SB2019120412 - Multiple vulnerabilities in Red Hat OpenShift Container Platform

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2019-16884)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to incorrect checking of the mount targets in libcontainer/rootfs_linux.go in runc. A local user can bypass AppArmor restrictions and perform unauthorized actions on the system, as demonstrated by overwriting the /proc directory with a malicious Doker image.

2) Cleartext storage of sensitive information (CVE-ID: CVE-2019-14854)

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to library-go component did not sanitize secret data written to static Pod logs when an Operator's log level was set to Debug or higher. A local user can read Pod logs if the log level had already been modified in an Operator by a privileged user.

3) Cleartext storage of sensitive information (CVE-ID: CVE-2019-10213)

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to OpenShift Container Platform writes secrets in clear text into pod logs when the log level in a given operator is set to Debug or higher. A local user can read the log files and gain access to sensitive information.

Remediation

Install update from vendor's website.

References

• https://access.redhat.com/errata/RHSA-2019:4074
• https://access.redhat.com/errata/RHSA-2019:4075
• https://bugzilla.redhat.com/show_bug.cgi?id=1758953
• https://access.redhat.com/security/cve/CVE-2019-14854
• https://access.redhat.com/errata/RHSA-2019:4081
• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10213
• https://access.redhat.com/errata/RHSA-2019:4082