Bug 1746238 (CVE-2019-14819)

Summary: CVE-2019-14819 openshift-ansible: dockergc service account incorrectly associated with namespace during upgrade
Product: [Other] Security Response
Reporter: Jason Shepherd <jshepherd>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: adahiya, ahardin, aos-bugs, bleanhar, bmontgom, ccoleman, dedgar, eparis, jburrell, jgoulding, jokerman, mchappel, nstielau, sponnaga
Keywords: Security
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found during the upgrade of an existing OpenShift Container Platform 3.x cluster. Using CRI-O, the dockergc service account is assigned to the current namespace of the user performing the upgrade. This flaw can allow an unprivileged user to escalate their privileges to those allowed by the privileged Security Context Constraints.
Last Closed: 2019-09-24 00:45:39 UTC
Bug Depends On: 1745202, 1746260
Bug Blocks: 1745647

Description Jason Shepherd 2019-08-28 04:03:48 UTC
During an upgrade of an existing OpenShift Container Platform 3.x cluster which is using CRI-O, the dockergc service account is assigned to the current namespace of the user performing the upgrade. This would allow an unprivileged user to escalate their privileges to those allowed by the privileged Security Context Constraints.

Comment 1 Jason Shepherd 2019-08-28 05:18:44 UTC
Upstream fix for OKD 3.11:

https://github.com/openshift/openshift-ansible/pull/11860

Comment 6 Jason Shepherd 2019-08-28 21:57:51 UTC
Statement:

If an upgrade was run with the openshift_crio_enable_docker_gc Ansible variable set to 'False', the cluster won't be affected. The default for the variable was set to 'True' before openshift-ansible-3.11.0-0.28.0, and after 3.10.x. See https://github.com/openshift/openshift-ansible/commit/bf5fbea4138f27313c5e4dcd683821975db8e443

Comment 7 Jason Shepherd 2019-09-20 01:06:52 UTC
Mitigation:

Make sure your kubeconfig (~/.kube/config) is using the 'default' context when executing or re-executing a cluster upgrade or install using the Ansible playbooks.
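
An added offline pre-flight check for the mitigation above (example code written for this page; it is not part of the bug report, the errata, or openshift-ansible). It resolves which namespace the kubeconfig's current context points at, which is where a vulnerable playbook run would create the dockergc service account, and it lists the namespaces in which a dockergc service account already exists so a stray one from an earlier upgrade can be found. The sample kubeconfig, the context and cluster names, the server address, and the service-account listing are all constructed for the demo.

```sh
#!/bin/sh
# Added example; not code from the bug report or from openshift-ansible.
# Both functions read from files so the checks run offline. Live equivalents:
#   oc config current-context
#   oc project -q
#   oc get sa --all-namespaces \
#      -o custom-columns=NS:.metadata.namespace,NAME:.metadata.name --no-headers

# Print the name of the kubeconfig's current context.  $1: kubeconfig path.
current_context() {
    sed -n 's/^current-context:[[:space:]]*//p' "$1" | head -n 1 | tr -d '"'
}

# Print the namespace of context $2 in kubeconfig $1.  A context with no
# namespace field resolves to "default", which is what the client does too.
context_namespace() {
    awk -v want="$2" '
        /^- context:/              { ns = "default" }
        /^[[:space:]]+namespace:/  { sub(/^[^:]*:[[:space:]]*/, ""); ns = $0 }
        /^[[:space:]]+name:/       { sub(/^[^:]*:[[:space:]]*/, ""); if ($0 == want) print ns }
    ' "$1"
}

# Exit 0 when the current context of kubeconfig $1 targets the "default"
# namespace, i.e. the playbooks may be (re-)run with it.
upgrade_kubeconfig_ok() {
    [ "$(context_namespace "$1" "$(current_context "$1")")" = "default" ]
}

# Print every namespace in a saved two-column (NAMESPACE NAME) service
# account listing ($1) that holds a service account called "dockergc".
dockergc_namespaces() {
    awk '$2 == "dockergc" { print $1 }' "$1"
}

# --- constructed sample data for a stand-alone run (not from a real cluster) ---
demo=$(mktemp -d)
cat > "$demo/kubeconfig" <<'EOF'
apiVersion: v1
kind: Config
clusters:
- cluster:
    server: https://master.example.com:8443
  name: master-example-com:8443
contexts:
- context:
    cluster: master-example-com:8443
    namespace: myproject
    user: alice/master-example-com:8443
  name: myproject/master-example-com:8443/alice
- context:
    cluster: master-example-com:8443
    namespace: default
    user: system:admin/master-example-com:8443
  name: default/master-example-com:8443/system:admin
current-context: myproject/master-example-com:8443/alice
users:
- name: alice/master-example-com:8443
  user:
    token: REDACTED
EOF
cat > "$demo/sa-listing" <<'EOF'
default          builder
default          dockergc
myproject        builder
myproject        dockergc
openshift-node   sync
EOF

ctx=$(current_context "$demo/kubeconfig")
echo "current context: $ctx (namespace: $(context_namespace "$demo/kubeconfig" "$ctx"))"
if upgrade_kubeconfig_ok "$demo/kubeconfig"; then
    echo "OK: playbooks would create dockergc in the default namespace"
else
    echo "STOP: switch to the 'default' context before re-running the playbooks"
fi
echo "namespaces holding a dockergc service account:"
dockergc_namespaces "$demo/sa-listing"
rm -rf "$demo"
```

In the constructed data the user's current context points at myproject, so the check refuses, and the listing shows a dockergc service account in both default and myproject; the myproject one is what an earlier vulnerable run from that context would have left behind and should be reviewed against the privileged SCC's membership before being cleaned up. The second context is the assumed system:admin one; switching to it (`oc config use-context <name>`) makes the check pass.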

Comment 8 Jason Shepherd 2019-09-20 01:11:40 UTC
This vulnerable code no longer exists in the 4.x branches, see:
https://github.com/openshift/openshift-ansible/tree/release-4.1

Comment 10 errata-xmlrpc 2019-09-23 20:02:18 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.11

Via RHSA-2019:2818 https://access.redhat.com/errata/RHSA-2019:2818

Comment 11 Product Security DevOps Team 2019-09-24 00:45:39 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-14819