Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
First Last Prev Next    This bug is not in your last search results.
Bug 1566212 - (CVE-2017-15138) CVE-2017-15138 atomic-openshift: cluster-reader can escalate to creating builds via webhooks in any project
CVE-2017-15138 atomic-openshift: cluster-reader can escalate to creating buil...
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20180411,repor...
: Security
Depends On: 1504819 1566213 1619863 1619864
Blocks: 1513392
  Show dependency treegraph
 
Reported: 2018-04-11 15:18 EDT by Kurt Seifried
Modified: 2018-09-12 10:20 EDT (History)
13 users (show)

See Also:
Fixed In Version: atomic-openshift-3.9.14
Doc Type: If docs needed, set a value
Doc Text:
An improper authorization flaw in the atomic-openshift component of Openshift Container Platform 3.7 and earlier allows a user with cluster-reader project viewer permissions to trigger an application build. An attacker could use this flaw to trigger a build of an application when that should be restricted.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-04-11 15:22:01 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

  None (edit)
Description Kurt Seifried 2018-04-11 15:18:12 EDT 
It is reported that as a result of cluster-reader having view access on all builds in all projects, the cluster reader is able to escalate to also create builds in all projects since they have access to the secret key for the webhook.

A project viewer has the same ability to escalate but is obviously scoped to the single project.

The main problem is that we have confidential information (webhook tokens) that lives in a non-confidential resource.
Comment 1 Kurt Seifried 2018-04-11 15:18:22 EDT 
Acknowledgments:

Name: Jessica Forrester (Red Hat)
Comment 4 Kurt Seifried 2018-04-11 15:22:01 EDT 
This was fixed in the release of OpenShift 3.9 via RHBA-2018:0489
Comment 5 Dominik Mierzejewski 2018-08-17 08:51:30 EDT 
Are 3.2 and 3.7 affected as well?
Comment 11 Jason Shepherd 2018-08-21 20:30:07 EDT 
This issue also affects all OCP 3.x versions prior to 3.9. If you don't make use of the cluster-reader, or project viewer roles this issue
Comment 12 Jason Shepherd 2018-08-21 20:30:28 EDT 
Statement:

The OpenShift Enterprise cluster-read can access webhook tokens, [1], which would allow an attacker with cluster-reader permissions, [2], or project viewer, [3], to view confidential webhook tokens. 

[1] https://docs.openshift.com/container-platform/3.7/dev_guide/builds/triggering_builds.html#webhook-triggers
[2] https://docs.openshift.com/container-platform/3.7/admin_guide/manage_rbac.html
[3] https://docs.openshift.com/container-platform/3.7/admin_solutions/user_role_mgmt.html#adding-a-role-to-a-user
Comment 13 Jason Shepherd 2018-08-21 20:34:31 EDT 
Mitigation:

Don't use webhook tokens to trigger builds. Alternatively don't rely on project viewer, or cluster-reader permissions from preventing those users from running builds.
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.