Bug 1746238 (CVE-2019-14819) - CVE-2019-14819 openshift-ansible: dockergc service account incorrectly associated with namespace during upgrade
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-14819
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1745202 1746260
Blocks: 1745647
Reported: 2019-08-28 04:03 UTC by Jason Shepherd
Modified: 2021-02-16 21:27 UTC (History)
CC List: 14 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the upgrade of an existing OpenShift Container Platform 3.x cluster that uses CRI-O. During the upgrade, the dockergc service account is assigned to the current namespace of the user performing the upgrade. This flaw can allow an unprivileged user to escalate their privileges to those allowed by the privileged Security Context Constraints.
Clone Of:
Environment:
Last Closed: 2019-09-24 00:45:39 UTC
Embargoed:


Links
Red Hat Product Errata RHSA-2019:2818 (Private: no; Priority/Status/Summary: none; last updated 2019-09-23 20:02:20 UTC)

Description Jason Shepherd 2019-08-28 04:03:48 UTC
During an upgrade of an existing OpenShift Container Platform 3.x cluster which is using CRI-O, the dockergc service account is assigned to the current namespace of the user performing the upgrade. This would allow an unprivileged user to escalate their privileges to those allowed by the privileged Security Context Constraints.

Comment 1 Jason Shepherd 2019-08-28 05:18:44 UTC
Upstream fix for OKD 3.11:

https://github.com/openshift/openshift-ansible/pull/11860

Comment 6 Jason Shepherd 2019-08-28 21:57:51 UTC
Statement:

If an upgrade was run with the openshift_crio_enable_docker_gc ansible variable set to 'False' the cluster won't be affected. The default for the variable was set to 'True' before openshift-ansible-3.11.0-0.28.0, and after 3.10.x. See https://github.com/openshift/openshift-ansible/commit/bf5fbea4138f27313c5e4dcd683821975db8e443

Comment 7 Jason Shepherd 2019-09-20 01:06:52 UTC
Mitigation:

Make sure your kubeconfig (~/.kube/config) is using the 'default' context when executing or re-executing a cluster upgrade or install using the ansible playbooks.

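The two checks a practitioner would want around the mitigation above and the flaw described in the bug, as an added example that is not part of the bug report, the openshift-ansible playbooks, or Red Hat's tooling: a pre-flight test that the active kubeconfig context's namespace is 'default' before running the playbooks, and a post-upgrade audit of the privileged SCC for dockergc service accounts that ended up in some other namespace. The example reads the 'default' context advice as "the active context operates in the default namespace", which is an assumption, as is the expectation that dockergc belongs in the default namespace. Both JSON inputs are constructed samples in the shape of `oc config view -o json` and `oc get scc privileged -o json`; function names are this example's own.

```python
import json

# Constructed sample of `oc config view -o json` output (not data from any real
# cluster): the active context points at the user's own project, which is the
# situation the bug describes.
SAMPLE_KUBECONFIG = json.dumps({
    "kind": "Config",
    "current-context": "myproject/master.example.com:8443/admin",
    "contexts": [
        {"name": "default/master.example.com:8443/system:admin",
         "context": {"cluster": "master.example.com:8443",
                     "user": "system:admin/master.example.com:8443",
                     "namespace": "default"}},
        {"name": "myproject/master.example.com:8443/admin",
         "context": {"cluster": "master.example.com:8443",
                     "user": "admin/master.example.com:8443",
                     "namespace": "myproject"}},
    ],
})

# Constructed sample of `oc get scc privileged -o json`, trimmed to the field
# that matters here: the list of users granted the SCC. A dockergc service
# account in "myproject" is the outcome the bug describes.
SAMPLE_PRIVILEGED_SCC = json.dumps({
    "kind": "SecurityContextConstraints",
    "metadata": {"name": "privileged"},
    "users": [
        "system:admin",
        "system:serviceaccount:openshift-infra:build-controller",
        "system:serviceaccount:myproject:dockergc",
    ],
})

SA_PREFIX = "system:serviceaccount:"


def current_context_namespace(kubeconfig_json):
    """Namespace the active kubeconfig context will operate in.

    A context with no namespace field behaves as 'default'.
    """
    cfg = json.loads(kubeconfig_json)
    wanted = cfg.get("current-context")
    for ctx in cfg.get("contexts", []):
        if ctx.get("name") == wanted:
            return ctx.get("context", {}).get("namespace") or "default"
    raise ValueError("current-context %r not found in kubeconfig" % wanted)


def service_account_grants(scc_json, sa_name):
    """Namespaces in which a service account named sa_name holds this SCC."""
    scc = json.loads(scc_json)
    found = []
    for user in scc.get("users") or []:
        if not user.startswith(SA_PREFIX):
            continue
        # Subject format is system:serviceaccount:<namespace>:<name>
        ns, _, name = user[len(SA_PREFIX):].partition(":")
        if name == sa_name:
            found.append(ns)
    return found


def upgrade_preflight(kubeconfig_json, expected_namespace="default"):
    """True when the active context's namespace is the one the upgrade expects
    (assumed here to be 'default', per the mitigation in this bug)."""
    return current_context_namespace(kubeconfig_json) == expected_namespace


def audit_dockergc(scc_json, expected_namespace="default"):
    """Namespaces other than the expected one whose dockergc service account
    holds the SCC. A non-empty result means an unexpected namespace carries a
    privileged dockergc service account and should be cleaned up."""
    return [ns for ns in service_account_grants(scc_json, "dockergc")
            if ns != expected_namespace]


if __name__ == "__main__":
    print("active namespace:", current_context_namespace(SAMPLE_KUBECONFIG))
    print("safe to run upgrade:", upgrade_preflight(SAMPLE_KUBECONFIG))
    print("unexpected dockergc grants:", audit_dockergc(SAMPLE_PRIVILEGED_SCC))
```

To run the checks against a live cluster, feed the output of `oc config view -o json` and `oc get scc privileged -o json` into the two functions instead of the constructed samples; the preflight should return True before the playbooks are started, and the audit should return an empty list afterwards.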
Comment 8 Jason Shepherd 2019-09-20 01:11:40 UTC
This vulnerable code no longer exists in the 4.x branches, see:
https://github.com/openshift/openshift-ansible/tree/release-4.1

Comment 10 errata-xmlrpc 2019-09-23 20:02:18 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.11

Via RHSA-2019:2818 https://access.redhat.com/errata/RHSA-2019:2818

Comment 11 Product Security DevOps Team 2019-09-24 00:45:39 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-14819

