Bug 1443003 (CVE-2017-7534)

Summary: CVE-2017-7534 openshift: XSS in log viewer for a pod
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: abhgupta, ahardin, amaris, bleanhar, ccoleman, cshereme, dedgar, dmcphers, dominik.mierzejewski, eparis, jforrest, jgoulding, jialiu, jkeck, joelsmith, jokerman, jshepherd, kseifried, mchappel, mmccomas, security-response-team, smunilla, spadgett, swells, tdawson, tiwillia, xtian, yapei
Target Milestone: ---Keywords: NeedsTestCase, Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
OpenShift Enterprise is vulnerable to a stored XSS via the log viewer for pods. The flaw is due to lack of sanitation of user input, specifically terminal escape characters, and the creation of clickable links automatically when viewing the log files for a pod.
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-07-19 18:30:55 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1470437, 1470438, 1470439, 1470440, 1565709, 1575101, 1575102, 1575103, 1575104    
Bug Blocks: 1443004    

Description Adam Mariš 2017-04-18 09:24:03 UTC
It was found that log viewer for a pod doesn't properly handle terminal escape characters and automatic generation of clickable links from output, leading to XSS vulnerability.

Comment 1 Adam Mariš 2017-04-18 09:24:12 UTC
Acknowledgments:

Name: Jeandre Le Roux (LSD Information Technology)

Comment 12 Yadan Pei 2018-04-17 01:49:30 UTC
Could you also share the reproducer to me as well so QE could verify the fix?

Comment 13 Yadan Pei 2018-04-17 02:36:14 UTC
Cancelling the request because I've got the reproducer from xiaoli

Comment 15 Shawn Wells 2018-07-10 23:09:35 UTC
Hello - Friendly nudge on this. Is there a timeline for when this CVE will be patched?

Comment 16 Shawn Wells 2018-07-10 23:11:24 UTC
(In reply to Shawn Wells from comment #15)
> Hello - Friendly nudge on this. Is there a timeline for when this CVE will
> be patched?

Context: Customer is doing a security evaluation of OpenShift and we're getting dinged on OpenShift having known XSS vulnerabilities that have remained unpatched for several months. Red Hat's ability to provide security patches for products is being challenged.

Comment 20 Jason Shepherd 2018-07-11 23:45:10 UTC
This issue has been fixed in:
- 3.9 https://access.redhat.com/errata/RHBA-2018:1566
- 3.7 https://access.redhat.com/errata/RHBA-2018:1576
- 3.6 https://access.redhat.com/errata/RHBA-2018:1579
- 3.4 https://access.redhat.com/errata/RHBA-2018:1236

Unfortunately those errata were not done as security errata so the CVE page has not been automatically updated with the links.

Comment 21 Shawn Wells 2018-07-19 03:49:23 UTC
Thanks for the fast responses everyone! Immediate needs were addressed.

Since errata was issued for this BZ, how do we get it closed? Currently shows as a public (known) vulnerability for OpenShift. Thanks to Jason's comments we can now point to security errata though!

Comment 22 Brenton Leanhardt 2018-07-19 18:30:55 UTC
We apologize for the confusion around this bug and we've taken steps to avoid it in the future.  If there's anything needed from us to update the CVE page just let us know.

Comment 23 Shawn Wells 2018-07-19 18:36:38 UTC
Currently NIST shows this CVE as having no patches from Red Hat:
https://nvd.nist.gov/vuln/detail/CVE-2017-7534

The NIST page does point back to this BZ so truly interested parties can read the discussion and get the errata links. However because NIST shows no patches as being released customers are still getting vulnerability reports showing OpenShift was never patched/currently is vulnerable. Means each OpenShift deployment that's being scanned with tools like Tenable Security Center have to track this down.

I think there are two questions:
- How do we get the NIST webpage updated to reflect patches were released?
- How do we get Red Hat's CVE page [0] updated to reflect patches were released?

[0] https://access.redhat.com/security/cve/cve-2017-7534

Comment 24 Dominik Mierzejewski 2018-08-06 14:34:57 UTC
Is 3.2 affected by this, too?

Comment 25 Jason Shepherd 2018-08-07 00:58:47 UTC
It was decided that OCP 3.2 was not affected because this is actually a problem in ansi_up, not in the openshift code itself.

Comment 26 Samuel Padgett 2018-08-07 15:28:31 UTC
ansi_up was added to OpenShift web console in 3.2, so 3.2 is affected.