Bug 1443003 (CVE-2017-7534) - CVE-2017-7534 openshift: XSS in log viewer for a pod
Status: CLOSED CURRENTRELEASE
Alias: CVE-2017-7534
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assignee: Red Hat Product Security
Depends On: 1470437 1470438 1470439 1470440 1565709 1575101 1575102 1575103 1575104
Blocks: 1443004
Reported: 2017-04-18 09:24 UTC by Adam Mariš
Modified: 2019-09-29 14:09 UTC

Doc Text:
OpenShift Enterprise is vulnerable to a stored XSS via the log viewer for pods. The flaw is due to a lack of sanitization of user input, specifically terminal escape characters, and the automatic creation of clickable links when viewing the log files for a pod.
Last Closed: 2018-07-19 18:30:55 UTC



Description Adam Mariš 2017-04-18 09:24:03 UTC
It was found that the log viewer for a pod doesn't properly handle terminal escape characters and automatic generation of clickable links from output, leading to an XSS vulnerability.
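
A rendering order that keeps log content from becoming markup, as an added example that is not OpenShift's or ansi_up's code: escape the raw text first, map only an allowlisted set of SGR colour codes to fixed CSS classes, and turn only http(s) URLs into links. The function names and CSS class names are hypothetical, and the sample inputs in the usage are constructed.

```javascript
// Added example: render one untrusted log line as HTML for a web log viewer.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const escapeHtml = (s) => s.replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);

// Allowlist: SGR parameter -> fixed CSS class (hypothetical class names).
// Nothing taken from the log is ever copied into an attribute name or tag.
const SGR_CLASSES = { 1: 'ansi-bold', 31: 'ansi-red', 32: 'ansi-green', 33: 'ansi-yellow', 34: 'ansi-blue' };

// CSI sequence: ESC [ parameters, optional intermediates, one final byte.
const CSI = /\x1b\[([0-9;]*)[ -\/]*([@-~])/g;
// Only http(s); the match stops at whitespace, quotes, angle brackets, controls.
const HTTP_URL = /\bhttps?:\/\/[^\s<>"'\x00-\x1f\x7f]+/g;

// Escape everything; the only markup emitted is the <a> built here.
function linkifyEscaped(text) {
  let out = '', last = 0;
  for (const m of text.matchAll(HTTP_URL)) {
    out += escapeHtml(text.slice(last, m.index));
    const u = escapeHtml(m[0]); // escaped for both the attribute and the label
    out += `<a href="${u}" rel="noopener noreferrer" target="_blank">${u}</a>`;
    last = m.index + m[0].length;
  }
  return out + escapeHtml(text.slice(last));
}

function renderLogLine(line) {
  let html = '', last = 0, open = false;
  // Drop leftover control bytes (lone ESC, BEL, ...) but keep tab and newline.
  const emit = (text) => {
    html += linkifyEscaped(text.replace(/[\x00-\x08\x0b-\x1f\x7f]/g, ''));
  };
  for (const m of line.matchAll(CSI)) {
    emit(line.slice(last, m.index));
    last = m.index + m[0].length;
    if (m[2] !== 'm') continue; // cursor movement, erase, etc.: discard
    if (open) { html += '</span>'; open = false; }
    const classes = m[1].split(';').map((p) => SGR_CLASSES[Number(p)]).filter(Boolean);
    if (classes.length) { html += `<span class="${classes.join(' ')}">`; open = true; }
  }
  emit(line.slice(last));
  return open ? html + '</span>' : html; // never leave a span unclosed
}

// Usage with a constructed log line:
console.log(renderLogLine('\x1b[31m<b>failed</b>\x1b[0m see https://example.com/a?b=1&c=2'));
```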

Comment 1 Adam Mariš 2017-04-18 09:24:12 UTC
Acknowledgments:

Name: Jeandre Le Roux (LSD Information Technology)

Comment 12 Yadan Pei 2018-04-17 01:49:30 UTC
Could you also share the reproducer with me as well so QE could verify the fix?

Comment 13 Yadan Pei 2018-04-17 02:36:14 UTC
Cancelling the request because I've got the reproducer from xiaoli

Comment 15 Shawn Wells 2018-07-10 23:09:35 UTC
Hello - Friendly nudge on this. Is there a timeline for when this CVE will be patched?

Comment 16 Shawn Wells 2018-07-10 23:11:24 UTC
(In reply to Shawn Wells from comment #15)
> Hello - Friendly nudge on this. Is there a timeline for when this CVE will
> be patched?

Context: Customer is doing a security evaluation of OpenShift and we're getting dinged on OpenShift having known XSS vulnerabilities that have remained unpatched for several months. Red Hat's ability to provide security patches for products is being challenged.

Comment 20 Jason Shepherd 2018-07-11 23:45:10 UTC
This issue has been fixed in:
- 3.9 https://access.redhat.com/errata/RHBA-2018:1566
- 3.7 https://access.redhat.com/errata/RHBA-2018:1576
- 3.6 https://access.redhat.com/errata/RHBA-2018:1579
- 3.4 https://access.redhat.com/errata/RHBA-2018:1236

Unfortunately those errata were not done as security errata so the CVE page has not been automatically updated with the links.

Comment 21 Shawn Wells 2018-07-19 03:49:23 UTC
Thanks for the fast responses everyone! Immediate needs were addressed.

Since errata was issued for this BZ, how do we get it closed? Currently shows as a public (known) vulnerability for OpenShift. Thanks to Jason's comments we can now point to security errata though!

Comment 22 Brenton Leanhardt 2018-07-19 18:30:55 UTC
We apologize for the confusion around this bug and we've taken steps to avoid it in the future. If there's anything needed from us to update the CVE page just let us know.

Comment 23 Shawn Wells 2018-07-19 18:36:38 UTC
Currently NIST shows this CVE as having no patches from Red Hat:
https://nvd.nist.gov/vuln/detail/CVE-2017-7534

The NIST page does point back to this BZ so truly interested parties can read the discussion and get the errata links. However, because NIST shows no patches as being released, customers are still getting vulnerability reports showing OpenShift was never patched/currently is vulnerable. This means each OpenShift deployment that's being scanned with tools like Tenable Security Center has to track this down.

I think there are two questions:
- How do we get the NIST webpage updated to reflect patches were released?
- How do we get Red Hat's CVE page [0] updated to reflect patches were released?

[0] https://access.redhat.com/security/cve/cve-2017-7534

Comment 24 Dominik Mierzejewski 2018-08-06 14:34:57 UTC
Is 3.2 affected by this, too?

Comment 25 Jason Shepherd 2018-08-07 00:58:47 UTC
It was decided that OCP 3.2 was not affected because this is actually a problem in ansi_up, not in the openshift code itself.

Comment 26 Samuel Padgett 2018-08-07 15:28:31 UTC
ansi_up was added to OpenShift web console in 3.2, so 3.2 is affected.

