It has been found that the automationbroker/apb container image (all versions up to and including 2.0.4-1) grants every user sudoer permissions. An attacker with access to the running container can exploit this to escalate their own privileges within the container.
The apb Dockerfile runs sudo for adding users and groups to the image:
https://github.com/automationbroker/apb/blob/master/apb-wrapper#L30-L39

We'll need to fix the above script so we don't have to do that. Then remove the sudoers line from the Dockerfile:
https://github.com/automationbroker/apb/blob/master/Dockerfile#L10

The affected repo is: https://github.com/automationbroker/apb/

3.11 uses apb-1.9.8: https://github.com/automationbroker/apb/tree/release-1.9
4.x uses apb-2.0.x: https://github.com/automationbroker/apb
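As an added example (not code from the apb project or from Red Hat), the following POSIX shell script audits a sudoers file for the kind of blanket grant described above: a rule whose user specification is the keyword ALL, so that it applies to every account. The sample sudoers contents are constructed for the example and are not the project's real Dockerfile or sudoers; the check assumes plain sudoers syntax and does not follow #includedir or @include directives.

```shell
#!/bin/sh
# Added example, not code from the apb project: audit a sudoers file for
# rules whose user specification is the keyword ALL, i.e. rules that apply
# to every account. A rule such as "ALL ALL=(ALL) NOPASSWD: ALL" is the
# kind of blanket grant this advisory describes. Only plain sudoers syntax
# is handled; #includedir / @include directives are not followed (an
# assumption of this example).

# Print every blanket rule in the file named by $1 and return 0 if at
# least one exists, 1 if none does.
sudoers_grants_all() {
    # Drop comments and blank lines, then keep rules whose first field is
    # ALL. The host field follows the user field, then "=" begins the
    # runas/command specification.
    sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$1" \
        | grep -E '^[[:space:]]*ALL[[:space:]]+[^[:space:]=]+[[:space:]]*='
}

# Write a constructed sample sudoers file and print its path.
# "vulnerable" mimics an image that gives every user passwordless sudo;
# "fixed" is the same file with that rule removed.
make_sample() {
    f=$(mktemp) || return 1
    {
        echo 'Defaults    requiretty'
        echo 'root    ALL=(ALL)       ALL'
        echo '%wheel  ALL=(ALL)       ALL'
        if [ "$1" = vulnerable ]; then
            echo 'ALL     ALL=(ALL)       NOPASSWD: ALL'
        fi
    } > "$f"
    echo "$f"
}

# Demonstration: the vulnerable sample is flagged, the fixed one is clean.
for kind in vulnerable fixed; do
    sample=$(make_sample "$kind")
    if sudoers_grants_all "$sample"; then
        echo "$kind: blanket sudo rule present"
    else
        echo "$kind: no blanket sudo rule"
    fi
    rm -f "$sample"
done
```

To run the check against a real image rather than the constructed sample, extract its sudoers file first (for example `docker run --rm --entrypoint cat IMAGE /etc/sudoers > sudoers.txt`, where IMAGE is the image under review) and pass that file to `sudoers_grants_all`. The structural fix the comment above describes is the same regardless of image: create users and groups at build time as root in the Dockerfile and switch to an unprivileged USER, so the entrypoint never needs sudo and the sudoers rule can be dropped.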
Acknowledgments: Name: Mark Cooper (Red Hat)
Statement: By default this vulnerability is not exploitable in unprivileged containers running on OpenShift Container Platform, because the setuid and setgid system calls are blocked by the default seccomp policy. In OpenShift 4.4 the container openshift-enterprise-abp-tools has been removed and hence is not affected by this flaw.