This service will be undergoing disruptive maintenance at 7:00PM UTC, 2020-01-18. It is expected to last approximately one hour.
Bug 1734615 (CVE-2019-10213) - CVE-2019-10213 openshift: Secret data written to pod logs when operator set at Debug level or higher
Summary: CVE-2019-10213 openshift: Secret data written to pod logs when operator set a...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-10213
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1737317 1737319 1737321 1737324 1734621 1734622 1737315 1737316 1737318 1737320 1737322 1737323 1744724 1745796 1745797 1745799 1745800 1745801 1745802 1745803 1745804 1745805 1745806 1746103
Blocks: 1732750
TreeView+ depends on / blocked
 
Reported: 2019-07-31 06:04 UTC by Sam Fowler
Modified: 2019-12-17 07:38 UTC (History)
10 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-09-17 18:45:32 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:2791 None None None 2019-09-17 18:11:42 UTC
Red Hat Product Errata RHSA-2019:4082 None None None 2019-12-04 13:59:07 UTC
Red Hat Product Errata RHSA-2019:4088 None None None 2019-12-17 07:38:33 UTC

Description Sam Fowler 2019-07-31 06:04:51 UTC
OpenShift Container Platform 4 does not sanitize secret data written to pod logs when the log level in a given operator is set to Debug or higher. A low privileged user could read pod logs to discover secret material if the log level has already been modified in an operator by a privileged user.


Upstream Fix:

https://github.com/openshift/library-go/pull/472

Comment 4 Sam Fowler 2019-08-05 06:04:01 UTC
Flaw introduced by:

https://github.com/openshift/library-go/pull/244

Comment 9 errata-xmlrpc 2019-09-17 18:11:40 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.1

Via RHSA-2019:2791 https://access.redhat.com/errata/RHSA-2019:2791

Comment 10 Product Security DevOps Team 2019-09-17 18:45:32 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-10213

Comment 11 errata-xmlrpc 2019-12-04 13:59:06 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.1

Via RHSA-2019:4082 https://access.redhat.com/errata/RHSA-2019:4082

Comment 12 errata-xmlrpc 2019-12-17 07:38:32 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.1

Via RHSA-2019:4088 https://access.redhat.com/errata/RHSA-2019:4088


Note You need to log in before you can comment on or make changes to this bug.