Bug 1746238 (CVE-2019-14819) - CVE-2019-14819 openshift-ansible: dockergc service account incorrectly associated with namespace during upgrade
Summary: CVE-2019-14819 openshift-ansible: dockergc service account incorrectly associ...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-14819
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1745202 1746260
Blocks: 1745647
TreeView+ depends on / blocked
 
Reported: 2019-08-28 04:03 UTC by Jason Shepherd
Modified: 2020-03-18 04:48 UTC (History)
14 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found during the upgrade of an existing OpenShift Container Platform 3.x cluster. Using CRI-O, the dockergc service account is assigned to the current namespace of the user performing the upgrade. This flaw can allow an unprivileged user to escalate their privileges to those allowed by the privileged Security Context Constraints.
Clone Of:
Environment:
Last Closed: 2019-09-24 00:45:39 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:2818 None None None 2019-09-23 20:02:20 UTC

Description Jason Shepherd 2019-08-28 04:03:48 UTC
During an upgrade of an existing OpenShift Container Platform 3.x cluster which is using CRI-O the dockergc service account is assigned to the current namespace of user performing the upgrade. This would allow an unprivileged user to escalate their privileges to those allowed by the privileged Security Context Constraints.

Comment 1 Jason Shepherd 2019-08-28 05:18:44 UTC
Upstream fix for OKD 3.11:

https://github.com/openshift/openshift-ansible/pull/11860

Comment 6 Jason Shepherd 2019-08-28 21:57:51 UTC
Statement:

If an upgrade was run with the openshift_crio_enable_docker_gc ansible variable set to 'False' the cluster won't be affected. The default for the variable was set to 'True' before openshift-ansible-3.11.0-0.28.0, and after 3.10.x. See https://github.com/openshift/openshift-ansible/commit/bf5fbea4138f27313c5e4dcd683821975db8e443

Comment 7 Jason Shepherd 2019-09-20 01:06:52 UTC
Mitigation:

Make sure your kubeconfig (~/.kube/config) is using the 'default' context when executing, or re-executing a cluster upgrade or install using the ansible playbooks.

Comment 8 Jason Shepherd 2019-09-20 01:11:40 UTC
This vulnerable code no longer exists in the 4.x branches, see:
https://github.com/openshift/openshift-ansible/tree/release-4.1

Comment 10 errata-xmlrpc 2019-09-23 20:02:18 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.11

Via RHSA-2019:2818 https://access.redhat.com/errata/RHSA-2019:2818

Comment 11 Product Security DevOps Team 2019-09-24 00:45:39 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-14819


Note You need to log in before you can comment on or make changes to this bug.