Summary: CVE-2017-7534 openshift: XSS in log viewer for a pod
Product: [Other] Security Response
Reporter: Adam Mariš <amaris>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE
QA Contact:
Version: unspecified
CC: abhgupta, ahardin, amaris, bleanhar, ccoleman, cshereme, dedgar, dmcphers, dominik.mierzejewski, eparis, jforrest, jgoulding, jialiu, jkeck, joelsmith, jokerman, jshepherd, kseifried, mchappel, mmccomas, security-response-team, smunilla, spadgett, swells, tdawson, tiwillia, xtian, yapei
Target Milestone: ---
Keywords: NeedsTestCase, Security
Fixed In Version:
Doc Type: If docs needed, set a value
OpenShift Enterprise is vulnerable to a stored XSS via the log viewer for pods. The flaw is due to lack of sanitation of user input, specifically terminal escape characters, and the creation of clickable links automatically when viewing the log files for a pod.
Last Closed: 2018-07-19 18:30:55 UTC
Type: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On: 1470437, 1470438, 1470439, 1470440, 1565709, 1575101, 1575102, 1575103, 1575104
Description Adam Mariš 2017-04-18 09:24:03 UTC
It was found that the log viewer for a pod doesn't properly handle terminal escape characters and automatic generation of clickable links from output, leading to an XSS vulnerability.
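As an added illustration, not code from OpenShift, ansi_up or the reporter: a minimal log-line renderer that treats both halves of the finding (raw terminal escape sequences and automatic link creation) as untrusted input. The function names, the CSS class names and the sample strings are constructed for this example.

```javascript
// Added example (not OpenShift or ansi_up code): render one line of pod log
// output as HTML. Raw ESC sequences never reach the page: SGR colours 30-37
// become <span>s and every other escape sequence (cursor movement such as
// ESC[2K, OSC hyperlinks, ...) is dropped. URLs are linkified from the
// tokenised plain text, so auto-linking cannot carry markup into the page,
// and only http(s) schemes are eligible to become anchors.

const ESCAPE_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const escapeHtml = (s) => s.replace(/[&<>"']/g, (c) => ESCAPE_MAP[c]);

const SGR_COLOURS = ['black', 'red', 'green', 'yellow', 'blue', 'magenta', 'cyan', 'white'];

// CSI (ESC [ params final-byte), OSC (ESC ] ... BEL or ST) and any other two-byte ESC sequence.
const ESC_RE = /\x1b\[([0-9;?]*)([\x40-\x7e])|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)?|\x1b[\x40-\x5f]/g;
// Only http(s) URLs match; javascript: or data: text is left as escaped plain text.
const URL_RE = /https?:\/\/[^\s<>"'\x00-\x1f]+/g;

function linkifyPlain(text) {
  // Escape the non-URL runs and the URL itself before building the anchor,
  // so both the attribute value and the element body are protected.
  let out = '', last = 0;
  for (const m of text.matchAll(URL_RE)) {
    out += escapeHtml(text.slice(last, m.index));
    const url = escapeHtml(m[0]);
    out += `<a href="${url}" rel="noopener noreferrer">${url}</a>`;
    last = m.index + m[0].length;
  }
  return out + escapeHtml(text.slice(last));
}

function renderLogLine(raw) {
  let html = '', last = 0, open = false;
  const close = () => { if (open) { html += '</span>'; open = false; } };
  for (const m of raw.matchAll(ESC_RE)) {
    html += linkifyPlain(raw.slice(last, m.index));
    last = m.index + m[0].length;
    if (m[2] !== 'm') continue;              // not an SGR sequence: dropped
    for (const p of m[1].split(';')) {        // ESC[m (empty params) means reset
      const n = Number(p);
      if (n === 0) close();
      else if (n >= 30 && n <= 37) { close(); html += `<span class="ansi-${SGR_COLOURS[n - 30]}">`; open = true; }
      // other SGR attributes (bold, 256-colour, ...) are ignored in this example
    }
  }
  html += linkifyPlain(raw.slice(last));
  close();
  return html;
}
```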
Comment 1 Adam Mariš 2017-04-18 09:24:12 UTC
Acknowledgments: Name: Jeandre Le Roux (LSD Information Technology)
Comment 12 Yadan Pei 2018-04-17 01:49:30 UTC
Could you also share the reproducer to me as well so QE could verify the fix?
Comment 13 Yadan Pei 2018-04-17 02:36:14 UTC
Cancelling the request because I've got the reproducer from xiaoli
Comment 15 Shawn Wells 2018-07-10 23:09:35 UTC
Hello - Friendly nudge on this. Is there a timeline for when this CVE will be patched?
Comment 16 Shawn Wells 2018-07-10 23:11:24 UTC
(In reply to Shawn Wells from comment #15)
> Hello - Friendly nudge on this. Is there a timeline for when this CVE will
> be patched?
Context: Customer is doing a security evaluation of OpenShift and we're getting dinged on OpenShift having known XSS vulnerabilities that have remained unpatched for several months. Red Hat's ability to provide security patches for products is being challenged.
Comment 20 Jason Shepherd 2018-07-11 23:45:10 UTC
This issue has been fixed in:
- 3.9 https://access.redhat.com/errata/RHBA-2018:1566
- 3.7 https://access.redhat.com/errata/RHBA-2018:1576
- 3.6 https://access.redhat.com/errata/RHBA-2018:1579
- 3.4 https://access.redhat.com/errata/RHBA-2018:1236
Unfortunately those errata were not done as security errata, so the CVE page has not been automatically updated with the links.
Comment 21 Shawn Wells 2018-07-19 03:49:23 UTC
Thanks for the fast responses everyone! Immediate needs were addressed. Since errata was issued for this BZ, how do we get it closed? Currently shows as a public (known) vulnerability for OpenShift. Thanks to Jason's comments we can now point to security errata though!
Comment 22 Brenton Leanhardt 2018-07-19 18:30:55 UTC
We apologize for the confusion around this bug and we've taken steps to avoid it in the future. If there's anything needed from us to update the CVE page just let us know.
Comment 23 Shawn Wells 2018-07-19 18:36:38 UTC
Currently NIST shows this CVE as having no patches from Red Hat: https://nvd.nist.gov/vuln/detail/CVE-2017-7534
The NIST page does point back to this BZ, so truly interested parties can read the discussion and get the errata links. However, because NIST shows no patches as being released, customers are still getting vulnerability reports showing OpenShift was never patched/currently is vulnerable. This means each OpenShift deployment that's being scanned with tools like Tenable Security Center has to track this down.
I think there are two questions:
- How do we get the NIST webpage updated to reflect patches were released?
- How do we get Red Hat's CVE page updated to reflect patches were released? https://access.redhat.com/security/cve/cve-2017-7534
Comment 24 Dominik Mierzejewski 2018-08-06 14:34:57 UTC
Is 3.2 affected by this, too?
Comment 25 Jason Shepherd 2018-08-07 00:58:47 UTC
It was decided that OCP 3.2 was not affected because this is actually a problem in ansi_up, not in the openshift code itself.
Comment 26 Samuel Padgett 2018-08-07 15:28:31 UTC
ansi_up was added to OpenShift web console in 3.2, so 3.2 is affected.