It was found that the log viewer for a pod doesn't properly handle terminal escape characters and automatic generation of clickable links from output, leading to an XSS vulnerability.
Name: Jeandre Le Roux (LSD Information Technology)
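As an added illustration of the defect class described above (this is example code, not code from ansi_up or the OpenShift web console), a log-line renderer that escapes HTML before interpreting ANSI colour codes and only linkifies http(s) URLs, so that neither escape sequences nor "links" in pod output can inject markup. The colour table, regexes and sample line are constructed for the example.

```javascript
// Constructed example: render one line of pod log output as safe HTML.
const SGR = /\x1b\[([0-9;]*)m/g;             // Select Graphic Rendition (colour) sequences
const OTHER_ESC = /\x1b\[[0-9;?]*[A-Za-z]/g;   // any other CSI sequence: dropped, never rendered
const URL = /https?:\/\/[^\s<>"']+/g;          // only http/https are linkified, no other schemes
const COLOURS = { 31: 'red', 32: 'green', 33: 'yellow', 34: 'blue' }; // constructed subset

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// Escape a plain-text segment, then wrap URLs in anchors built from the escaped text,
// so linkification never sees (or re-introduces) raw markup from the log.
function linkifyEscaped(text) {
  let out = '';
  let last = 0;
  for (const m of text.matchAll(URL)) {
    out += escapeHtml(text.slice(last, m.index));
    const url = escapeHtml(m[0]);
    out += `<a href="${url}" rel="noopener noreferrer">${url}</a>`;
    last = m.index + m[0].length;
  }
  return out + escapeHtml(text.slice(last));
}

function renderLogLine(line) {
  // split() with a capturing group yields [text, code, text, code, ..., text]
  const parts = line.split(SGR);
  let html = '';
  let open = false;
  for (let i = 0; i < parts.length; i++) {
    if (i % 2 === 0) {                                   // plain text between SGR codes
      html += linkifyEscaped(parts[i].replace(OTHER_ESC, ''));
      continue;
    }
    const colour = COLOURS[parts[i].split(';').pop()];   // last parameter, e.g. "1;31" -> 31
    if (open) { html += '</span>'; open = false; }       // any new code closes the previous span
    if (colour) { html += `<span style="color:${colour}">`; open = true; }
    // reset (0 / empty) and unknown parameters produce no markup at all
  }
  return open ? html + '</span>' : html;                 // never leave a span dangling
}

// Constructed hostile log line: colour codes, literal markup and a URL with an ampersand.
console.log(renderLogLine('ok \x1b[32mGET\x1b[0m <script>x</script> https://example.com/a?b=1&c=2'));
```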
Could you also share the reproducer with me as well so QE could verify the fix?
Cancelling the request because I've got the reproducer from xiaoli
Hello - Friendly nudge on this. Is there a timeline for when this CVE will be patched?
(In reply to Shawn Wells from comment #15)
> Hello - Friendly nudge on this. Is there a timeline for when this CVE will
> be patched?
Context: Customer is doing a security evaluation of OpenShift and we're getting dinged on OpenShift having known XSS vulnerabilities that have remained unpatched for several months. Red Hat's ability to provide security patches for products is being challenged.
This issue has been fixed in:
- 3.9 https://access.redhat.com/errata/RHBA-2018:1566
- 3.7 https://access.redhat.com/errata/RHBA-2018:1576
- 3.6 https://access.redhat.com/errata/RHBA-2018:1579
- 3.4 https://access.redhat.com/errata/RHBA-2018:1236
Unfortunately those errata were not done as security errata so the CVE page has not been automatically updated with the links.
Thanks for the fast responses everyone! Immediate needs were addressed.
Since errata was issued for this BZ, how do we get it closed? Currently shows as a public (known) vulnerability for OpenShift. Thanks to Jason's comments we can now point to security errata though!
We apologize for the confusion around this bug and we've taken steps to avoid it in the future. If there's anything needed from us to update the CVE page just let us know.
Currently NIST shows this CVE as having no patches from Red Hat:
The NIST page does point back to this BZ so truly interested parties can read the discussion and get the errata links. However, because NIST shows no patches as being released, customers are still getting vulnerability reports showing OpenShift was never patched / is currently vulnerable. This means each OpenShift deployment that's being scanned with tools like Tenable Security Center has to track this down.
I think there are two questions:
- How do we get the NIST webpage updated to reflect patches were released?
- How do we get Red Hat's CVE page updated to reflect patches were released?
Is 3.2 affected by this, too?
It was decided that OCP 3.2 was not affected because this is actually a problem in ansi_up, not in the openshift code itself.
ansi_up was added to OpenShift web console in 3.2, so 3.2 is affected.