A vulnerability was found in OpenShift builds. Builds which extract source from a container image bypass TLS hostname verification. An attacker can take advantage of this by launching a man-in-the-middle attack and injecting malicious content.
References: https://github.com/openshift/builder/blob/04c78176099139a5d229578a9a98ed2e1d17a19d/pkg/build/builder/source.go#L383-L385
Acknowledgments: Name: Miloslav Trmač (Red Hat)
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.2 Via RHSA-2019:4101 https://access.redhat.com/errata/RHSA-2019:4101
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-14845
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.1 Via RHSA-2019:4237 https://access.redhat.com/errata/RHSA-2019:4237