Bug 1443003 (CVE-2017-7534)
| Field | Value |
|---|---|
| Summary | CVE-2017-7534 openshift: XSS in log viewer for a pod |
| Product | [Other] Security Response |
| Reporter | Adam Mariš <amaris> |
| Component | vulnerability |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED CURRENTRELEASE |
| Severity | medium |
| Priority | medium |
| Version | unspecified |
| CC | abhgupta, ahardin, amaris, bleanhar, ccoleman, cshereme, dedgar, dmcphers, dominik.mierzejewski, eparis, jforrest, jgoulding, jialiu, jkeck, joelsmith, jokerman, jshepherd, kseifried, mchappel, mmccomas, security-response-team, smunilla, spadgett, swells, tdawson, tiwillia, xtian, yapei |
| Target Milestone | --- |
| Keywords | NeedsTestCase, Security |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Doc Type | If docs needed, set a value |
| Doc Text | OpenShift Enterprise is vulnerable to a stored XSS via the log viewer for pods. The flaw is due to a lack of sanitization of user input, specifically terminal escape characters, combined with the automatic creation of clickable links when viewing the log files for a pod. |
| Story Points | --- |
| Last Closed | 2018-07-19 18:30:55 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Bug Depends On | 1470437, 1470438, 1470439, 1470440, 1565709, 1575101, 1575102, 1575103, 1575104 |
| Bug Blocks | 1443004 |
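The Doc Text names the two ingredients of this bug: terminal escape sequences in pod output reaching the page unsanitized, and the viewer turning text into clickable links. The following added example (not OpenShift's or ansi_up's own code; function names and the sample log line are constructed) shows the safe ordering for such a renderer: every piece of log text is HTML-escaped before any colour span or anchor is generated, only http(s) URLs are linkified, and stray control characters are dropped instead of forwarded to the DOM.

```javascript
// Added example (not OpenShift's or ansi_up's own code): render one pod log
// line to HTML so ANSI colour codes become <span>s and http(s) URLs become
// links, while markup the application wrote into its stdout stays inert text.

const SGR_COLORS = { 31: 'red', 32: 'green', 33: 'yellow', 34: 'blue' };
const URL_RE = /https?:\/\/[^\s<>"'`]+/g;
// Tokens: an SGR colour sequence (ESC [ n ; n m), any other control character
// (dropped, never forwarded to the DOM), or a run of printable text.
const TOKEN_RE = /\x1b\[([0-9;]*)m|[\x00-\x08\x0b-\x1f\x7f]|([^\x00-\x08\x0b-\x1f\x7f]+)/g;

// Escape HTML metacharacters; applied to every piece of log text, including the
// URL that ends up inside the href attribute.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Find URLs in the raw text first, then escape each piece separately, so a log
// line cannot smuggle markup through either the text or the generated anchor.
function linkifyText(text) {
  let out = '';
  let last = 0;
  for (const m of text.matchAll(URL_RE)) {
    out += escapeHtml(text.slice(last, m.index));
    const url = escapeHtml(m[0]);   // only http(s) matched, so no javascript: links
    out += `<a href="${url}" rel="noopener noreferrer" target="_blank">${url}</a>`;
    last = m.index + m[0].length;
  }
  return out + escapeHtml(text.slice(last));
}

function renderLogLine(line) {
  let html = '';
  let open = false;
  for (const m of line.matchAll(TOKEN_RE)) {
    if (m[2] !== undefined) {                 // printable text run
      html += linkifyText(m[2]);
    } else if (m[1] !== undefined) {          // SGR sequence; unknown codes act as reset
      const codes = m[1] === '' ? [0] : m[1].split(';').map(Number);
      for (const code of codes) {
        if (open) { html += '</span>'; open = false; }
        if (SGR_COLORS[code]) { html += `<span style="color:${SGR_COLORS[code]}">`; open = true; }
      }
    }                                         // else: stray control character, dropped
  }
  return open ? html + '</span>' : html;
}

// Constructed sample line: a coloured method, an HTML tag and a URL in the output.
const SAMPLE = '\x1b[32mGET\x1b[0m /health <script>alert(1)</script> https://example.com/docs?a=1&b=2';
console.log(renderLogLine(SAMPLE));
```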
Description
Adam Mariš
2017-04-18 09:24:03 UTC
Acknowledgments: Name: Jeandre Le Roux (LSD Information Technology)

Could you also share the reproducer to me as well so QE could verify the fix?

Cancelling the request because I've got the reproducer from xiaoli.

Hello - Friendly nudge on this. Is there a timeline for when this CVE will be patched?

(In reply to Shawn Wells from comment #15)
> Hello - Friendly nudge on this. Is there a timeline for when this CVE will be patched?

Context: Customer is doing a security evaluation of OpenShift and we're getting dinged on OpenShift having known XSS vulnerabilities that have remained unpatched for several months. Red Hat's ability to provide security patches for products is being challenged.

This issue has been fixed in:
- 3.9 https://access.redhat.com/errata/RHBA-2018:1566
- 3.7 https://access.redhat.com/errata/RHBA-2018:1576
- 3.6 https://access.redhat.com/errata/RHBA-2018:1579
- 3.4 https://access.redhat.com/errata/RHBA-2018:1236

Unfortunately those errata were not done as security errata, so the CVE page has not been automatically updated with the links.

Thanks for the fast responses everyone! Immediate needs were addressed. Since errata were issued for this BZ, how do we get it closed? Currently it shows as a public (known) vulnerability for OpenShift.

Thanks to Jason's comments we can now point to security errata though! We apologize for the confusion around this bug and we've taken steps to avoid it in the future. If there's anything needed from us to update the CVE page, just let us know.

Currently NIST shows this CVE as having no patches from Red Hat: https://nvd.nist.gov/vuln/detail/CVE-2017-7534

The NIST page does point back to this BZ, so truly interested parties can read the discussion and get the errata links. However, because NIST shows no patches as being released, customers are still getting vulnerability reports showing OpenShift was never patched/currently is vulnerable. This means each OpenShift deployment that's being scanned with tools like Tenable Security Center has to track this down. I think there are two questions:
- How do we get the NIST webpage updated to reflect patches were released?
- How do we get Red Hat's CVE page [0] updated to reflect patches were released?

[0] https://access.redhat.com/security/cve/cve-2017-7534

Is 3.2 affected by this, too?

It was decided that OCP 3.2 was not affected because this is actually a problem in ansi_up, not in the openshift code itself.

ansi_up was added to the OpenShift web console in 3.2, so 3.2 is affected.