Bug 1333461 (CVE-2016-3738)

Summary: CVE-2016-3738 origin: pod update allows docker socket access via build-pod
Product: [Other] Security Response
Reporter: Adam Mariš <amaris>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: bleanhar, ccoleman, dmcphers, jialiu, jkeck, jokerman, kseifried, lmeyer, mmccomas, security-response-team
Hardware: All
OS: Linux
Keywords: Security
Doc Type: Bug Fix
Doc Text:
A vulnerability was found in the STI build process in OpenShift Enterprise. Access to STI builds was not properly restricted, allowing an attacker to use STI builds to access the Docker socket and escalate their privileges.
Last Closed: 2016-05-20 00:21:25 UTC
Bug Depends On: 1333057
Bug Blocks: 1333463, 1335624

Description Adam Mariš 2016-05-05 14:58:09 UTC
It was reported that access to create STI builds is not tightly controlled. An STI build has access to the docker socket, and regular users are allowed to update pods and change the container image. This can result in a regular user creating an STI build and updating the pod to run an evil image, effectively taking control of the node.

Product bug:

https://bugzilla.redhat.com/show_bug.cgi?id=1333057

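The precondition the report describes, a pod that mounts the node's Docker socket, is something an administrator can enumerate before worrying about who may update the pod. The following script is an added example, not Red Hat's or OpenShift's code: it takes a pod list in the JSON shape that `oc get pods --all-namespaces -o json` returns and reports every container that mounts /var/run/docker.sock, including the case where a hostPath volume exposes a parent directory such as /var/run or / rather than the socket itself. The pod manifests, namespaces and image names in it are constructed for the example.

```python
"""Enumerate containers that can reach the node's Docker socket.

Added example (not Red Hat's or OpenShift's code). Input is a pod list in the
JSON shape that `oc get pods --all-namespaces -o json` produces. A container
that can talk to /var/run/docker.sock controls the node, so any principal who
may update such a pod's image (the situation in this report) can escalate.
"""
import json
import posixpath

DOCKER_SOCKET = "/var/run/docker.sock"

# Constructed sample pod list: an STI build pod mounting the socket directly,
# an ordinary application pod, and a pod mounting all of /var/run.
SAMPLE_POD_LIST = json.dumps({
    "kind": "List",
    "items": [
        {
            "metadata": {"name": "myapp-1-build", "namespace": "dev",
                         "annotations": {"openshift.io/build.name": "myapp-1"}},
            "spec": {
                "volumes": [{"name": "docker-socket",
                             "hostPath": {"path": "/var/run/docker.sock"}}],
                "containers": [{"name": "sti-build",
                                "image": "registry.example.com/sti-builder:latest",
                                "volumeMounts": [{"name": "docker-socket",
                                                  "mountPath": "/var/run/docker.sock"}]}],
            },
        },
        {
            "metadata": {"name": "myapp-1-abc12", "namespace": "prod"},
            "spec": {
                "volumes": [{"name": "scratch", "emptyDir": {}}],
                "containers": [{"name": "web",
                                "image": "registry.example.com/myapp:1.0",
                                "volumeMounts": [{"name": "scratch", "mountPath": "/tmp"}]}],
            },
        },
        {
            "metadata": {"name": "node-agent-7", "namespace": "infra"},
            "spec": {
                "volumes": [{"name": "run", "hostPath": {"path": "/var/run/"}}],
                "containers": [{"name": "agent",
                                "image": "registry.example.com/agent:1.0",
                                "volumeMounts": [{"name": "run", "mountPath": "/host/run"}]}],
            },
        },
    ],
})


def exposes_socket(host_path):
    """True if a hostPath volume rooted at host_path contains the Docker socket.

    Mounting /var/run or / exposes the socket just as mounting it directly does,
    so the check is "socket equals path or lies beneath it", not string equality.
    """
    path = posixpath.normpath(host_path)
    return path == DOCKER_SOCKET or DOCKER_SOCKET.startswith(path.rstrip("/") + "/")


def docker_socket_volumes(pod):
    """Names of the pod's hostPath volumes through which the socket is reachable."""
    names = set()
    for vol in pod.get("spec", {}).get("volumes") or []:
        host = vol.get("hostPath") or {}
        if "path" in host and exposes_socket(host["path"]):
            names.add(vol["name"])
    return names


def find_socket_mounts(pod_list_json):
    """Return (namespace, pod, container, image) for each container mounting the socket."""
    findings = []
    for pod in json.loads(pod_list_json).get("items", []):
        vol_names = docker_socket_volumes(pod)
        if not vol_names:
            continue  # no hostPath volume reaches the socket; nothing to report
        meta = pod["metadata"]
        for container in pod["spec"].get("containers", []):
            for mount in container.get("volumeMounts") or []:
                if mount.get("name") in vol_names:
                    findings.append((meta.get("namespace", "default"), meta["name"],
                                     container["name"], container["image"]))
                    break  # one finding per container is enough
    return findings


if __name__ == "__main__":
    for namespace, pod, container, image in find_socket_mounts(SAMPLE_POD_LIST):
        print(f"{namespace}/{pod} container={container} image={image} mounts the Docker socket")
```

To run it against a live cluster, replace SAMPLE_POD_LIST with the saved output of the `oc get` command above. Every pod it lists is one where the ability to update the pod spec, which this report says regular users had, is equivalent to root on the node, so the namespaces it names are the ones whose pod-update permissions need to be reviewed.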
Comment 1 Adam Mariš 2016-05-05 14:58:16 UTC
Acknowledgments:

Name: David Eads (Red Hat)

Comment 2 errata-xmlrpc 2016-05-19 20:13:55 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Enterprise 3.2

Via RHSA-2016:1094 https://access.redhat.com/errata/RHSA-2016:1094