Bug 1131680 - (CVE-2014-3602) CVE-2014-3602 OpenShift: /proc/net/tcp information disclosure
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Target Release: ---
Assigned To: Red Hat Product Security
Whiteboard: impact=low,public=20140819,reported=2...
Keywords: Security
Duplicates: 817596
Depends On: 1131804 1151561 1165395
Blocks: 1024531 767033 1131681 1148171
Reported: 2014-08-19 15:49 EDT by Kurt Seifried
Modified: 2015-07-27 09:27 EDT
CC: 18 users

Doc Type: Bug Fix
Doc Text:
It was found that OpenShift Enterprise did not restrict access to the /proc/net/tcp file in gears, which allowed local users to view all listening connections and connected sockets. This could result in remote systems' IP addresses or port numbers in use being exposed, which may be useful for further targeted attacks.
Last Closed: 2015-01-16 23:38:05 EST
External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2014:1796 normal SHIPPED_LIVE Moderate: Red Hat OpenShift Enterprise 2.2 Release Advisory 2014-11-03 19:52:02 EST
Red Hat Product Errata RHSA-2014:1906 normal SHIPPED_LIVE Moderate: Red Hat OpenShift Enterprise 2.1.9 security, bug fix, and enhancement update 2014-11-25 18:19:05 EST
Description Kurt Seifried 2014-08-19 15:49:43 EDT
OpenShift fails to restrict access to /proc/net/tcp, which allows local users to view all listening connections and connected sockets. This can result in remote systems' IP/port numbers in use being exposed, which may be useful for further targeted attacks. Please note that for local listeners OpenShift restricts connections to within the cartridge by default, so even with knowledge of the local port and IP the attacker will not be able to connect.
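To make the disclosure concrete, the following is an added example (not code from this bug report or from the OpenShift project) that decodes /proc/net/tcp the way any unprivileged user inside a gear could before the fix, and separates what belongs to other users into their local listeners and the remote peers of their live connections. The sample table is constructed, not captured from a real node; the uids 1001-1003 standing in for three gears, the addresses and ports, and the function names are all assumptions. The readability check at the end is meant to be run from inside a gear after updating.

```python
"""Decode /proc/net/tcp as an unprivileged gear user could before the fix.
Added example for the bug above; not OpenShift project code."""
import socket
import struct
from typing import Dict, List, Set, Tuple

# Kernel TCP socket states as /proc/net/tcp prints them (hex, from include/net/tcp_states.h).
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}

Endpoint = Tuple[str, int]


def decode_endpoint(hexaddr: str) -> Endpoint:
    """'0100007F:1F90' -> ('127.0.0.1', 8080).

    The kernel prints the socket's network-order address as a host-order
    integer, so the hex looks byte-reversed on x86.  Packing it back in
    native order ("=I") recovers the network-order bytes on either endianness.
    """
    ip_hex, port_hex = hexaddr.split(":")
    return socket.inet_ntoa(struct.pack("=I", int(ip_hex, 16))), int(port_hex, 16)


def parse_proc_net_tcp(text: str) -> List[Dict]:
    """Parse the /proc/net/tcp table into dicts; the header line is skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        # Data rows start with a slot number such as "0:"; the header starts with "sl".
        if len(fields) < 10 or not fields[0].endswith(":"):
            continue
        entries.append({
            "local": decode_endpoint(fields[1]),
            "remote": decode_endpoint(fields[2]),
            "state": TCP_STATES.get(fields[3], fields[3]),
            "uid": int(fields[7]),
            "inode": int(fields[9]),
        })
    return entries


def foreign_sockets(entries: List[Dict], my_uid: int) -> Tuple[Set[Endpoint], Set[Endpoint]]:
    """What a gear user learns about other gears: their local listeners and the
    remote peers of their established connections.  Own sockets are filtered out."""
    listeners: Set[Endpoint] = set()
    peers: Set[Endpoint] = set()
    for e in entries:
        if e["uid"] == my_uid:
            continue
        if e["state"] == "LISTEN":
            listeners.add(e["local"])
        elif e["remote"] != ("0.0.0.0", 0):
            peers.add(e["remote"])
    return listeners, peers


def proc_net_tcp_readable(path: str = "/proc/net/tcp") -> bool:
    """Check to run from inside a gear: True means the table can still be read
    from that context (assumption: a fixed node denies or hides it)."""
    try:
        with open(path) as fh:
            fh.readline()
        return True
    except OSError:
        return False


# Constructed sample, not captured from a real node.  uids 1001-1003 stand in
# for three gears; 10.10.11.12:3306 and 192.168.200.50:443 are invented peers.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1001        0 40001 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1002        0 40002 1 0000000000000000 100 0 0 10 0
   2: 1400000A:C8F2 0C0B0A0A:0CEA 01 00000000:00000000 00:00000000 00000000  1002        0 40003 1 0000000000000000 20 4 30 10 -1
   3: 1400000A:D7E8 32C8A8C0:01BB 01 00000000:00000000 02:00000A3C 00000000  1003        0 40004 1 0000000000000000 20 4 30 10 -1
"""

if __name__ == "__main__":
    listeners, peers = foreign_sockets(parse_proc_net_tcp(SAMPLE), my_uid=1001)
    print("other gears' listeners:", sorted(listeners))
    print("other gears' remote peers:", sorted(peers))
    print("/proc/net/tcp readable here:", proc_net_tcp_readable())
```

Run as uid 1001 against the sample, the script reports the other gears' listener 127.0.0.1:3306 (which, as the report notes, the attacker cannot connect to) and the peers 10.10.11.12:3306 and 192.168.200.50:443, which is exactly the remote IP/port information the bug is about. When checking a node, apply the same reasoning to /proc/net/tcp6 and /proc/net/udp, which expose the same fields for IPv6 and UDP sockets, and remember that netstat reads these files rather than anything privileged, so removing the tool from a gear is not a mitigation.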
Comment 4 Kurt Seifried 2014-08-20 12:41:48 EDT
*** Bug 817596 has been marked as a duplicate of this bug. ***
Comment 5 Kurt Seifried 2014-09-29 17:46:00 EDT
*** Bug 1147598 has been marked as a duplicate of this bug. ***
Comment 10 errata-xmlrpc 2014-11-03 14:54:46 EST
This issue has been addressed in the following products:

  RHEL 6 Version of OpenShift Enterprise 2.2

Via RHSA-2014:1796 https://rhn.redhat.com/errata/RHSA-2014-1796.html
Comment 14 Martin Prpič 2014-11-19 05:27:52 EST
IssueDescription:

It was found that OpenShift Enterprise did not restrict access to the /proc/net/tcp file in gears, which allowed local users to view all listening connections and connected sockets. This could result in remote systems' IP addresses or port numbers in use being exposed, which may be useful for further targeted attacks.
Comment 15 errata-xmlrpc 2014-11-25 13:19:29 EST
This issue has been addressed in the following products:

  RHEL 6 Version of OpenShift Enterprise 2.1

Via RHSA-2014:1906 https://rhn.redhat.com/errata/RHSA-2014-1906.html