Bug 1625885 (CVE-2018-14632) - CVE-2018-14632 atomic-openshift: oc patch with json causes masterapi service crash
Summary: CVE-2018-14632 atomic-openshift: oc patch with json causes masterapi service ...
Status: CLOSED CURRENTRELEASE
Alias: CVE-2018-14632
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=important,public=20180906,repo...
Keywords: Security
Depends On: 1625943 1626305 1625939 1625940 1625941 1625942 1625944 1625945 1626309 1626310 1626311 1626312 1626779
Blocks: 1614951
Reported: 2018-09-06 07:48 UTC by Jason Shepherd
Modified: 2019-06-04 05:59 UTC (History)
An out-of-bounds write can occur when patching an OpenShift object using the 'oc patch' functionality in OpenShift Container Platform 3.x. An attacker can use this flaw to cause a denial of service on the OpenShift master API service, which provides cluster management.
Clone Of:
Last Closed: 2018-11-28 06:11:55 UTC




External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:2654 None None None 2018-09-26 04:10 UTC
Red Hat Product Errata RHSA-2018:2709 None None None 2018-11-11 16:39 UTC
Red Hat Product Errata RHSA-2018:2906 None None None 2018-11-21 11:56 UTC
Red Hat Product Errata RHSA-2018:2908 None None None 2018-11-20 03:11 UTC

Description Jason Shepherd 2018-09-06 07:48:43 UTC
An out-of-bounds write can occur when patching an OpenShift object using the 'oc patch' functionality in OpenShift Container Platform 3.6 and earlier. An attacker can use this flaw to cause a denial of service attack on the OpenShift master API service, which provides cluster management.

Comment 1 Jason Shepherd 2018-09-06 07:50:48 UTC
.

Comment 6 Andrej Nemec 2018-09-06 09:13:28 UTC
Upstream commit which fixes this issue in json-patch:

https://github.com/evanphx/json-patch/commit/4c9aadca8f89e349c999f04e28199e96e81aba03#diff-65c563bba473be9d94ce4d033f74810e

Comment 7 Jason Shepherd 2018-09-06 09:14:53 UTC
Upstream commit which fixes this issue in json-patch, which is used by OpenShift Container Platform.

https://github.com/evanphx/json-patch/commit/4c9aadca8f89e349c999f04e28199e96e81aba03#diff-65c563bba473be9d94ce4d033f74810e

Comment 11 Jason Shepherd 2018-09-07 01:28:20 UTC
Acknowledgments:

Name: Lars Haugan

Comment 16 Jason Shepherd 2018-09-10 22:52:22 UTC
Statement:

A multi-master OpenShift Container Platform cluster is more resilient; however, a sustained attack would still have an important impact.

Comment 17 Dominik Mierzejewski 2018-09-11 13:33:43 UTC
(In reply to Jason Shepherd from comment #1)
> This issue is fixed in OpenShift Container Platform 3.7 and later.

Judging by later comments and the fact that the referenced commit is tagged only for 4.0.0, I don't think the above statement is true. The RH Security page for this CVE lists all 3.x versions as affected.

Comment 18 Dominik Mierzejewski 2018-09-25 13:10:41 UTC
Jason?

Comment 19 Jason Shepherd 2018-09-25 23:26:34 UTC
Hi Dominik,

I've removed comment #1 now. You are correct that the issue is not fixed in OCP 3.7 and later. At the time I wrote that, it was believed to be true; however, a subsequent issue was discovered that had the same impact on all released OCP versions.

Regards,
Jason

Comment 20 errata-xmlrpc 2018-09-26 04:10:43 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.6

Via RHSA-2018:2654 https://access.redhat.com/errata/RHSA-2018:2654

Comment 21 errata-xmlrpc 2018-11-11 16:39:09 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.10

Via RHSA-2018:2709 https://access.redhat.com/errata/RHSA-2018:2709

Comment 23 errata-xmlrpc 2018-11-20 03:11:40 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.9

Via RHSA-2018:2908 https://access.redhat.com/errata/RHSA-2018:2908

Comment 24 errata-xmlrpc 2018-11-21 11:56:20 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.7

Via RHSA-2018:2906 https://access.redhat.com/errata/RHSA-2018:2906

Comment 25 Dominik Mierzejewski 2018-12-07 11:27:15 UTC
Is this fixed in 3.11? https://access.redhat.com/security/cve/cve-2018-14632 is still listing 3.11 as affected with no fix available.

Comment 26 Sam Fowler 2018-12-11 04:00:14 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.11

Via RHBA-2018:2652 https://access.redhat.com/errata/RHBA-2018:2652
