Jeremy Choi of Red Hat reports:

Attackers with normal user privilege are able to do OS command injection as *root* by leveraging a downloadable cartridge whose source-URL scheme is 'file'. In cartridge_repository.rb:

    532  when 'file' == uri.scheme
    533    entries = Dir.glob(PathUtils.join(uri.path, '*'), File::FNM_DOTMATCH)
    534    filesystem_copy(entries, target, %w(. ..))
    ...
    609  Utils.oo_spawn("/bin/cp -ad #{entries.join(' ')} #{target}",
    610                 expected_exitstatus: 0)

OpenShift Origin copies the directory structure from the user-specified cartridge when an application is created via a 'file' scheme source. Because of this, attackers are able to add an arbitrary directory whose name contains system commands (e.g. ;reboot;) to their apps and have it passed to cp, resulting in an OS command injection attack with root privileges.
Acknowledgements: This issue was discovered by Jeremy Choi of the Red Hat HSS Pen-test Team.
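The root cause in the report above is that directory entry names are interpolated into a single shell command string, so any shell metacharacter in a name is parsed as shell syntax rather than as part of a path. The following Ruby is an added illustration, not code from OpenShift Origin or from the report: it places the vulnerable string construction next to two hardened alternatives, quoting every argument with Shellwords, and calling cp in argv form so no shell is involved at all, combined with a check that every entry resolves to a path under the cartridge root. The temporary directory layout, the entry name "bin; echo injected" (a harmless stand-in for a name carrying metacharacters), and the function names are constructed for this example.

```ruby
require 'shellwords'
require 'fileutils'
require 'tmpdir'

# Vulnerable pattern (same shape as the report): entries are joined into one
# shell string. An entry named "bin; echo injected" is parsed by the shell as
# the end of the cp command followed by a second command. Returned as a
# string only, never executed here.
def vulnerable_command(entries, target)
  "/bin/cp -ad #{entries.join(' ')} #{target}"
end

# Hardened variant 1: if a shell string is unavoidable, quote each word so
# the shell treats every entry as exactly one argument.
def escaped_command(entries, target)
  ['/bin/cp', '-ad', *entries, target].shelljoin
end

# Hardened variant 2 (preferred): pass argv directly, so no shell ever sees
# the names, and refuse any entry that does not resolve under allowed_root
# (stops symlink or '..' tricks in the cartridge tree as well).
def safe_copy(entries, target, allowed_root)
  root = File.realpath(allowed_root)
  entries.each do |entry|
    real = File.realpath(entry)
    unless real.start_with?(root + File::SEPARATOR)
      raise ArgumentError, "entry outside cartridge root: #{entry}"
    end
  end
  system('/bin/cp', '-ad', *entries, target) or raise 'cp failed'
  true
end

# Builds a constructed cartridge directory containing a hostile-looking entry,
# copies it with safe_copy, and returns what each approach would have done.
def demo
  Dir.mktmpdir do |dir|
    src = File.join(dir, 'cart')
    dst = File.join(dir, 'target')
    FileUtils.mkdir_p(src)
    FileUtils.mkdir_p(dst)
    # Constructed entry name with shell metacharacters (benign payload).
    hostile = File.join(src, 'bin; echo injected')
    File.write(hostile, "#!/bin/sh\n")

    # Same glob as the report, with '.' and '..' filtered out.
    entries = Dir.glob(File.join(src, '*'), File::FNM_DOTMATCH)
                 .reject { |p| %w[. ..].include?(File.basename(p)) }

    safe_copy(entries, dst, src)
    {
      vulnerable: vulnerable_command(entries, dst), # would run two commands
      escaped:    escaped_command(entries, dst),    # one quoted argument
      copied:     Dir.children(dst)                 # argv form copied it intact
    }
  end
end

if $PROGRAM_NAME == __FILE__
  demo.each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

In the vulnerable string the entry name appears unquoted, so a shell would split it at the semicolon; in the escaped string the semicolon and spaces are backslash-escaped; and with the argv form cp receives the name as a single argument and copies the file under its literal name. The realpath check is independent of the quoting fix and is worth keeping in either variant.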
This issue has been addressed in the following products:

RHEL 6 Version of OpenShift Enterprise 2.0 via RHSA-2014:0529 https://rhn.redhat.com/errata/RHSA-2014-0529.html

RHEL 6 Version of OpenShift Enterprise 2.1 via RHSA-2014:0530 https://rhn.redhat.com/errata/RHSA-2014-0530.html