Bug 2181765 (CVE-2023-1636)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | CVE-2023-1636 openstack-barbican: incomplete container isolation | | |
| Product | [Other] Security Response | Reporter | Nick Tait <ntait> |
| Component | vulnerability | Assignee | Nobody <nobody> |
| Status | NEW --- | QA Contact | |
| Severity | medium | Docs Contact | |
| Priority | medium | | |
| Version | unspecified | CC | alee, carnil, dmendiza, dwilde, eglynn, ggrasza, jjoyce, jjung, jschluet, lhh, lsvaty, mburns, mgarciac, pgrist, spower, ytale |
| Target Milestone | --- | Keywords | Security |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | If docs needed, set a value |
| Doc Text | A vulnerability was found in OpenStack Barbican containers. This vulnerability is only applicable to deployments that utilize an all-in-one configuration. Barbican containers share the same CGROUP, USER, and NET namespaces with the host system and other OpenStack services. If any service is compromised, it could gain access to the data transmitted to and from Barbican. | | |
| Story Points | --- | | |
| Clone Of | | Environment | |
| Last Closed | | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | 2188735, 2183651, 2183652, 2183653, 2183654 | | |
| Bug Blocks | 2170395 | | |
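The Doc Text describes the flaw as Barbican containers sharing the host's cgroup, user and net namespaces. The following is an added check, not code from the advisory or the Barbican project, that a deployer can run on the host to verify that a service process is actually isolated: it compares the namespace inodes under /proc/<pid>/ns/ with those of PID 1, and an identical inode means the namespace is shared. It assumes the script runs on the host with read access to /proc/<pid>/ns/; the sample link targets embedded below are constructed, not taken from a real system.

```python
import os
from typing import Dict, Iterable, List

# The three namespace kinds the advisory says Barbican containers share with the host.
NS_KINDS = ("cgroup", "user", "net")


def read_ns_links(pid: int, kinds: Iterable[str] = NS_KINDS) -> Dict[str, str]:
    """Map namespace kind -> link target such as 'net:[4026531992]' for one process.

    Entries that cannot be read (no permission, kernel without that ns type) are omitted.
    """
    links: Dict[str, str] = {}
    for kind in kinds:
        try:
            links[kind] = os.readlink(f"/proc/{pid}/ns/{kind}")
        except OSError:
            continue
    return links


def shared_namespaces(a: Dict[str, str], b: Dict[str, str]) -> List[str]:
    """Kinds whose namespace inode is identical in both maps, i.e. not isolated."""
    return [kind for kind, target in a.items() if b.get(kind) == target]


def isolation_report(pid: int, host_pid: int = 1) -> Dict[str, bool]:
    """For each kind readable on both sides, True means pid shares it with host_pid."""
    mine, host = read_ns_links(pid), read_ns_links(host_pid)
    shared = set(shared_namespaces(mine, host))
    return {kind: kind in shared for kind in mine if kind in host}


# Constructed sample link targets (hypothetical inode numbers) contrasting a
# properly isolated container with the all-in-one case the advisory describes.
HOST_NS = {"cgroup": "cgroup:[4026531835]", "user": "user:[4026531837]", "net": "net:[4026531992]"}
ISOLATED_NS = {"cgroup": "cgroup:[4026532421]", "user": "user:[4026532422]", "net": "net:[4026532425]"}
ALL_IN_ONE_NS = dict(HOST_NS)  # every namespace identical to the host's


if __name__ == "__main__":
    print("constructed, isolated:", shared_namespaces(ISOLATED_NS, HOST_NS))
    print("constructed, all-in-one:", shared_namespaces(ALL_IN_ONE_NS, HOST_NS))
    # On a real host, pass the PID of the barbican process instead of this one.
    print("this process vs PID 1:", isolation_report(os.getpid()))
```

A service whose report shows True for `net` can observe traffic of every other service in that namespace, which is the exposure the Doc Text describes.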
Description
Nick Tait 2023-03-25 18:22:06 UTC

Created openstack-barbican tracking bugs for this issue:

Affects: openstack-rdo [bug 2188735]

Hi

(In reply to Nick Tait from comment #0)
> A container isolation flaw was discovered in Red Hat OpenStack, allowing an
> attacker with limited authentication and access to Barbican containers to
> potentially access other OpenStack containers and services. This is possible
> as they share common CGROUP and namespace.

I'm trying to evaluate/triage this CVE (CVE-2023-1636) in the context of a downstream distribution, and this bugzilla entry was the only reference associated. The above only gives little information; is this a barbican upstream issue? Is it reported upstream, and is there a respective fix available? Can you please provide more information on the issue?

Thanks already in advance,

Regards,
Salvatore