It is reported that a command injection flaw exists in OpenShift's Broker API which can lead to arbitrary code execution within the OpenShift Broker. This issue can only be exploited by authenticated OpenShift users with access to connect to the broker (e.g. to start cartridge and gear instances). OpenShift version 3 is not affected.
This issue has been addressed in the following products:

  RHEL 6 Version of OpenShift Enterprise 2.2

Via RHSA-2015:1808 https://rhn.redhat.com/errata/RHSA-2015-1808.html