Red Hat Bugzilla – Bug 1316267
CVE-2016-2149 OpenShift Enterprise 3: logs from a deleted namespace can be revealed if a new namespace with the same name is created
Last modified: 2016-05-12 12:45:32 EDT
Wesley Hearn of Red Hat reports:
Description of problem:
Users are able to access logs of a deleted namespace if it is recreated with the same name, regardless of whether they were the previous owner.
Steps to Reproduce:
1. User A creates a namespace and populates logs
2. User A deletes namespace
3. User B creates a new namespace with the same name
User B can access logs from User A's namespace.
User B should be restricted to logs generated from the pods he created in his new namespace.
Name: Wesley Hearn (Red Hat)
This issue has been addressed in the following products:
Red Hat OpenShift Enterprise 3.2
Via RHSA-2016:1064 https://access.redhat.com/errata/RHSA-2016:1064
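The name-reuse flaw from the steps to reproduce, as an added example that is not part of the bug report or of OpenShift's code: a toy log store whose records outlive their namespace, read once through a filter on the namespace name and once through a filter on the UID assigned at creation. The `LogCluster` class, its methods, and the log lines are hypothetical; this page does not say how the affected logging stack stored or filtered logs, so the model is an assumption.

```python
from dataclasses import dataclass, field
from itertools import count


@dataclass
class LogCluster:
    """Toy model: log records outlive the namespace that produced them."""
    live: dict = field(default_factory=dict)      # name -> (uid, owner)
    records: list = field(default_factory=list)   # (ns_name, ns_uid, message)
    _uids: count = field(default_factory=lambda: count(1))

    def create_namespace(self, name, owner):
        if name in self.live:
            raise ValueError(f"namespace {name!r} already exists")
        # A fresh UID per creation, so a recreated name is a distinct object.
        self.live[name] = (f"uid-{next(self._uids)}", owner)

    def delete_namespace(self, name, owner):
        if self.live[name][1] != owner:
            raise PermissionError(owner)
        del self.live[name]  # the namespace goes away, its log records stay

    def emit(self, name, message):
        uid, _owner = self.live[name]
        self.records.append((name, uid, message))

    def _authorize(self, name, user):
        uid, owner = self.live[name]
        if owner != user:
            raise PermissionError(user)
        return uid

    def read_by_name(self, name, user):
        """Weak filter: matches on the namespace name only."""
        self._authorize(name, user)
        return [m for n, _u, m in self.records if n == name]

    def read_by_uid(self, name, user):
        """Stricter filter: matches the UID of the namespace that exists now."""
        uid = self._authorize(name, user)
        return [m for n, u, m in self.records if n == name and u == uid]


def reproduce():
    """Replays steps 1-3; returns (name_view, uid_view) as seen by user B."""
    c = LogCluster()
    c.create_namespace("shop", "userA")              # step 1
    c.emit("shop", "userA: order service started")   # constructed log line
    c.delete_namespace("shop", "userA")              # step 2
    c.create_namespace("shop", "userB")              # step 3
    c.emit("shop", "userB: pod started")             # constructed log line
    return c.read_by_name("shop", "userB"), c.read_by_uid("shop", "userB")
```

Both reads pass the same ownership check for the live namespace; only the record filter differs, which is why an audit of log access should look at what identifies a namespace in stored records and not only at who may query it.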