''' We've discovered a privilege escalation issue in the OpenShift platform.

Conditions for the privilege escalation:
- a user must be granted the ability to "update, patch" the "pods/ephemeralcontainers" subresource
- by default, NEITHER common users NOR Service Accounts are granted this permission by the platform
- with the above permission, a user is able to patch a running pod they've got access to and bypass SCC admission
- this means a user can create a "privileged" container, which allows them to obtain access to the pod's node resources

The step-by-step reproducer is described in https://issues.redhat.com/browse/OCPBUGS-7181.

Affected OpenShift Container Platform versions: 4.10 and newer.
Affected component: kube-apiserver (and the platforms that use it)

The bug is located within the apiserver-library-go repository in the following module: https://github.com/openshift/apiserver-library-go/tree/master/pkg/securitycontextconstraints.

We are yet to determine how to fix it. The workaround is to remove the permissions to "update, patch" the "pods/ephemeralcontainers" subresource from any low-privileged users, if there are any that currently hold it. ''' From Stanislav Láznička
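The workaround above depends on knowing which roles actually grant "update" or "patch" on the "pods/ephemeralcontainers" subresource. The following audit script is an added example, not code from the report, from Red Hat, or from the apiserver-library-go project: it scans a RoleList/ClusterRoleList document of the shape `oc get clusterroles -o json` produces and lists every role that grants those verbs on that subresource. It assumes the standard RBAC matching semantics, in which `*` matches every resource, `*/ephemeralcontainers` matches that subresource on every resource, and `pods/*` does not grant subresources; the role names and rules in `SAMPLE_ROLES` are constructed for illustration.

```python
"""Audit Kubernetes/OpenShift RBAC roles for grants of update/patch on the
pods/ephemeralcontainers subresource (the permission named in the report)."""
import json
import sys

TARGET_RESOURCE = "pods"
TARGET_SUBRESOURCE = "ephemeralcontainers"
TARGET_VERBS = {"update", "patch"}


def resource_matches(rule_resource: str) -> bool:
    """Mirror RBAC resource matching for a subresource request (assumed semantics):
    '*' matches everything, the exact 'pods/ephemeralcontainers' matches, and the
    '*/ephemeralcontainers' form matches the subresource on every resource.
    'pods/*' is not a subresource grant in RBAC, so it is deliberately not matched."""
    combined = f"{TARGET_RESOURCE}/{TARGET_SUBRESOURCE}"
    return rule_resource in ("*", combined, f"*/{TARGET_SUBRESOURCE}")


def rule_grants_target(rule: dict) -> set:
    """Return the risky verbs a single PolicyRule grants on the target subresource."""
    # pods live in the core API group, written as "" in RBAC; "*" covers all groups.
    if not any(g in ("", "*") for g in rule.get("apiGroups", [])):
        return set()
    if not any(resource_matches(r) for r in rule.get("resources", [])):
        return set()
    verbs = set(rule.get("verbs", []))
    if "*" in verbs:
        return set(TARGET_VERBS)
    return verbs & TARGET_VERBS


def find_risky_roles(role_list: dict) -> list:
    """Scan a list document and return (kind, namespace, name, verbs) for every
    role whose rules grant update and/or patch on pods/ephemeralcontainers."""
    findings = []
    for role in role_list.get("items", []):
        granted = set()
        # Aggregated ClusterRoles can carry "rules": null, hence the `or []`.
        for rule in role.get("rules") or []:
            granted |= rule_grants_target(rule)
        if granted:
            meta = role.get("metadata", {})
            findings.append((role.get("kind"), meta.get("namespace"),
                             meta.get("name"), sorted(granted)))
    return findings


# Constructed sample in the shape `oc get clusterroles -o json` returns; not real cluster data.
SAMPLE_ROLES = {
    "kind": "ClusterRoleList",
    "items": [
        {"kind": "ClusterRole", "metadata": {"name": "debug-ephemeral"},
         "rules": [{"apiGroups": [""], "resources": ["pods/ephemeralcontainers"],
                    "verbs": ["get", "update", "patch"]}]},
        {"kind": "ClusterRole", "metadata": {"name": "wide-open"},
         "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
        {"kind": "ClusterRole", "metadata": {"name": "any-ephemeral"},
         "rules": [{"apiGroups": [""], "resources": ["*/ephemeralcontainers"],
                    "verbs": ["patch"]}]},
        {"kind": "ClusterRole", "metadata": {"name": "pod-subresources-glob"},
         "rules": [{"apiGroups": [""], "resources": ["pods/*"], "verbs": ["update"]}]},
        {"kind": "ClusterRole", "metadata": {"name": "pod-reader"},
         "rules": [{"apiGroups": [""], "resources": ["pods", "pods/ephemeralcontainers"],
                    "verbs": ["get", "list"]}]},
        {"kind": "ClusterRole", "metadata": {"name": "aggregated-empty"}, "rules": None},
    ],
}


if __name__ == "__main__":
    # Read a JSON document from the file given as the first argument, else use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            data = json.load(fh)
    else:
        data = SAMPLE_ROLES
    for kind, namespace, name, verbs in find_risky_roles(data):
        scope = f"{namespace}/" if namespace else ""
        print(f"{kind} {scope}{name}: {', '.join(verbs)} on pods/ephemeralcontainers")
```

Run it against `oc get clusterroles -o json` and `oc get roles -A -o json` saved to files; any role it reports is one whose bindings should then be reviewed, and the verbs removed from low-privileged subjects as the report recommends. Note that it flags roles, not subjects: a role such as the `wide-open` sample is expected for cluster administrators and is only a finding when it is bound to a user or service account that should not have it.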
Hello Team, the customer wants to know about the CVE process. May I know when we plan to fix the issue? Thanks
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.12 Via RHSA-2023:3976 https://access.redhat.com/errata/RHSA-2023:3976
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.13 Ironic content for Red Hat OpenShift Container Platform 4.13 Via RHSA-2023:4093 https://access.redhat.com/errata/RHSA-2023:4093
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2023-1260
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.11 Via RHSA-2023:4312 https://access.redhat.com/errata/RHSA-2023:4312