This service will be undergoing maintenance at 00:00 UTC, 2017-10-23 It is expected to last about 30 minutes
Bug 1255536 - OpenShift3: SecurityContextConstraints name reuse leading to privilege escalation
OpenShift3: SecurityContextConstraints name reuse leading to privilege escala...
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20150820,repor...
: Security
Depends On: 1255338
Blocks: 1255539
  Show dependency treegraph
 
Reported: 2015-08-20 16:44 EDT by Kurt Seifried
Modified: 2016-11-08 11:28 EST (History)
11 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-09-10 14:17:58 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Kurt Seifried 2015-08-20 16:44:03 EDT
Aleksandar Kostadinov of Red Hat reports:

In OpenShift v3 you can create a SCC (SecurityContextConstraints) to allow 
privileged docker containers in a project. If that project is later deleted the 
SCC is left in the system and is not deleted. If another project is then created
with the same name as the original project the exisitng privileged SCC will be 
applied to it.
Comment 1 Paul Weil 2015-09-10 14:16:19 EDT
This is operating as expected.  It is up to the administrator to manage the SCC.  They may choose to make entries in the SCC for users, groups, or service accounts that may or may not exist at the time.  Cleaning unknown references would prevent that workflow.

Currently, administrators may also exercise more control over this by not allowing project administrators to delete projects.

Created a card to add an optional finalizer as an enhancement: https://trello.com/c/KicH8TSC/513-scc-optional-finalizer
Comment 2 Adam Mariš 2015-09-14 04:30:14 EDT
CVE was rejected.

Note You need to log in before you can comment on or make changes to this bug.