Michael Scherer (misc) of Red Hat reports: Description of problem: In the connection hooks set by using a scaled application : https://github.com/openshift/origin-server/blob/master/cartridges/openshift-origin-cartridge-haproxy-1.4/info/connection-hooks/set-proxy#L63 the following code is used : cp -f "$haproxy_cfg" /tmp/haproxy.cfg.$$ sed -i "/\s*server\s*gear-${gear_name}\s.*/d" /tmp/haproxy.cfg.$$ cat /tmp/haproxy.cfg.$$ > "$haproxy_cfg" rm -f /tmp/haproxy.cfg.$$ If someone manage to be able to create enough directories in /tmp/ ( like /tmp/haproxy.cfg.1 to 65000, with a for loop ), since the code never check any return code of the binary, the haproxy configuration will be erased at the 3rd line of the snippet, resulting in a DoS. Another possibility is using enough file in /tmp with 444 mode, so cp would not be able to erase it, but cat would still copy it in the haproxy configuration, thus permitting to inject anything into haproxy configuration ( I can imagine someone redirecting trafic to the wrong host, etc ). This code is called when the application is scaled, if I understand well the documentation. However, I do not know if this can be triggered externally and how. In doubt, I will consider this as a security issue, and let the SRT judge if that's right or not You will find a non tested patch attached to this bug report against latest HEAD. instead of copying and then modifying using sed, it would be better to directly modify the file. I am not sure the code is correct as I suspect it may fail in weird in case of concurrent editing, but I think the previous one would also had a issue with that case. As all others bug I opened this evening/afternoon, this is mitigated by the usage of polyinstanciated /tmp directory on openshift online, so the problem would just be for enterprise users who do not follow the security recommendation ( or people setting up origin by themselves ).
Acknowledgements: This issue was discovered by Michael Scherer of the Red Hat Regional IT team.
So in total we have: ./openshift-origin-cartridge-haproxy-1.17.3/bin/control: cp -f "$haproxy_cfg" /tmp/haproxy.cfg.$$ ./openshift-origin-cartridge-haproxy-1.17.3/bin/control: sed -i "/$1/ s#\$# disabled#g" /tmp/haproxy.cfg.$$ ./openshift-origin-cartridge-haproxy-1.17.3/bin/control: cat /tmp/haproxy.cfg.$$ > "$haproxy_cfg" ./openshift-origin-cartridge-haproxy-1.17.3/bin/control: rm -f /tmp/haproxy.cfg.$$ ./openshift-origin-cartridge-haproxy-1.17.3/bin/control: cp -f "$haproxy_cfg" /tmp/haproxy.cfg.$$ ./openshift-origin-cartridge-haproxy-1.17.3/bin/control: sed -i "/$1/ s#disabled\$##g" /tmp/haproxy.cfg.$$ ./openshift-origin-cartridge-haproxy-1.17.3/bin/control: cat /tmp/haproxy.cfg.$$ > "$haproxy_cfg" ./openshift-origin-cartridge-haproxy-1.17.3/bin/control: rm -f /tmp/haproxy.cfg.$$ ./openshift-origin-cartridge-haproxy-1.17.3/usr/bin/fix_local.sh: cp -f $haproxy_cfg /tmp/haproxy.cfg.$$ ./openshift-origin-cartridge-haproxy-1.17.3/usr/bin/fix_local.sh: sed -i "/\s*server\s*local-gear\s.*/d" /tmp/haproxy.cfg.$$ ./openshift-origin-cartridge-haproxy-1.17.3/usr/bin/fix_local.sh: echo " server local-gear $local_ep weight 0" >> /tmp/haproxy.cfg.$$ ./openshift-origin-cartridge-haproxy-1.17.3/usr/bin/fix_local.sh: cat /tmp/haproxy.cfg.$$ > "$haproxy_cfg" ./openshift-origin-cartridge-haproxy-1.17.3/usr/bin/fix_local.sh: rm -f /tmp/haproxy.cfg.$$ ./openshift-origin-cartridge-haproxy-1.17.3/usr/bin/update-cluster:cp -f "$haproxy_cfg" /tmp/haproxy.cfg.$$ ./openshift-origin-cartridge-haproxy-1.17.3/usr/bin/update-cluster: sed -i "/\s*server\s*gear-$sg\s.*/d" /tmp/haproxy.cfg.$$ ./openshift-origin-cartridge-haproxy-1.17.3/usr/bin/update-cluster:sed -i "/\s*server\s*local-gear\s.*/d" /tmp/haproxy.cfg.$$ ./openshift-origin-cartridge-haproxy-1.17.3/usr/bin/update-cluster:echo " server local-gear $local_ep check fall 2 rise 3 inter 2000 cookie local-$OPENSHIFT_GEAR_UUID" >> /tmp/haproxy.cfg.$$ ./openshift-origin-cartridge-haproxy-1.17.3/usr/bin/update-cluster:cat /tmp/haproxy.cfg.$$ > "$haproxy_cfg" ./openshift-origin-cartridge-haproxy-1.17.3/usr/bin/update-cluster:rm -f /tmp/haproxy.cfg.$$
Wow, this bug is over a year old. :(. Looks like the set-proxy and fix-local.sh script need to be updated. This bug affects OSE 2.0 too so we should probably have a tracking bug there as well.
Statement: This issue affects the versions of the haproxy cartridge as shipped with Red Hat OpenShift Enterprise 1 and 2. Red Hat Product Security has rated this issue as having Low security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/. Additionally OpenShift uses a per user poly-instantiated /tmp directory which makes exploitation of this issue very difficult.
I edited statement in comment 9 and making comment 8 private.