Bug 1921450 (CVE-2021-3344)

Summary: CVE-2021-3344 openshift/builder: privilege escalation during container image builds via mounted secrets
Product: [Other] Security Response Reporter: Sam Fowler <sfowler>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: adam.kaplan, admiller, aos-bugs, bmontgom, bparees, ccoleman, dramseur, eparis, gmontero, jburrell, jcajka, jhunter, jminter, jokerman, kmitts, mgala, mjudeiki, nalin, nstielau, security-response-team, sfowler, sponnaga
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: github.com/openshift/builder v0.0.0-20210125201112-7901cb396121 Doc Type: If docs needed, set a value
Doc Text:
A privilege escalation flaw was found in OpenShift builder. During build time, credentials outside the build context are automatically mounted into the container image under construction. An OpenShift user, able to execute code during build time inside this container can re-use the credentials to overwrite arbitrary container images in internal registries and/or escalate their privileges. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-02-08 14:41:55 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1916897, 1920626, 1921965, 1921966, 1951569    
Bug Blocks: 1921172, 1922165    

Description Sam Fowler 2021-01-28 02:18:27 UTC 
In OpenShift Container Platform 4, a privilege escalation path exists in Builds via the re-use of credentials mounted into /run/secrets. An OpenShift user able to execute code in a build container can re-use the credentials to overwrite arbitrary container images in internal registries and potentially execute arbitrary code.
Comment 12 Sam Fowler 2021-02-04 06:17:40 UTC 
Upstream fix:

https://github.com/openshift/builder/pull/206
Comment 14 errata-xmlrpc 2021-02-08 13:50:41 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.6

Via RHSA-2021:0308 https://access.redhat.com/errata/RHSA-2021:0308
Comment 15 Product Security DevOps Team 2021-02-08 14:41:55 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3344
Comment 16 Sam Fowler 2021-02-10 01:31:52 UTC 
Mitigation:

The affected build strategies include docker, source and custom builds, hence these can be disabled as per the documentation[1]. This does however, exclude the Jenkins build strategy as it is not affected and does not have to be disabled. 

[1] https://docs.openshift.com/container-platform/4.6/builds/securing-builds-by-strategy.html

On clusters where builds are allowed only grant permissions to perform builds to users who you wish to be to able to view, modify and edit all cluster resources.
Comment 17 errata-xmlrpc 2021-03-03 04:40:30 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.5

Via RHSA-2021:0428 https://access.redhat.com/errata/RHSA-2021:0428