Bug 1384112 (CVE-2016-7075) - CVE-2016-7075 OpenShift 3: API server does not validate client-provided intermediate certificates correctly
Summary: CVE-2016-7075 OpenShift 3: API server does not validate client-provided inter...
Alias: CVE-2016-7075
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Whiteboard: impact=important,public=20161010,repo...
Keywords: Security
Depends On: 1384120
Blocks: 1384165
Reported: 2016-10-12 15:06 UTC by Kurt Seifried
Modified: 2019-06-11 11:13 UTC

It was found that the Kubernetes API server did not correctly handle X.509 client certificate chains that include an intermediate certificate: the subject of the intermediate, rather than the subject of the client's own entity (leaf) certificate, was used to establish the client's identity. An attacker could use this flaw to bypass authentication requirements by presenting a specially crafted X.509 certificate chain.
Clone Of:
Last Closed: 2019-06-08 03:00:01 UTC

External Trackers
Tracker ID:   Red Hat Product Errata RHSA-2016:2064
Priority:     normal
Status:       SHIPPED_LIVE
Summary:      Important: atomic-openshift security update
Last Updated: 2016-10-17 21:24:45 UTC

Description Kurt Seifried 2016-10-12 15:06:37 UTC
Upstream reports:
Clients using SSL certs for auth show the subject CN of their intermediate cert
not their entity cert.

Reference URL:
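The flaw class reported above (identity read from the intermediate instead of the entity certificate) is easier to reason about with a verified chain in hand. The following Go program is an added example written for this page; it is not the Kubernetes or OpenShift code and does not reproduce the upstream bug. It builds a constructed root -> intermediate -> leaf PKI (the names corp-root-ca, corp-intermediate-ca, alice, pki-operators and developers are invented fixture data), verifies the leaf the way a TLS server would with the intermediate the client sent, and then derives an identity from chain[1] (the intermediate, modelling the behaviour the report describes) and from chain[0] (the entity certificate whose key the client actually proved possession of). The CN-as-user, O-as-groups mapping follows the convention Kubernetes uses for certificate authentication; the identityOf/verifyChain/Demo helpers are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Identity is what the API server derives from a client certificate (Kubernetes convention: subject CN is the user name, subject O entries are the groups).
type Identity struct {
	Name   string
	Groups []string
}

// mustIssue builds one certificate of the constructed fixture PKI, signed by parent (self-signed when parent is nil); only the leaf gets the clientAuth EKU, CAs stay unrestricted.
func mustIssue(subject pkix.Name, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // fixture only; a real CA tracks serials
		Subject:               subject,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// verifyChain does what a TLS server does with a client-presented chain: peer[0] is the entity
// (leaf) certificate, peer[1:] are client-sent intermediates, roots is the server's client-CA bundle.
func verifyChain(peer []*x509.Certificate, roots *x509.CertPool) ([][]*x509.Certificate, error) {
	if len(peer) == 0 {
		return nil, fmt.Errorf("no client certificate presented")
	}
	intermediates := x509.NewCertPool()
	for _, c := range peer[1:] {
		intermediates.AddCert(c)
	}
	return peer[0].Verify(x509.VerifyOptions{ // every returned chain is ordered leaf first
		Roots:         roots,
		Intermediates: intermediates,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
}

// identityOf maps a certificate's subject to the identity the server will act on.
func identityOf(c *x509.Certificate) Identity {
	return Identity{Name: c.Subject.CommonName, Groups: c.Subject.Organization}
}

// Demo verifies the leaf plus the intermediate the client sent, then returns the identity read from the
// wrong certificate (chain[1], the intermediate, modelling the report) and from the right one (chain[0]).
func Demo() (fromIntermediate, fromLeaf Identity, err error) {
	root, rootKey := mustIssue(pkix.Name{CommonName: "corp-root-ca"}, true, nil, nil)
	inter, interKey := mustIssue(pkix.Name{CommonName: "corp-intermediate-ca", Organization: []string{"pki-operators"}}, true, root, rootKey)
	leaf, _ := mustIssue(pkix.Name{CommonName: "alice", Organization: []string{"developers"}}, false, inter, interKey)
	roots := x509.NewCertPool()
	roots.AddCert(root)
	chains, err := verifyChain([]*x509.Certificate{leaf, inter}, roots)
	if err != nil {
		return
	}
	chain := chains[0] // [leaf, intermediate, root]; only chain[0] was proven by the handshake
	return identityOf(chain[1]), identityOf(chain[0]), nil
}

func main() {
	fromIntermediate, fromLeaf, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("from intermediate (flawed): %+v\nfrom leaf (correct):        %+v\n", fromIntermediate, fromLeaf)
}
```

Running it shows the server acting as corp-intermediate-ca in group pki-operators when it reads the wrong certificate, and as alice in group developers when it reads the leaf. The check to carry into any certificate authenticator review is the same: after chain verification, user and group attributes must come only from the certificate the client proved key possession for, and nothing from the intermediates (which are client-supplied bytes, validated only as signers) should ever reach authorization.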

Comment 3 errata-xmlrpc 2016-10-17 17:25:21 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Enterprise 3.1
  Red Hat OpenShift Enterprise 3.2
  Red Hat OpenShift Container Platform 3.3

Via RHSA-2016:2064 https://access.redhat.com/errata/RHSA-2016:2064