Main Vulnerability Database SB2021061016

SB2021061016 - Security restrictions bypass in OpenShift Container Platform 3.11

Published: June 10, 2021

Security Bulletin ID SB2021061016

CSH Severity

Low

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Adjecent network

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 vulnerability.

1) Security features bypass (CVE-ID: CVE-2021-30465)

CWE-ID: CWE-254 - Security Features

CVSSv4: CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to the security features bypass issue. A remote authenticated attacker on the local network can perform a symlink exchange attack and host filesystem being bind-mounted into the container.

Remediation

Install update from vendor's website.

References

https://access.redhat.com/errata/RHSA-2021:2150

Vulnerable Software

runc (Red Hat package): 1.0.0-1.rc2.el7 - 1.0.0-67.rc10.el7_8
Red Hat OpenShift Container Platform: 3.11.0 - 3.11.439
atomic-openshift (Red Hat package): 3.11.16-1.git.0.b48b8f8.el7 - 3.11.420-1.git.0.14645d0.el7
openshift-ansible (Red Hat package): 3.11.16-1.git.0.4ac6f81.el7 - 3.11.420-1.git.0.336dcef.el7
atomic-openshift-cluster-autoscaler (Red Hat package): 3.11.16-1.git.0.8c8305e.el7 - 3.11.420-1.git.0.5eb2514.el7
golang-github-prometheus-alertmanager (Red Hat package): 3.11.16-1.git.0.be735ec.el7 - 3.11.420-1.git.0.9300c91.el7
atomic-openshift-service-idler (Red Hat package): 3.11.16-1.git.14.a65cbf0.el7 - 3.11.420-1.git.15.021a26a.el7
atomic-openshift-metrics-server (Red Hat package): 3.11.16-1.git.52.9fd74a8.el7 - 3.11.420-1.git.53.4b2f788.el7
atomic-openshift-node-problem-detector (Red Hat package): 3.11.16-1.git.198.95f4dfa.el7 - 3.11.420-1.git.616.0e0f24d.el7
openshift-enterprise-autoheal (Red Hat package): 3.11.16-1.git.219.5443970.el7 - 3.11.420-1.git.218.439a0dd.el7
atomic-openshift-web-console (Red Hat package): 3.11.16-1.git.289.ecf7441.el7 - 3.11.420-1.git.693.897d713.el7
atomic-openshift-descheduler (Red Hat package): 3.11.16-1.git.300.abfab3c.el7 - 3.11.420-1.git.299.1441464.el7
openshift-enterprise-cluster-capacity (Red Hat package): 3.11.16-1.git.380.1406f2f.el7 - 3.11.420-1.git.379.aa3bf1b.el7
golang-github-openshift-oauth-proxy (Red Hat package): 3.11.16-1.git.409.922769e.el7 - 3.11.420-1.git.439.bfcc32b.el7
golang-github-prometheus-node_exporter (Red Hat package): 3.11.16-1.git.1056.1583d2a.el7 - 3.11.420-1.git.1062.26157c1.el7
atomic-enterprise-service-catalog (Red Hat package): 3.11.16-1.git.1633.05087cb.el7 - 3.11.420-1.git.1675.fc6e217.el7
golang-github-prometheus-prometheus (Red Hat package): 3.11.16-1.git.5020.5e81ed1.el7 - 3.11.420-1.git.5026.1e8cb9c.el7
atomic-openshift-dockerregistry (Red Hat package): 3.11.51-1.git.446.d29ce0e.el7 - 3.11.420-1.git.481.b7f0e25.el7
openshift-kuryr (Red Hat package): 3.11.153-1.git.1.073ef06.el7 - 3.11.420-1.git.1500.afe0076.el7

SB2021061016 - Security restrictions bypass in OpenShift Container Platform 3.11

Breakdown by Severity

Description

Remediation

References

Please verify you're human