Bug 1566191 - (CVE-2017-15137) CVE-2017-15137 atomic-openshift: image import whitelist can be bypassed by creating an imagestream or using oc tag
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20180328,repor...
Keywords: Security
Depends On: 1505315 1566192 1619682
Blocks: 1513925
Reported: 2018-04-11 14:08 EDT by Kurt Seifried
Modified: 2018-08-21 09:21 EDT

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
The OpenShift image import whitelist failed to enforce its restrictions correctly for commands such as "oc tag". This could allow a user with access to OpenShift to run images from registries that should not have been allowed.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-04-11 14:22:30 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments: None
Description Kurt Seifried 2018-04-11 14:08:23 EDT
The image import whitelist is enforced when running "oc import-image someregistry.com/someimage"

but the whitelist is not enforced when running
"oc tag someregistry.com:foo some:tag"

nor is it enforced when directly creating an imagestream tag that references a non-whitelisted registry.
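As an added illustration (not code from this bug or from OpenShift itself) of the defensive point the report makes: a registry allowlist has to be applied to every tag an imagestream ends up with, not only on the import-image path. The Go program below validates each DockerImage tag reference against an allowlist, so a tag set by import-image, by "oc tag" or by creating the imagestream directly is checked the same way; the allowlist, the TagRef type and registryOf are constructed for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed allowlist of registries an imagestream tag may pull from.
var allowedRegistries = map[string]bool{"registry.access.redhat.com": true, "quay.io": true}

// registryOf returns the registry host of a Docker image reference: the first path
// component if it is "localhost" or contains '.' or ':', else the implicit docker.io.
func registryOf(ref string) string {
	i := strings.IndexByte(ref, '/')
	if i < 0 {
		return "docker.io" // no '/' at all, e.g. "nginx:1.25"
	}
	if first := ref[:i]; first == "localhost" || strings.ContainsAny(first, ".:") {
		return first
	}
	return "docker.io" // e.g. "library/nginx"
}

// TagRef is a constructed, simplified imagestream tag reference.
type TagRef struct {
	Name string // tag name, e.g. "latest"
	Kind string // "DockerImage" for external images, "ImageStreamTag" for internal ones
	Ref  string // image reference, e.g. "quay.io/org/app:1.0"
}

// ValidateImageStreamTags applies the allowlist to every DockerImage tag, so tags set by
// import-image, "oc tag" or a direct imagestream create are all checked the same way.
func ValidateImageStreamTags(tags []TagRef) []string {
	var violations []string
	for _, t := range tags {
		if t.Kind != "DockerImage" {
			continue // references to other imagestream tags never leave the cluster
		}
		if reg := registryOf(t.Ref); !allowedRegistries[reg] {
			violations = append(violations, fmt.Sprintf("tag %q references non-allowlisted registry %q", t.Name, reg))
		}
	}
	return violations
}

func main() {
	tags := []TagRef{{"good", "DockerImage", "quay.io/org/app:1.0"},
		{"bad", "DockerImage", "someregistry.com/someimage:foo"}, {"implicit", "DockerImage", "nginx:1.25"}}
	fmt.Println(ValidateImageStreamTags(tags))
}
```

Note that a reference with no "/" (the page's "someregistry.com:foo" form) is an implicit Docker Hub image named "someregistry.com" with tag "foo", which is why registryOf resolves it to docker.io.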
Comment 1 Kurt Seifried 2018-04-11 14:08:32 EDT
Acknowledgments:

Name: Ben Parees (Red Hat)
Comment 3 Kurt Seifried 2018-04-11 14:22:30 EDT
This was fixed in the release of OpenShift 3.9 via RHBA-2018:0489
Comment 4 Dominik Mierzejewski 2018-08-01 07:31:38 EDT
Is OpenShift 3.7 affected as well?
Comment 7 Jason Shepherd 2018-08-02 21:25:14 EDT
Dominik: Yes. Would you like to request a backport of this issue? It is only rated moderate, so please provide the reason why you require it.
Comment 8 Dominik Mierzejewski 2018-08-03 07:59:56 EDT
Thanks for confirmation, Jason. Please have the corresponding security advisory (https://access.redhat.com/security/cve/cve-2017-15137) updated with this information, then. I'll open a case requesting a backport.
Comment 10 Jason Shepherd 2018-08-05 21:26:42 EDT
According to our support lifecycle for OpenShift Container Platform, Red Hat is not obliged to backport moderate issues to earlier minor versions. It states "Customers are expected to upgrade their OpenShift environment to the most current supported version". Is there any reason you can't upgrade, or do you think the impact rating needs to be reviewed?

https://access.redhat.com/support/policy/updates/openshift
Comment 13 Jason Shepherd 2018-08-08 20:12:20 EDT
I've confirmed that this vulnerability doesn't affect OCP 3.7 because the ability to whitelist image repositories was only added in 3.9. I've added a statement to https://access.redhat.com/security/cve/cve-2017-15137 to that effect.
