1915110 – (CVE-2021-20182) CVE-2021-20182 openshift: builder allows read and write of block devices

Bug 1915110 (CVE-2021-20182) - CVE-2021-20182 openshift: builder allows read and write of block devices

Summary: CVE-2021-20182 openshift: builder allows read and write of block devices

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2021-20182
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1915136 1915137 1915138 1915139 1916815 1916816
Blocks:	1914946
TreeView+	depends on / blocked

Reported:	2021-01-12 01:20 UTC by Jason Shepherd
Modified:	2024-03-25 17:48 UTC (History)
CC List:	18 users (show)
Fixed In Version:	github.com/openshift/builder v0.0.0-20210118193943-6d10f5202a76
Clone Of:
Environment:
Last Closed:	2021-02-03 14:41:39 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2021:0281	0	None	None	None	2021-02-03 10:11:36 UTC

Description Jason Shepherd 2021-01-12 01:20:37 UTC

A privilege escalation vulnerability exists in the build functionality of OpenShift Container Platform. An attacker with 'admin' role in a project is able to escalate privileges to cluster-admin cluster role if builds are enabled.

Comment 1 Jason Shepherd 2021-01-12 01:20:40 UTC

Acknowledgments:

Name: Philippe Suzzoni (Bell Canada)

Comment 7 Jason Shepherd 2021-01-15 01:08:31 UTC

Upstream Commit:

https://github.com/openshift/builder/pull/202

Comment 9 Jason Shepherd 2021-01-15 01:13:53 UTC

Builds in OCP 3.11 use a different method to that in OCP 4.x and therefore don't expose this vulnerability.

Comment 13 Eric Christensen 2021-01-21 16:08:47 UTC

Mitigation:

The affected build strategies include docker, source and custom builds, hence these can be disabled as per the documentation[1]. This does however, exclude the Jenkins build strategy as it is not affected and does not have to be disabled. 

[1] https://docs.openshift.com/container-platform/4.6/builds/securing-builds-by-strategy.html

On clusters where builds are allowed only grant permissions to perform builds to users who you wish to be to able to view, modify and edit all cluster resources.

Comment 15 Mark Cooper 2021-02-02 05:01:21 UTC

Used fixcvenames on OCP 4.6 tracker as this got released: https://access.redhat.com/errata/RHBA-2021:0235

Comment 17 Mark Cooper 2021-02-03 00:41:10 UTC

Used fixcvenames on OCP 4.5 tracker as this got released: https://access.redhat.com/errata/RHBA-2021:0231

Comment 18 errata-xmlrpc 2021-02-03 10:11:32 UTC

This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.4

Via RHSA-2021:0281 https://access.redhat.com/errata/RHSA-2021:0281

Comment 19 Product Security DevOps Team 2021-02-03 14:41:39 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-20182

Note You need to log in before you can comment on or make changes to this bug.