Bug 1291963 - (CVE-2015-7561) CVE-2015-7561 OpenShift3: Private Docker images can be used by any user, once they are pulled to a node
CVE-2015-7561 OpenShift3: Private Docker images can be used by any user, once...
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
: Security
Depends On: 1288094
Blocks: 1291965
  Show dependency treegraph
Reported: 2015-12-15 23:50 EST by Kurt Seifried
Modified: 2016-11-01 19:52 EDT (History)
11 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2016-11-01 19:52:16 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Kurt Seifried 2015-12-15 23:50:57 EST
Miheer Salunke of Red Hat reports:

When a private image is pulled to a node any other user on the node can use 
this private image if they know the name of the image. It should be noted that 
the image name typically includes a SHA hash in the value making it difficult
to guess.
Comment 1 Trevor Jay 2016-09-06 19:54:43 EDT

Doing some follow-up, can you (or anyone really) point me at a commit for this?

Comment 2 Andy Goldstein 2016-11-01 15:05:25 EDT
Kube PR for AlwaysPullImages admission controller: https://github.com/kubernetes/kubernetes/pull/18909

Kube Docs: http://kubernetes.io/docs/admin/admission-controllers/#alwayspullimages

Example showing how to enable it in OpenShift config: https://docs.openshift.com/container-platform/3.3/architecture/additional_concepts/admission_controllers.html

Note You need to log in before you can comment on or make changes to this bug.