Bug 1255120 (CVE-2015-5222)

Summary: CVE-2015-5222 OpenShift3: Exec operations should be forbidden to privileged pods such as builder pods
Product: [Other] Security Response
Reporter: Kurt Seifried <kseifried>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: bleanhar, ccoleman, dmcphers, jdetiber, jialiu, jkeck, jokerman, jrusnack, kseifried, lmeyer, mmccomas
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Doc Text:
An improper permission check issue was discovered in the server admission control component in OpenShift. A user with build permissions could use this flaw to execute arbitrary shell commands on a build pod with the privileges of the root user.
Story Points: ---
Last Closed: 2015-08-20 19:36:57 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1255022
Bug Blocks: 1255125

Description Kurt Seifried 2015-08-19 17:02:17 UTC
Cesar Wong of Red Hat reports:

Exec operations should be forbidden to privileged pods such as builder pods because they have privileged access to nodes. Currently, you can exec into any builder pod, getting privileged root access to the node it's running on.
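The admission rule the report asks for, as an added Go example written for this page (not OpenShift's own admission code); the Pod and Container types are simplified stand-ins for the real API objects:

```go
package main

import "fmt"

// Simplified stand-ins for the pod fields the check needs (assumed shapes, not the real API types).
type SecurityContext struct{ Privileged bool }

type Container struct {
	Name            string
	SecurityContext *SecurityContext
}

type Pod struct {
	Name, Namespace string
	Containers      []Container
}

// IsPrivileged is true if any container runs privileged, which is what gives a builder pod root on its node.
func (p *Pod) IsPrivileged() bool {
	for _, c := range p.Containers {
		if c.SecurityContext != nil && c.SecurityContext.Privileged {
			return true
		}
	}
	return false
}

// AdmitExec applies the rule from the report: the exec and attach subresources are denied
// on a privileged pod regardless of the caller's other permissions; other subresources pass.
func AdmitExec(subresource string, pod *Pod) (bool, string) {
	if subresource != "exec" && subresource != "attach" {
		return true, ""
	}
	if pod == nil {
		return false, "pod not found"
	}
	if pod.IsPrivileged() {
		return false, fmt.Sprintf("%s into privileged pod %s/%s is forbidden",
			subresource, pod.Namespace, pod.Name)
	}
	return true, ""
}

func main() {
	// Constructed sample: a builder pod with one privileged container.
	build := &Pod{Name: "app-1-build", Namespace: "proj", Containers: []Container{
		{Name: "sti-build", SecurityContext: &SecurityContext{Privileged: true}}}}
	fmt.Println(AdmitExec("exec", build)) // false exec into privileged pod proj/app-1-build is forbidden
}
```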

Comment 1 Kurt Seifried 2015-08-19 19:52:45 UTC
Acknowledgements:

This issue was discovered by Cesar Wong of the Red Hat OpenShift Enterprise Team.

Comment 2 errata-xmlrpc 2015-08-20 19:25:30 UTC
This issue has been addressed in the following products:

  RHEL 7 Version of OpenShift Enterprise 3.0

Via RHSA-2015:1650 https://access.redhat.com/errata/RHSA-2015:1650