Bug 964013 (CVE-2013-2103)

Summary: CVE-2013-2103 OpenShift cartridge: remote URL retrieval
Product: [Other] Security Response Reporter: Kurt Seifried <kseifried>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: bleanhar, ccoleman, dmcphers, jdetiber, jechoi, jhonce, jialiu, khong, lmeyer, mmcgrath, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-06-25 07:51:04 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 963607, 964015, 964016    
Bug Blocks: 964014    

Description Kurt Seifried 2013-05-17 04:28:53 UTC 
Jeremy Choi (jechoi) reports:

Requests to the /broker/rest/domains/dom/applications OpenShift components 
include a URL that points to a cartridge file to be loaded. Requests are not
restricted and can be sent to any host, also no rate limiting is placed on the
number or rate of requests. This can be used to download a large amount of 
information or to potentially bypass firewall rules as the requests would
originate from the OpenShift server.
Comment 3 Kurt Seifried 2014-06-25 07:51:04 UTC 
Statement:

Red Hat OpenShift Enterprise 1.2 is now in Production 1 Phase of the support
and maintenance life cycle. This has been rated as having Moderate security
impact and is not currently planned to be addressed in future updates. For
additional information, refer to the Red Hat OpenShift Enterprise Life Cycle:
https://access.redhat.com/site/support/policy/updates/openshift.