Bug 1732508 (CVE-2019-10214)
| Summary: | CVE-2019-10214 containers/image: not enforcing TLS when sending username+password credentials to token servers leading to credential disclosure | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Marian Rehak <mrehak> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | adam.kaplan, ahardin, ajia, aos-bugs, bbaude, bleanhar, bmontgom, ccoleman, dedgar, dwalsh, eparis, jburrell, jgoulding, jligon, jnovy, jokerman, jshepherd, lsm5, mchappel, mheon, mitr, mpatel, nmavrogi, nstielau, rphillips, security-response-team, sponnaga, wzheng |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | containers-image 3.0.0 | Doc Type: | If docs needed, set a value |
| Doc Text: |
The containers/image library used by the container tools Podman, Buildah, and Skopeo in Red Hat Enterprise Linux version 8 and CRI-O in OpenShift Container Platform, does not enforce TLS connections to the container registry authorization service. An attacker could use this vulnerability to launch a MiTM attack and steal login credentials or bearer tokens.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-09-24 00:45:36 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1734645, 1734646, 1734647, 1734648, 1734649, 1734650, 1734651, 1734652, 1734653, 1734654, 1734655, 1734656, 1734657, 1734658, 1734659, 1734660, 1752741, 1752742, 1752822, 1752823, 1752834, 1754695, 1754696, 1755411 | ||
| Bug Blocks: | 1732509 | ||
|
Description
Marian Rehak
2019-07-23 13:56:10 UTC
Acknowledgments: Name: Miloslav Trmač (Red Hat) All tracking bugs are now in MODIFIED state. This issue has been addressed in the following products: Red Hat OpenShift Container Platform 3.11 Via RHSA-2019:2817 https://access.redhat.com/errata/RHSA-2019:2817 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-10214 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.1 Via RHSA-2019:2825 https://access.redhat.com/errata/RHSA-2019:2825 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 3.10 Via RHSA-2019:2989 https://access.redhat.com/errata/RHSA-2019:2989 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.1 Via RHSA-2019:3007 https://access.redhat.com/errata/RHSA-2019:3007 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2019:3403 https://access.redhat.com/errata/RHSA-2019:3403 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2019:3494 https://access.redhat.com/errata/RHSA-2019:3494 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 3.9 Via RHSA-2019:3812 https://access.redhat.com/errata/RHSA-2019:3812 |