Bug 1291963 (CVE-2015-7561) - CVE-2015-7561 OpenShift3: Private Docker images can be used by any user, once they are pulled to a node
Summary: CVE-2015-7561 OpenShift3: Private Docker images can be used by any user, once...
Alias: CVE-2015-7561
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1288094
Blocks: 1291965
TreeView+ depends on / blocked
Reported: 2015-12-16 04:50 UTC by Kurt Seifried
Modified: 2019-09-29 13:40 UTC (History)
11 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2016-11-01 23:52:16 UTC

Attachments (Terms of Use)

Description Kurt Seifried 2015-12-16 04:50:57 UTC
Miheer Salunke of Red Hat reports:

When a private image is pulled to a node any other user on the node can use 
this private image if they know the name of the image. It should be noted that 
the image name typically includes a SHA hash in the value making it difficult
to guess.

Comment 1 Trevor Jay 2016-09-06 23:54:43 UTC

Doing some follow-up, can you (or anyone really) point me at a commit for this?


Comment 2 Andy Goldstein 2016-11-01 19:05:25 UTC
Kube PR for AlwaysPullImages admission controller: https://github.com/kubernetes/kubernetes/pull/18909

Kube Docs: http://kubernetes.io/docs/admin/admission-controllers/#alwayspullimages

Example showing how to enable it in OpenShift config: https://docs.openshift.com/container-platform/3.3/architecture/additional_concepts/admission_controllers.html

Note You need to log in before you can comment on or make changes to this bug.