A buffer overflow in iptables-restore in netfilter iptables 1.8.2 allows an attacker to (at least) crash the program or potentially gain code execution via a specially crafted iptables-save file. This is related to add_param_to_argv in xshared.c. References: https://0day.work/cve-2019-11360-bufferoverflow-in-iptables-restore-v1-8-2/ https://git.netfilter.org/iptables/commit/iptables/xshared.c?id=2ae1099a42e6a0f06de305ca13a842ac83d4683e
Upstream fix: https://git.netfilter.org/iptables/commit/iptables/xshared.c?id=2ae1099a42e6a0f06de305ca13a842ac83d4683e
External References: https://0day.work/cve-2019-11360-bufferoverflow-in-iptables-restore-v1-8-2/
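An added illustration of this bug class and of the shape of the fix, written for this page and not taken from the iptables source or the upstream commit: a simplified tokenizer for iptables-save rule lines that copies each parameter into a fixed-size local buffer and refuses a token that would not fit instead of writing past the end of the buffer. The names PARAM_MAX, copy_token, parse_rule_line and the buffer size are assumptions, not the real code's.

```c
#include <string.h>
#define PARAM_MAX 1024 /* fixed-size parameter buffer; size assumed here */

/* Copy the next token (bare word or "quoted string") from *pos into out.
 * Returns 1 on a token, 0 at end of line, -1 if it would not fit in outsz. */
int copy_token(const char **pos, char *out, size_t outsz) {
    const char *p = *pos;
    size_t n = 0;
    int quoted;
    while (*p == ' ' || *p == '\t' || *p == '\n') p++;
    if (*p == '\0') { *pos = p; return 0; }
    quoted = (*p == '"');
    if (quoted) p++;
    while (*p) {
        if (quoted && *p == '"') { p++; break; }
        if (!quoted && (*p == ' ' || *p == '\t' || *p == '\n')) break;
        if (n + 1 >= outsz) return -1;   /* the bound an unchecked loop lacks */
        out[n++] = *p++;
    }
    out[n] = '\0';
    *pos = p;
    return 1;
}

/* Tokenize one rule line; 0 on success, -1 if a parameter exceeds PARAM_MAX. */
int parse_rule_line(const char *line, int *argc_out) {
    char param[PARAM_MAX];
    int argc = 0, rc;
    while ((rc = copy_token(&line, param, sizeof(param))) == 1)
        argc++;
    *argc_out = argc;
    return rc;   /* 0 at a clean end of line, -1 when a token was rejected */
}

/* Constructed benign rule line; returns its token count. */
int demo_normal(void) {
    int argc = 0;
    const char *line = "-A INPUT -m comment --comment \"allowed host\" -j ACCEPT";
    return parse_rule_line(line, &argc) == 0 ? argc : -1;
}

/* Constructed line whose quoted comment is longer than PARAM_MAX; returns -1. */
int demo_oversized(void) {
    static char line[2 * PARAM_MAX];
    int argc = 0;
    size_t n = strlen(strcpy(line, "-A INPUT -m comment --comment \""));
    memset(line + n, 'A', PARAM_MAX + 16);
    strcpy(line + n + PARAM_MAX + 16, "\" -j ACCEPT");
    return parse_rule_line(line, &argc);
}
```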
OCP 3.11 containers got their iptables version from RHEL. OCP 4.x does package a version of iptables, but it is v1.8.4 and is not vulnerable.
Statement: This flaw has been rated as having a security impact of Low, because it requires unlikely circumstances to be able to be exploited. Red Hat Enterprise Linux 8 is not affected by this flaw, as the shipped versions of `iptables` already include the patch. Although Red Hat Enterprise Linux 6 and 7 are affected, successful exploitation is prevented by Stack Smashing Protection (SSP), reducing the impact to a denial of service. Note that this flaw is not currently planned to be addressed in future updates of Red Hat Enterprise Linux 6 and 7. Red Hat Enterprise Linux 6 is in the Extended Life Phase of the support and maintenance life cycle; Red Hat Enterprise Linux 7 is now in Maintenance Support 2 Phase. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-11360