewweb.devel.redhat.com/buildinfo?buildID=344773

Michal was the last person to make a change to that RPM.
Comment 6 Michal Fojtik 2014-03-19 21:39:35 UTC
I fixed the LD_LIBRARY_PATH problem there that caused problems when users have SCLized python/ruby/whatever inside a cronjob; that env var was not exported properly.

Kurt: There is a timeout inside the cron_runjobs.sh script that is responsible for executing users' scripts. This script has the 'timeout' command in place as executor. See here: https://github.com/openshift/origin-server/blob/master/cartridges/openshift-origin-cartridge-cron/bin/cron_runjobs.sh#L72
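As an added illustration of the per-job timeout Michal refers to (example code written for this page, not OpenShift's cron_runjobs.sh): each gear's cron.daily jobs run under coreutils timeout(1), so a hung job in one gear is killed and the next gear still gets its turn. The gear layout under a temp dir, the JOB_TIMEOUT value and the helper names are assumptions for the demo.

```shell
#!/bin/sh
# Hypothetical per-job timeout runner, not OpenShift's cron_runjobs.sh: every job in a
# gear's cron.<freq> directory runs under coreutils timeout(1), so one hung job is killed
# after JOB_TIMEOUT seconds and the remaining gears still get their turn.
JOB_TIMEOUT="${JOB_TIMEOUT:-2}"   # seconds allowed per job (constructed demo value)

# Run every executable in $1/.openshift/cron/$2; print one "ok|timeout|failed <job>" line each.
run_gear_jobs() {
    jobs_dir="$1/.openshift/cron/$2"
    [ -d "$jobs_dir" ] || return 0
    for job in "$jobs_dir"/*; do
        [ -x "$job" ] || continue
        if timeout "$JOB_TIMEOUT" "$job" >/dev/null 2>&1; then
            echo "ok $job"
        elif [ "$?" -eq 124 ]; then     # 124: timeout(1) killed the job
            echo "timeout $job"
        else
            echo "failed $job"
        fi
    done
    return 0
}

# Walk every gear under $1 (think /var/lib/openshift) for one frequency: daily or weekly.
run_all_gears() {
    for gear in "$1"/*; do
        [ -d "$gear" ] && run_gear_jobs "$gear" "$2"
    done
    return 0
}

# Constructed demo layout in a temp dir: gear-a's job hangs, gear-b's job is instant.
make_demo_gears() {
    root=$(mktemp -d)
    for g in gear-a gear-b; do mkdir -p "$root/$g/.openshift/cron/daily"; done
    printf '#!/bin/sh\nexec sleep 60\n' > "$root/gear-a/.openshift/cron/daily/hang"
    printf '#!/bin/sh\nexit 0\n'        > "$root/gear-b/.openshift/cron/daily/quick"
    chmod +x "$root"/*/.openshift/cron/daily/*
    echo "$root"
}

demo_root=$(make_demo_gears)
trap 'rm -rf "$demo_root"' EXIT
run_all_gears "$demo_root" daily    # gear-b's job still runs about 2 s later, despite gear-a hanging
```

Without the timeout wrapper, the same walk would block on gear-a's job for its full runtime before gear-b's job was ever started.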
Comment 7 Kurt Seifried 2014-03-20 02:26:26 UTC
(In reply to Tim Kramer from comment #5)
> Kurt,
> It looks like this should be set for
> Product: OpenShift Online
> Component: Cartridge
>
> and not security response. I could be wrong but I don't think the
> developers will see it in this state.

This is the CVE bug; what you're describing is the tracking bug https://bugzilla.redhat.com/show_bug.cgi?id=1065045 where the changes can be made.
Comment 9 Kurt Seifried 2014-07-18 01:43:02 UTC
This was fixed publicly: https://github.com/openshift/origin-server/pull/4764
Comment 10 Brenton Leanhardt 2014-07-18 12:14:55 UTC
For what it's worth, this shipped as part of the OpenShift Enterprise 2.1 rebase.