Bug 1501986 (CVE-2017-12195)

Summary: CVE-2017-12195 OpenShift Enterprise 3: authentication bypass for elasticsearch with external routes
Product: [Other] Security Response Reporter: Kurt Seifried <kseifried>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: ahardin, anli, bleanhar, ccoleman, dbaker, dedgar, dmcphers, jcantril, jgoulding, jkeck, juzhao, kseifried, lrock, mknowles, pportant, rmeggins, security-response-team, smunilla, wsun, xtian
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
An attacker with knowledge of the given name used to authenticate and access Elasticsearch can later access it without the token, bypassing authentication. This attack also requires that the Elasticsearch be configured with an external route, and the data accessed is limited to the indices.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2017-12-15 04:42:30 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1500086, 1501987, 1510117, 1510118, 1518397    
Bug Blocks: 1500758    

Description Kurt Seifried 2017-10-13 16:10:49 UTC 
Rich Megginson of Red Hat reports:

When deploying Openshift with logging using Elasticsearch exposed as an external route it is possible for an attacker to connect to Elasticsearch without authentication.
Comment 1 Kurt Seifried 2017-10-13 16:10:54 UTC 
Acknowledgments:

Name: Rich Megginson (Red Hat)
Comment 10 Rich Megginson 2017-11-02 21:48:09 UTC 
I'm still waiting to hear if I need a separate errata for OSE 3.7, or if it is still possible to get this into 3.7.0.

I will need errata for 3.6, 3.5, and 3.4.  That means I will need bz for those releases.  There is already a 3.5 bz: https://bugzilla.redhat.com/show_bug.cgi?id=1501987

There is another bz attached to this bug: https://bugzilla.redhat.com/show_bug.cgi?id=1500758 I cannot view this - is this a 3.6 or 3.4 bz?
Comment 18 errata-xmlrpc 2017-11-28 21:50:02 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.7

Via RHSA-2017:3188 https://access.redhat.com/errata/RHSA-2017:3188
Comment 21 errata-xmlrpc 2017-12-07 07:10:11 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.6
  Red Hat OpenShift Container Platform 3.5
  Red Hat OpenShift Container Platform 3.4

Via RHSA-2017:3389 https://access.redhat.com/errata/RHSA-2017:3389
Comment 22 Mark Knowles 2017-12-15 04:42:30 UTC 
Elasicsearch authentication can be bypassed when external routes are used with OpenShift Enterprise.

Upstream bug:

https://github.com/openshift/origin-aggregated-logging/pull/826