The containers/image library used by the container tools Podman, Buildah, and Skopeo in Red Hat Enterprise Linux 8, and by CRI-O in OpenShift Container Platform, does not enforce TLS when connecting to a container registry's token authorization service [1]. When a registry answers a request with a "WWW-Authenticate: Bearer" challenge, the client follows the realm URL given in that challenge even when it is a plain http:// URL, so the user's login credentials are sent to, and the resulting bearer token received from, the token server in cleartext. An attacker on the network path could use this to mount a MITM attack and steal login credentials or bearer tokens. Upstream issue: https://github.com/containers/image/issues/654 Upstream patch: https://github.com/containers/image/pull/669 [1] https://docs.docker.com/registry/spec/auth/token/
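The check that closes this class of bug, shown here as an added illustration in Go rather than the upstream containers/image patch: parse the realm out of the Bearer challenge, then refuse to send credentials to it unless it is https:// (or unless the registry itself is deliberately being used over plain http, where the credentials are already exposed on that hop). The header strings, host names and function names are constructed for the example and do not come from the library.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Challenge holds the parameters of a "WWW-Authenticate: Bearer ..." header
// as described in the Docker registry token auth spec.
type Challenge struct {
	Realm   string
	Service string
	Scope   string
}

// ParseBearerChallenge extracts realm, service and scope from a Bearer
// challenge. Values are expected to be quoted and comma-separated; a quoted
// value containing a literal comma is not handled (hypothetical simplification).
func ParseBearerChallenge(header string) (Challenge, error) {
	var c Challenge
	const prefix = "Bearer "
	if !strings.HasPrefix(header, prefix) {
		return c, errors.New("not a Bearer challenge")
	}
	for _, kv := range strings.Split(header[len(prefix):], ",") {
		parts := strings.SplitN(strings.TrimSpace(kv), "=", 2)
		if len(parts) != 2 {
			return c, fmt.Errorf("malformed challenge parameter %q", kv)
		}
		v := strings.Trim(parts[1], `"`)
		switch strings.ToLower(parts[0]) {
		case "realm":
			c.Realm = v
		case "service":
			c.Service = v
		case "scope":
			c.Scope = v
		}
	}
	if c.Realm == "" {
		return c, errors.New("Bearer challenge has no realm")
	}
	return c, nil
}

// CheckRealm enforces TLS on the token endpoint. registryScheme is the
// scheme the client used to reach the registry itself ("https", or "http"
// for an explicitly insecure registry). A plain-http realm is accepted only
// when the registry is already being spoken to over plain http.
func CheckRealm(realm, registryScheme string) error {
	u, err := url.Parse(realm)
	if err != nil {
		return fmt.Errorf("invalid realm %q: %w", realm, err)
	}
	switch u.Scheme {
	case "https":
		return nil
	case "http":
		if registryScheme == "http" {
			return nil
		}
		return fmt.Errorf("refusing to send credentials to non-TLS token server %q for TLS registry", realm)
	default:
		return fmt.Errorf("unsupported realm scheme %q in %q", u.Scheme, realm)
	}
}

func main() {
	// Constructed challenge a malicious or misconfigured registry might return.
	hdr := `Bearer realm="http://auth.example.test/token",service="registry.example.test",scope="repository:app/web:pull"`
	c, err := ParseBearerChallenge(hdr)
	if err != nil {
		panic(err)
	}
	fmt.Println("realm:", c.Realm, "service:", c.Service, "scope:", c.Scope)
	fmt.Println("https registry:", CheckRealm(c.Realm, "https"))
	fmt.Println("insecure registry:", CheckRealm(c.Realm, "http"))
}
```

Run with `go run`: the first CheckRealm call reports the refusal, the second returns nil because the registry connection is already unencrypted by the operator's choice.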
Acknowledgments: Name: Miloslav Trmač (Red Hat)
All tracking bugs are now in MODIFIED state.
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 3.11 Via RHSA-2019:2817 https://access.redhat.com/errata/RHSA-2019:2817
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-10214
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.1 Via RHSA-2019:2825 https://access.redhat.com/errata/RHSA-2019:2825
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 3.10 Via RHSA-2019:2989 https://access.redhat.com/errata/RHSA-2019:2989
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.1 Via RHSA-2019:3007 https://access.redhat.com/errata/RHSA-2019:3007
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2019:3403 https://access.redhat.com/errata/RHSA-2019:3403
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2019:3494 https://access.redhat.com/errata/RHSA-2019:3494
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 3.9 Via RHSA-2019:3812 https://access.redhat.com/errata/RHSA-2019:3812