Bug 1566191 (CVE-2017-15137)
| Summary: | CVE-2017-15137 atomic-openshift: image import whitelist can be bypassed by creating an imagestream or using oc tag | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Kurt Seifried <kseifried> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | ahardin, bleanhar, bparees, ccoleman, cshereme, dedgar, dominik.mierzejewski, jgoulding, jokerman, jshepherd, kseifried, mchappel, security-response-team |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | The OpenShift image import whitelist failed to enforce restrictions correctly when running commands such as "oc tag", for example. This could allow a user with access to OpenShift to run images from registries that should not be allowed. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2018-04-11 18:22:30 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1505315, 1566192, 1619682 | | |
| Bug Blocks: | 1513925 | | |
Description
Kurt Seifried
2018-04-11 18:08:23 UTC

Acknowledgments: Name: Ben Parees (Red Hat)

This was fixed in the release of OpenShift 3.9 via RHBA-2018:0489

Is OpenShift 3.7 affected as well?

Dominik: Yes. Would you like to request a backport of this issue? It is only rated moderate, so please provide the reason why you require it.

Thanks for confirmation, Jason. Please have the corresponding security advisory (https://access.redhat.com/security/cve/cve-2017-15137) updated with this information, then. I'll open a case requesting a backport.

According to our support lifecycle for OpenShift Container Platform, Red Hat is not obliged to backport moderate issues to earlier minor versions. It states "Customers are expected to upgrade their OpenShift environment to the most current supported version". Is there any reason you can't upgrade, or do you think the impact rating needs to be reviewed? https://access.redhat.com/support/policy/updates/openshift

I've confirmed that this vulnerability doesn't affect OCP 3.7 because the ability to whitelist image repositories was only added in 3.9. I've added a statement to https://access.redhat.com/security/cve/cve-2017-15137 to that effect.