Bug 1297916 (CVE-2016-1906)

Summary: CVE-2016-1906 Kubernetes api server: build config to a strategy that isn't allowed by policy
Product: [Other] Security Response Reporter: Kurt Seifried <kseifried>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: bleanhar, carnil, ccoleman, dmcphers, jburrell, jchaloup, jialiu, jkeck, jokerman, kseifried, lmeyer, mmccomas, slong
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
An authorization flaw was discovered in Kubernetes; the API server did not properly check user permissions when handling certain build-configuration strategies. A remote attacker could create build configurations with strategies that violate policy. Although the attacker could not launch the build themselves (launch fails when the policy is violated), if the build configuration files were later launched by other privileged services (such as automated triggers), user privileges could be bypassed allowing attacker escalation.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2016-03-22 04:37:12 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1297917, 1297918    
Bug Blocks: 1297922, 1298133    

Description Kurt Seifried 2016-01-12 18:43:02 UTC 
Kubernetes api server: build config to a strategy that isn't allowed by policy

External reference:
https://github.com/openshift/origin/issues/6556
https://github.com/openshift/origin/pull/6576
Comment 2 Kurt Seifried 2016-01-13 18:39:14 UTC 
*** Bug 1298128 has been marked as a duplicate of this bug. ***
Comment 3 errata-xmlrpc 2016-01-26 19:21:01 UTC 
This issue has been addressed in the following products:

  RHEL 7 Version of OpenShift Enterprise 3.1

Via RHSA-2016:0070 https://access.redhat.com/errata/RHSA-2016:0070
Comment 4 errata-xmlrpc 2016-03-03 16:23:01 UTC 
This issue has been addressed in the following products:

  RHEL 7 Version of OpenShift Enterprise 3.0

Via RHSA-2016:0351 https://access.redhat.com/errata/RHSA-2016:0351