Bug 2181765 (CVE-2023-1636)

Summary: CVE-2023-1636 openstack-barbican: incomplete container isolation
Product: [Other] Security Response Reporter: Nick Tait <ntait>
Component: vulnerabilityAssignee: Nobody <nobody>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: alee, carnil, dmendiza, dwilde, eglynn, ggrasza, jjoyce, jjung, jschluet, lhh, lsvaty, mburns, mgarciac, pgrist, spower, ytale
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in OpenStack Barbican containers. This vulnerability is only applicable to deployments that utilize an all-in-one configuration. Barbican containers share the same CGROUP, USER, and NET namespace with the host system and other OpenStack services. If any service is compromised, it could gain access to the data transmitted to and from Barbican.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2188735, 2183651, 2183652, 2183653, 2183654    
Bug Blocks: 2170395    

Description Nick Tait 2023-03-25 18:22:06 UTC 
A container isolation flaw was discovered in Red Hat OpenStack, allowing an attacker with limited authentication and access to Barbican containers to potentially access other OpenStack containers and services. This is possible as they share common CGROUP and namespace.
Comment 5 Nick Tait 2023-04-21 22:50:05 UTC 
Created openstack-barbican tracking bugs for this issue:

Affects: openstack-rdo [bug 2188735]
Comment 6 Salvatore Bonaccorso 2023-04-24 19:32:57 UTC 
Hi

(In reply to Nick Tait from comment #0)
> A container isolation flaw was discovered in Red Hat OpenStack, allowing an
> attacker with limited authentication and access to Barbican containers to
> potentially access other OpenStack containers and services. This is possible
> as they share common CGROUP and namespace.

I'm trying to  evaluate/triage this CVE (CVE-2023-1636) in context of a downstream distribution and this bugzilla entry was the only  reference associated.  The above
does only give little information, is this a barbican upstream issue? Is it reported
upstream and is there a respective fix available?

Can you please provide more information on the issue?

Thanks already in advance,

Regards,
Salvatore