''' We've discovered a privilege escalation issue in the OpenShift platform.

Conditions for the privilege escalation:
- a user must be granted the ability to "update, patch" the "pods/ephemeralcontainers" subresource
- by default, NEITHER common users NOR Service Accounts are granted this permission by the platform
- with the above permission, a user is able to patch a running pod they've got access to and bypass SCC admission
- this means a user can create a "privileged" container, which allows them to obtain access to the pod's node resources

The step-by-step reproducer is described in https://issues.redhat.com/browse/OCPBUGS-7181.

Affected OpenShift Container Platform versions: 4.10 and newer.
Affected component: kube-apiserver (and the platforms that use it)

The bug is located within the apiserver-library-go repository in the following module: https://github.com/openshift/apiserver-library-go/tree/master/pkg/securitycontextconstraints.

We are yet to determine how to fix it.

The workaround is to remove the permissions to "update, patch" the "pods/ephemeralcontainers" subresource from any low-privileged users, if there are any that currently hold it. '''

From Stanislav Láznička
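The workaround above is to find and strip that grant. The script below is an added example, not part of the bug report or of any Red Hat tooling: it audits RBAC objects for rules that grant update or patch on the core-group pods/ephemeralcontainers subresource, including the wildcard spellings ("*", "*/ephemeralcontainers", verb "*") that Kubernetes RBAC treats as equivalent, and then lists every subject reaching such a role through a RoleBinding or ClusterRoleBinding. It expects the v1 List JSON that a command such as `oc get roles,clusterroles,rolebindings,clusterrolebindings -A -o json` emits; the RBAC objects embedded in SAMPLE_RBAC are constructed for the demonstration, and the function and variable names are this example's own.

```python
import json
import sys

# The permission the advisory names: update/patch on the core-group pods/ephemeralcontainers subresource.
TARGET_GROUP = ""
TARGET_RESOURCE = "pods/ephemeralcontainers"
TARGET_VERBS = frozenset({"update", "patch"})


def _api_group_matches(rule):
    return any(g in ("*", TARGET_GROUP) for g in rule.get("apiGroups", []))


def _resource_matches(rule):
    # RBAC semantics: "*" matches everything, an exact "pods/ephemeralcontainers" matches,
    # and "*/ephemeralcontainers" matches that subresource on any resource. Plain "pods" does NOT.
    subresource = TARGET_RESOURCE.split("/", 1)[1]
    return any(r in ("*", TARGET_RESOURCE, "*/" + subresource) for r in rule.get("resources", []))


def granted_verbs(rule):
    """Return the subset of TARGET_VERBS that one PolicyRule grants on the target subresource."""
    if not (_api_group_matches(rule) and _resource_matches(rule)):
        return frozenset()
    verbs = set(rule.get("verbs", []))
    return TARGET_VERBS if "*" in verbs else TARGET_VERBS & verbs


def granting_roles(items):
    """Map (kind, namespace, name) -> verbs for every Role/ClusterRole that grants the permission."""
    found = {}
    for obj in items:
        if obj.get("kind") not in ("Role", "ClusterRole"):
            continue
        verbs = set()
        for rule in obj.get("rules") or []:
            verbs |= granted_verbs(rule)
        if verbs:
            meta = obj["metadata"]
            found[(obj["kind"], meta.get("namespace", ""), meta["name"])] = frozenset(verbs)
    return found


def bound_subjects(items, roles):
    """List subjects that reach a granting role through a RoleBinding or ClusterRoleBinding."""
    findings = []
    for obj in items:
        kind = obj.get("kind")
        if kind not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        meta, ref = obj["metadata"], obj["roleRef"]
        binding_ns = meta.get("namespace", "")
        # A RoleBinding may reference a Role in its own namespace or a ClusterRole (then scoped to
        # the binding's namespace); a ClusterRoleBinding references a ClusterRole cluster-wide.
        key = (ref["kind"], binding_ns if ref["kind"] == "Role" else "", ref["name"])
        if key not in roles:
            continue
        for subj in obj.get("subjects") or []:
            ns_prefix = subj["namespace"] + "/" if subj.get("namespace") else ""
            findings.append({
                "subject": f'{subj["kind"]}:{ns_prefix}{subj["name"]}',
                "role": f"{key[0]}/{key[2]}" + (f" (ns {key[1]})" if key[1] else ""),
                "verbs": sorted(roles[key]),
                "binding": f"{kind}/{meta['name']}",
                "scope": binding_ns or "cluster-wide",
            })
    return sorted(findings, key=lambda f: (f["subject"], f["binding"]))


def audit(rbac_list):
    """Audit a v1 List dict of Roles/ClusterRoles/RoleBindings/ClusterRoleBindings."""
    items = rbac_list["items"]
    return bound_subjects(items, granting_roles(items))


# Constructed sample mirroring `oc get ... -o json` output (not from a real cluster).
SAMPLE_RBAC = {"kind": "List", "items": [
    {"kind": "ClusterRole", "metadata": {"name": "debug-ephemeral"},
     "rules": [{"apiGroups": [""], "resources": ["pods/ephemeralcontainers"], "verbs": ["update", "patch"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "pod-patcher"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "patch"]}]},
    {"kind": "Role", "metadata": {"name": "wild-sub", "namespace": "dev"},
     "rules": [{"apiGroups": ["*"], "resources": ["*/ephemeralcontainers"], "verbs": ["*"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "debug-ephemeral-binding"},
     "roleRef": {"kind": "ClusterRole", "name": "debug-ephemeral"},
     "subjects": [{"kind": "User", "name": "alice"}]},
    {"kind": "RoleBinding", "metadata": {"name": "debug-in-qa", "namespace": "qa"},
     "roleRef": {"kind": "ClusterRole", "name": "debug-ephemeral"},
     "subjects": [{"kind": "Group", "name": "qa-team"}]},
    {"kind": "RoleBinding", "metadata": {"name": "wild-sub-bind", "namespace": "dev"},
     "roleRef": {"kind": "Role", "name": "wild-sub"},
     "subjects": [{"kind": "ServiceAccount", "name": "builder", "namespace": "dev"}]},
]}

if __name__ == "__main__":
    # Pipe real cluster output on stdin, or run with no input to audit the constructed sample.
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_RBAC
    for f in audit(data):
        print(f'{f["subject"]:<32} {f["role"]:<30} {",".join(f["verbs"]):<14} via {f["binding"]} [{f["scope"]}]')
```

Every subject the script prints holds the permission the advisory describes; the decision of which of them are "low-privileged" and should lose it is a judgement call, since cluster-admin style roles with "*" rules will also appear. Note that a plain `pods` rule with `patch` is correctly not reported: subresources must be named explicitly (or via a wildcard) to be granted.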
Hello Team, the customer wants to know about the CVE process. May I know when we plan to fix the issue? Thanks
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.12 Via RHSA-2023:3976 https://access.redhat.com/errata/RHSA-2023:3976
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.13; Ironic content for Red Hat OpenShift Container Platform 4.13 Via RHSA-2023:4093 https://access.redhat.com/errata/RHSA-2023:4093
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2023-1260
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.11 Via RHSA-2023:4312 https://access.redhat.com/errata/RHSA-2023:4312
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.10 Via RHSA-2023:4898 https://access.redhat.com/errata/RHSA-2023:4898
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.14 Via RHSA-2023:5008 https://access.redhat.com/errata/RHSA-2023:5008
Dear Red Hat team, can I ask if, in the corrected OpenShift versions (>=4.11), it is now OK to give these privileges
{APIGroups:[""], Resources:["pods/ephemeralcontainers"], Verbs:["patch" "update"]}
{APIGroups:[""], Resources:["pods/status"], Verbs:["patch" "update"]}
to users without risking the privilege escalation described in this ticket?
Created a new issue https://bugzilla.redhat.com/show_bug.cgi?id=2349782 to ask about granting these privileges by default.