2181765 – (CVE-2023-1636) CVE-2023-1636 openstack-barbican: incomplete container isolation

Bug 2181765 (CVE-2023-1636) - CVE-2023-1636 openstack-barbican: incomplete container isolation

Summary: CVE-2023-1636 openstack-barbican: incomplete container isolation

Keywords:
Status:	NEW
Alias:	CVE-2023-1636
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Nobody
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2183654 2188735 2183651 2183652 2183653
Blocks:	2170395
TreeView+	depends on / blocked

Reported:	2023-03-25 18:22 UTC by Nick Tait
Modified:	2024-04-17 17:24 UTC (History)
CC List:	13 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:	A vulnerability was found in OpenStack Barbican containers. This vulnerability is only applicable to deployments that utilize an all-in-one configuration. Barbican containers share the same CGROUP, USER, and NET namespace with the host system and other OpenStack services. If any service is compromised, it could gain access to the data transmitted to and from Barbican.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description Nick Tait 2023-03-25 18:22:06 UTC

A container isolation flaw was discovered in Red Hat OpenStack, allowing an attacker with limited authentication and access to Barbican containers to potentially access other OpenStack containers and services. This is possible as they share common CGROUP and namespace.

Comment 5 Nick Tait 2023-04-21 22:50:05 UTC

Created openstack-barbican tracking bugs for this issue:

Affects: openstack-rdo [bug 2188735]

Comment 6 Salvatore Bonaccorso 2023-04-24 19:32:57 UTC

Hi

(In reply to Nick Tait from comment #0)
> A container isolation flaw was discovered in Red Hat OpenStack, allowing an
> attacker with limited authentication and access to Barbican containers to
> potentially access other OpenStack containers and services. This is possible
> as they share common CGROUP and namespace.

I'm trying to  evaluate/triage this CVE (CVE-2023-1636) in context of a downstream distribution and this bugzilla entry was the only  reference associated.  The above
does only give little information, is this a barbican upstream issue? Is it reported
upstream and is there a respective fix available?

Can you please provide more information on the issue?

Thanks already in advance,

Regards,
Salvatore

Note You need to log in before you can comment on or make changes to this bug.