Bug 1065198 (CVE-2014-0084) - CVE-2014-0084 rubygem-openshift-origin-node: cron.daily/cron.weekly denial of service
Status: CLOSED ERRATA
Alias: CVE-2014-0084
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 1065045, 1065205, 1065206
Blocks: 1065209
 
Reported: 2014-02-14 05:24 UTC by Kurt Seifried
Modified: 2023-05-12 17:52 UTC (History)

Doc Type: Bug Fix
Last Closed: 2014-07-18 19:14:53 UTC



Description Kurt Seifried 2014-02-14 05:24:38 UTC
Andy Grimm of Red Hat reports:

OpenShift uses /etc/cron.daily/openshift-origin-cron-daily to run:

/usr/bin/oo-scheduled-jobs run daily &> /dev/null

This in turn runs all the user gears' cron.daily content. If these cron jobs
take a long time to run, it will prevent further OpenShift gears' cron.daily
from being run in a timely manner, if at all. The same goes for /etc/cron.weekly/openshift-origin-cron-weekly
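The report above describes one slow gear job starving every gear scheduled after it. The following shell script is an added illustration of the mitigation the thread goes on to discuss (a per-job `timeout`), not OpenShift's own cron_runjobs.sh; the job directory, the job names and the short JOB_TIMEOUT value are constructed for the demonstration. A job that hangs is killed at the limit and the jobs after it still run.

```shell
#!/bin/sh
# Added example (not OpenShift code): run every job in a directory under a
# per-job time limit so one slow or hung job cannot block the remaining jobs.

# Seconds each job may run. Constructed value for the demo; a real scheduler
# would use a limit measured in minutes.
JOB_TIMEOUT="${JOB_TIMEOUT:-1}"

# run_jobs DIR: execute each executable file in DIR under `timeout`.
# Reports per-job status on stderr and prints "ran=N killed=M" on stdout.
# coreutils `timeout` exits with 124 when it had to kill the child.
run_jobs() {
    jobdir="$1"
    ran=0
    killed=0
    for job in "$jobdir"/*; do
        [ -x "$job" ] || continue
        rc=0
        timeout "$JOB_TIMEOUT" "$job" >/dev/null 2>&1 || rc=$?
        ran=$((ran + 1))
        if [ "$rc" -eq 124 ]; then
            killed=$((killed + 1))
            echo "$(basename "$job"): killed after ${JOB_TIMEOUT}s" >&2
        else
            echo "$(basename "$job"): exit $rc" >&2
        fi
    done
    echo "ran=$ran killed=$killed"
}

# make_sample_jobs: build a constructed job directory with a job that hangs
# first and a quick job after it, so the ordering matches the report.
# Prints the directory path.
make_sample_jobs() {
    sample=$(mktemp -d)
    printf '#!/bin/sh\nsleep 60\n' > "$sample/10-hangs"
    printf '#!/bin/sh\nexit 0\n'   > "$sample/20-quick"
    chmod +x "$sample"/*
    echo "$sample"
}

# Stand-alone demo: ./runjobs.sh --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(make_sample_jobs)
    run_jobs "$d"
    rm -rf "$d"
fi
```

Without the `timeout` wrapper the `sleep 60` job would hold the whole run for a minute and `20-quick` would wait behind it; with it, the run reports `ran=2 killed=1` after about one second.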

Comment 3 Kurt Seifried 2014-02-14 06:05:20 UTC
Acknowledgements:

This issue was discovered by Andy Grimm of Red Hat.

Comment 5 Tim Kramer 2014-03-19 21:07:17 UTC
Kurt,
It looks like this should be set for
Product: OpenShift Online
Component: Cartridge

and not security response. I could be wrong but I don't think the developers will see it in this state.


I see in brew:
https://brewweb.devel.redhat.com/buildinfo?buildID=344773

Michal was the last person to make a change to that RPM.

Comment 6 Michal Fojtik 2014-03-19 21:39:35 UTC
I fixed an LD_LIBRARY_PATH problem there that caused problems when users have SCL-ized python/ruby/whatever inside a cron job; that env var was not exported properly.

Kurt: There is a timeout inside the cron_runjob.sh script that is responsible for executing users' scripts. This script has the 'timeout' command in place as executor. See here:

https://github.com/openshift/origin-server/blob/master/cartridges/openshift-origin-cartridge-cron/bin/cron_runjobs.sh#L72

Comment 7 Kurt Seifried 2014-03-20 02:26:26 UTC
(In reply to Tim Kramer from comment #5)
> Kurt,
>       It looks like this should be set for
> Product:  OpenShift Online
> Component:  Cartridge
> 
> and not security response.  I could be wrong but I don't think the
> developers will see it in this state.

This is the CVE bug; what you're describing is the tracking bug https://bugzilla.redhat.com/show_bug.cgi?id=1065045 where the changes can be made.

Comment 9 Kurt Seifried 2014-07-18 01:43:02 UTC
This was fixed publicly:

https://github.com/openshift/origin-server/pull/4764

Comment 10 Brenton Leanhardt 2014-07-18 12:14:55 UTC
For what it's worth, this shipped as part of the OpenShift Enterprise 2.1 rebase.

Comment 11 Kurt Seifried 2014-07-18 19:14:53 UTC
This issue has been addressed in the following products:

  RHEL 6 Version of OpenShift Enterprise 2.1

Via RHBA-2014:0487 https://rhn.redhat.com/errata/RHBA-2014-0487.html