Bug 1131680 (CVE-2014-3602)
| Summary: | CVE-2014-3602 OpenShift: /proc/net/tcp information disclosure | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Kurt Seifried <kseifried> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | | |
| Version: | unspecified | CC: | bleanhar, ccoleman, dmcphers, erich, jdetiber, jhonce, jialiu, jkeck, jokerman, jrusnack, kseifried, lmeyer, miguel, mmccomas, mmcgrath, pablo.iranzo, pep, rchopra |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | It was found that OpenShift Enterprise did not restrict access to the /proc/net/tcp file in gears, which allowed local users to view all listening connections and connected sockets. This could expose the IP addresses and port numbers of remote systems in use, which may be useful for further targeted attacks. | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2015-01-17 04:38:05 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1131804, 1151561, 1165395 | | |
| Bug Blocks: | 1024531, 767033, 1131681, 1148171 | | |
Description
Kurt Seifried
2014-08-19 19:49:43 UTC
*** Bug 817596 has been marked as a duplicate of this bug. ***

*** Bug 1147598 has been marked as a duplicate of this bug. ***

This issue has been addressed in the following products:

RHEL 6 Version of OpenShift Enterprise 2.2

Via RHSA-2014:1796 https://rhn.redhat.com/errata/RHSA-2014-1796.html

Issue Description: It was found that OpenShift Enterprise did not restrict access to the /proc/net/tcp file in gears, which allowed local users to view all listening connections and connected sockets. This could expose the IP addresses and port numbers of remote systems in use, which may be useful for further targeted attacks.

This issue has been addressed in the following products:

RHEL 6 Version of OpenShift Enterprise 2.1

Via RHSA-2014:1906 https://rhn.redhat.com/errata/RHSA-2014-1906.html