1566212 – (CVE-2017-15138) CVE-2017-15138 atomic-openshift: cluster-reader can escalate to creating builds via webhooks in any project

Bug 1566212 (CVE-2017-15138) - CVE-2017-15138 atomic-openshift: cluster-reader can escalate to creating builds via webhooks in any project

Summary: CVE-2017-15138 atomic-openshift: cluster-reader can escalate to creating buil...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2017-15138
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1504819 1566213 1619863 1619864
Blocks:	1513392
TreeView+	depends on / blocked

Reported:	2018-04-11 19:18 UTC by Kurt Seifried
Modified:	2021-02-17 00:31 UTC (History)
CC List:	13 users (show)
Fixed In Version:	atomic-openshift-3.9.14
Doc Type:	If docs needed, set a value
Doc Text:	An improper authorization flaw in the atomic-openshift component of Openshift Container Platform 3.7 and earlier allows a user with cluster-reader project viewer permissions to trigger an application build. An attacker could use this flaw to trigger a build of an application when that should be restricted.
Clone Of:
Environment:
Last Closed:	2018-04-11 19:22:01 UTC
Embargoed:

Attachments	(Terms of Use)

Description Kurt Seifried 2018-04-11 19:18:12 UTC

It is reported that as a result of cluster-reader having view access on all builds in all projects, the cluster reader is able to escalate to also create builds in all projects since they have access to the secret key for the webhook.

A project viewer has the same ability to escalate but is obviously scoped to the single project.

The main problem is that we have confidential information (webhook tokens) that lives in a non-confidential resource.

Comment 1 Kurt Seifried 2018-04-11 19:18:22 UTC

Acknowledgments:

Name: Jessica Forrester (Red Hat)

Comment 4 Kurt Seifried 2018-04-11 19:22:01 UTC

This was fixed in the release of OpenShift 3.9 via RHBA-2018:0489

Comment 5 Dominik Mierzejewski 2018-08-17 12:51:30 UTC

Are 3.2 and 3.7 affected as well?

Comment 11 Jason Shepherd 2018-08-22 00:30:07 UTC

This issue also affects all OCP 3.x versions prior to 3.9. If you don't make use of the cluster-reader, or project viewer roles this issue

Comment 13 Jason Shepherd 2018-08-22 00:34:31 UTC

Mitigation:

Don't use webhook tokens to trigger builds. Alternatively don't rely on project viewer, or cluster-reader permissions from preventing those users from running builds.

Comment 15 Mauro Matteo Cascella 2020-02-21 15:53:07 UTC

Statement:

The OpenShift Enterprise cluster-read can access webhook tokens, [1], which would allow an attacker with cluster-reader permissions, [2], or project viewer, [3], to view confidential webhook tokens. 

[1] https://docs.openshift.com/container-platform/3.7/dev_guide/builds/triggering_builds.html#webhook-triggers

[2] https://docs.openshift.com/container-platform/3.7/admin_guide/manage_rbac.html

[3] https://docs.openshift.com/container-platform/3.7/admin_solutions/user_role_mgmt.html#adding-a-role-to-a-user

Note You need to log in before you can comment on or make changes to this bug.