Bug 1083858 (CVE-2014-0163)
Summary: | CVE-2014-0163 Openshift: Multiple shell command injection flaws | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Garth Mollett <gmollett> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED WONTFIX | QA Contact: | |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | unspecified | CC: | bleanhar, ccoleman, dmcphers, jdetiber, jialiu, jkeck, jrusnack, lmeyer, mmcgrath, security-response-team |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2014-12-04 06:19:37 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1082972, 1160122, 1187463 | ||
Bug Blocks: | 1083866 |
Description
Garth Mollett
2014-04-03 06:06:44 UTC
This issue is only exploitable if the attacker has shell access to the broker node, which should never be allowed in production. As such the impact has been downgraded from critical to important. Statement: This issue affects the versions of rubygem-openshift-origin-node as shipped with Red Hat OpenShift Enterprise 2. Red Hat Product Security has rated this issue as having Important security impact, however this issue only affects systems using a non supported configuration (e.g. broker and node on the same host, or untrusted users on the broker servers). A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/. Created rubygem-openshift-origin-node tracking bugs for this issue: Affects: fedora-all [bug 1187463] |