Bug 1262518 - CVE-2015-5274 OpenShift 2.2: API command injection vulnerability
Product: Security Response
Classification: Other
Component: vulnerability
All Linux
Priority: high, Severity: high
Assigned To: Red Hat Product Security
: Security
Depends On: 1262519 1262520
Blocks: 1262521
Reported: 2015-09-12 00:34 EDT by Kurt Seifried
Modified: 2016-11-08 11:03 EST

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A command injection flaw was found in the OpenShift Origin Management Console. A remote, authenticated user permitted to send requests to the Broker could use this flaw to execute arbitrary commands with elevated privileges on the Red Hat OpenShift server.
Story Points: ---
Clone Of:
Last Closed: 2015-09-16 15:44:38 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Description Kurt Seifried 2015-09-12 00:34:12 EDT
It is reported that a command injection flaw exists in OpenShift's Broker API which can lead to arbitrary code execution within the OpenShift Broker. This issue can only be exploited by authenticated OpenShift users with access to connect to the broker (e.g. to start cartridge and gear instances). OpenShift version 3 is not affected.
Comment 3 errata-xmlrpc 2015-09-16 15:06:27 EDT
This issue has been addressed in the following products:

  RHEL 6 Version of OpenShift Enterprise 2.2

Via RHSA-2015:1808 https://rhn.redhat.com/errata/RHSA-2015-1808.html
