Bug 1255536

Summary: OpenShift3: SecurityContextConstraints name reuse leading to privilege escalation
Product: [Other] Security Response Reporter: Kurt Seifried <kseifried>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: bleanhar, ccoleman, dmcphers, jdetiber, jialiu, jkeck, jokerman, kseifried, lmeyer, mmccomas, pweil
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-09-10 18:17:58 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1255338    
Bug Blocks: 1255539    

Description Kurt Seifried 2015-08-20 20:44:03 UTC 
Aleksandar Kostadinov of Red Hat reports:

In OpenShift v3 you can create a SCC (SecurityContextConstraints) to allow 
privileged docker containers in a project. If that project is later deleted the 
SCC is left in the system and is not deleted. If another project is then created
with the same name as the original project the exisitng privileged SCC will be 
applied to it.
Comment 1 Paul Weil 2015-09-10 18:16:19 UTC 
This is operating as expected.  It is up to the administrator to manage the SCC.  They may choose to make entries in the SCC for users, groups, or service accounts that may or may not exist at the time.  Cleaning unknown references would prevent that workflow.

Currently, administrators may also exercise more control over this by not allowing project administrators to delete projects.

Created a card to add an optional finalizer as an enhancement: https://trello.com/c/KicH8TSC/513-scc-optional-finalizer
Comment 2 Adam Mariš 2015-09-14 08:30:14 UTC 
CVE was rejected.