SB2019111815 - Red Hat update for OpenShift Container Platform 3.11 atomic-openshift


Published: November 18, 2019

Security Bulletin ID: SB2019111815
Severity: Medium
Patch available: Yes
Number of vulnerabilities: 2
Exploitation vector: Remote access
Highest impact: Denial of service

Breakdown by severity: Medium 50%, Low 50%

Description

This security bulletin contains information about 2 security vulnerabilities.


1) UNIX symbolic link following (CVE-ID: CVE-2019-11251)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a symlink following issue in kubectl cp. A local user can create two symbolic links and overwrite files on the system with the privileges of the application.

Successful exploitation of this vulnerability may result in privilege escalation.


2) Resource exhaustion (CVE-ID: CVE-2019-11253)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation when processing YAML or JSON data in the Kubernetes API server. A remote attacker can pass a malicious file to the API server and consume excessive memory and CPU resources, leading to a denial of service (DoS) condition.

Note that this vulnerability can be exploited by a remote non-authenticated attacker in Kubernetes versions prior to 1.14.0 due to the default RBAC policy.


Remediation

Install the update from the vendor's website.