Jeremy Choi (jechoi) reports:
Requests to the /broker/rest/domains/dom/applications OpenShift components
include a URL that points to a cartridge file to be loaded. Requests are not
restricted and can be sent to any host, and no rate limiting is placed on the
number or rate of requests. This can be used to download a large amount of
information or to potentially bypass firewall rules, as the requests would
originate from the OpenShift server.
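The two weaknesses in the report above (an unrestricted destination host and no rate limit) are the ones a broker-side fix would have to close. The following is an added illustration, not OpenShift's own code: a cartridge-URL validator that only accepts https URLs whose hostname is on an operator-maintained allowlist (rejecting literal IP addresses outright), plus a sliding-window limiter keyed by requester. The allowlist entries and limits are constructed values.

```ruby
require 'uri'
require 'ipaddr'

# Hypothetical allowlist of hosts a broker may fetch cartridges from (constructed).
CARTRIDGE_HOST_ALLOWLIST = %w[cartridges.example.com mirror.example.org].freeze

# True when +host+ is a literal IPv4/IPv6 address rather than a DNS name.
def literal_ip?(host)
  IPAddr.new(host)
  true
rescue IPAddr::InvalidAddressError
  false
end

# Returns [true, nil] when the URL may be fetched, or [false, reason] otherwise.
# Literal IPs are refused so that internal ranges cannot be named directly;
# the allowlist then decides which DNS names are acceptable at all.
def validate_cartridge_url(url)
  uri = URI.parse(url)
  return [false, 'scheme must be https'] unless uri.is_a?(URI::HTTPS)
  host = uri.hostname.to_s.downcase # hostname strips IPv6 brackets
  return [false, 'missing host'] if host.empty?
  return [false, 'literal IP addresses are not allowed'] if literal_ip?(host)
  return [false, 'host not on allowlist'] unless CARTRIDGE_HOST_ALLOWLIST.include?(host)
  [true, nil]
rescue URI::InvalidURIError
  [false, 'malformed URL']
end

# Sliding-window limiter: at most +max_requests+ fetches per requester per window.
class CartridgeFetchLimiter
  def initialize(max_requests:, window_seconds:)
    @max = max_requests
    @window = window_seconds
    @hits = Hash.new { |h, k| h[k] = [] }
  end

  # Returns true if the request is allowed; false once the requester exceeds the limit.
  # +now+ is injectable so the behaviour can be checked deterministically.
  def allow?(requester, now = Time.now.to_f)
    recent = @hits[requester]
    recent.reject! { |t| t <= now - @window } # drop hits outside the window
    return false if recent.size >= @max
    recent << now
    true
  end
end
```

The checks run before any outbound connection is opened, so a rejected URL never produces a request from the broker; resolving the allowed hostname and re-checking the resulting address at connect time would be the next layer.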
Statement:
Red Hat OpenShift Enterprise 1.2 is now in Production 1 Phase of the support
and maintenance life cycle. This has been rated as having Moderate security
impact and is not currently planned to be addressed in future updates. For
additional information, refer to the Red Hat OpenShift Enterprise Life Cycle:
https://access.redhat.com/site/support/policy/updates/openshift.