OpenShift Container Platform and OpenShift Online have a flaw in the source-to-image functionality. An attacker that can create images with the 'io.openshift.s2i.assemble-user' LABEL set to 'root' can execute arbitrary code with full privileges in the builder pod during S2I build.
Name: Jeremy Choi (Red Hat)
This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 3.9
Via RHSA-2018:2013 https://access.redhat.com/errata/RHSA-2018:2013
RHSCL release was packaged before io.openshift.s2i.assemble-user functionality was added to source-to-image.