The Restricted Security Context Constraints (SCC) allows pods to craft custom network packets. An attacker can use this flaw to cause a denial of service attack on an OpenShift Container Platform cluster if they have the ability to deploy pods.
Acknowledgments: Name: Yuval Kashtan (Red Hat)
While removing CAP_NET_RAW from the default capability set is a great change, I think it is better tracked as a security hardening issue rather than a CVE. It's a stretch IMO to consider the inclusion of this capability a flaw on its own, considering that other projects also include it by default, e.g. Docker: https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities and libcontainer: https://github.com/opencontainers/runc/blob/master/libcontainer/SPEC.md#security. I think we want to avoid setting a precedent of CVE assignment every time a project changes its capability set.
In OpenShift Container Platform 3.11, if you are using an alternative CNI [1] you are at greater risk of exploitation.
[1] https://docs.openshift.com/container-platform/3.11/architecture/networking/network_plugins.html
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.5 Via RHSA-2020:4320 https://access.redhat.com/errata/RHSA-2020:4320
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-14336
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.6 Via RHSA-2020:4298 https://access.redhat.com/errata/RHSA-2020:4298
Mitigation: On OCP 3.11, create a custom SCC based on 'restricted' that additionally drops the NET_RAW capability [1]. Assign this custom SCC to any users or groups that create the pods you want to protect. See the documentation for more information [2].
[1] https://access.redhat.com/solutions/5611521
[2] https://docs.openshift.com/container-platform/3.11/admin_guide/manage_scc.html
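The following manifest is an added illustration of that mitigation; it is not taken from this bug or from the linked Red Hat solution article. It copies the settings of the stock 'restricted' SCC as shipped in OCP 3.11 and appends NET_RAW to requiredDropCapabilities, so every pod admitted under it starts without CAP_NET_RAW regardless of the runtime's default capability set. The SCC name restricted-no-net-raw is an arbitrary choice; compare the other fields against `oc get scc restricted -o yaml` on your own cluster before applying, since the example assumes an unmodified default.

```yaml
# Added example (not from the bug report): 'restricted' SCC clone that also drops NET_RAW.
# Assumption: all values other than the name and the extra NET_RAW entry match the
# unmodified 'restricted' SCC of OCP 3.11; verify with: oc get scc restricted -o yaml
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: restricted-no-net-raw          # hypothetical name, pick your own
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: true
allowPrivilegedContainer: false
allowedCapabilities: null              # pods may not add any capability back
defaultAddCapabilities: null
fsGroup:
  type: MustRunAs
groups: []                             # bind users/groups with oc adm policy, below
priority: null
readOnlyRootFilesystem: false
requiredDropCapabilities:
- KILL
- MKNOD
- SETUID
- SETGID
- NET_RAW                              # the one line this CVE's mitigation adds
runAsUser:
  type: MustRunAsRange
seLinuxContext:
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
users: []
volumes:
- configMap
- downwardAPI
- emptyDir
- persistentVolumeClaim
- projected
- secret
```

Apply it with `oc create -f restricted-no-net-raw.yaml`, then bind it to the groups that create the pods you want protected, for example `oc adm policy add-scc-to-group restricted-no-net-raw developers` (the group name is a placeholder). Because this SCC is strictly more restrictive than 'restricted', admission prefers it for users who are allowed both, and a pod that explicitly requests NET_RAW is rejected rather than silently granted the capability. To confirm which SCC actually admitted a running pod, read the `openshift.io/scc` annotation from `oc get pod <name> -o yaml`; to audit the cluster for SCCs that still leave NET_RAW in place, list them with `oc get scc -o custom-columns=NAME:.metadata.name,DROP:.requiredDropCapabilities`.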
Statement: By default, the OpenShift Container Platform uses the OpenShift SDN network interface. This interface makes the attack impractical by implementing iptables rules on the host side of the virtual network interface, isolating network traffic to within the pod. If the OpenShift Container Platform has the sriov-network-operator deployed, it is at greater risk of exploitation. If installing a new OCP 4.6 cluster, no changes are required. If upgrading a cluster from an earlier version to 4.5.16, be sure to delete the 99-worker-generated-crio-capabilities and 99-master-generated-crio-capabilities machine controllers once you have tested that dropping NET_RAW does not break your cluster workload.