It was found that xterm.js does not sanitize terminal escape sequences in browser terminals, allowing for execution of arbitrary commands. An attacker could exploit this by convincing a user with an xterm.js browser terminal to display an escape sequence, for example by reading from a log file containing attacker-controlled input.
A remote code execution vulnerability exists in Xterm.js before versions 3.8.1, 3.9.2 and 3.10.1 when the component mishandles special characters.
This issue affects both the atomic-openshift-web-console RPM and the openshift3/ose-console container image shipped in OpenShift Container Platform. These components provide a web console for opening in-browser terminals in cluster pods. Successful exploitation of this issue would require an attacker to convince an authorized user to open an in-browser terminal on a target pod and execute a command that prints attacker-controlled input. Red Hat Product Security has rated this issue as having a security impact of Moderate. A future update may address this issue.
This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 3.11
Via RHSA-2019:1422 https://access.redhat.com/errata/RHSA-2019:1422