{"containers": {"cna": {"affected": [{"product": "OpenShift Enterprise", "vendor": "Red Hat, Inc.", "versions": [{"status": "affected", "version": "3.7"}]}], "datePublic": "2018-03-07T00:00:00", "descriptions": [{"lang": "en", "value": "Red Hat OpenShift Enterprise version 3.7 is vulnerable to access control override for container network filesystems. An attacker could override the UserId and GroupId for GlusterFS and NFS to read and write any data on the network filesystem."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "description": "CWE-284 (Improper Access Control)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2018-03-13T09:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1552987"}, {"name": "103364", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/103364"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T03:51:47.337Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1552987"}, {"name": "103364", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/103364"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2018-1069", "dateReserved": "2017-12-04T00:00:00", "dateUpdated": "2024-08-05T03:51:47.337Z", "state": "PUBLISHED", "datePublished": "2018-03-09T14:00:00Z"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:openshift:3.7:*:*:*:enterprise:*:*:*", "matchCriteriaId": "2D9724B7-D99B-4376-B1B5-5CE5F336D767", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Red Hat OpenShift Enterprise version 3.7 is vulnerable to access control override for container network filesystems. An attacker could override the UserId and GroupId for GlusterFS and NFS to read and write any data on the network filesystem."}, {"lang": "es", "value": "Red Hat OpenShift Enterprise 3.7 es vulnerable a un reemplazo del control de acceso para los sistemas de archivos de red de contenedor. Un atacante podr\u00eda reemplazar UserId y GroupId en GlusterFS y NFS para leer y escribir cualquier dato en el sistema de archivos de red."}], "id": "CVE-2018-1069", "lastModified": "2019-10-09T23:38:02.490", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:A/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 5.5, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-03-09T14:29:00.217", "references": [{"source": "secalert@redhat.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/103364"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Mitigation"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1552987"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-732"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-284"}], "source": "secalert@redhat.com", "type": "Secondary"}]}

{"acknowledgement": "Red Hat would like to thank Andreas Skoglund (Basefarm AS) for reporting this issue.", "bugzilla": {"description": "Networking: container networking does not prevent access to network resources", "id": "1552987", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1552987"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.1", "cvss3_scoring_vector": "CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-20", "details": ["Red Hat OpenShift Enterprise version 3.7 is vulnerable to access control override for container network filesystems. An attacker could override the UserId and GroupId for GlusterFS and NFS to read and write any data on the network filesystem.", "GlusterFS and NFS network filesystems rely on File System User ID and Group ID information in order to restrict access to file shares. However, it's possible to overwrite the Openshift restrictions on container UserId and GroupdId as they are not validated before being sent over the Openshift Network. An attacker could use the flaw to read and write any data on the network filesystem."], "mitigation": {"lang": "en:us", "value": "If exposing shares with NFS or GlusterFS to Openshift Nodes use EgressNetworkPolicy, [1] to redirect outbound storage network traffic via an egress router. Alternatively if you're on AWS, EgressNetworkPolicy is not supported, you can use a Static IP, [2], for projects to force projects which need storage to connect from a NIC with a unique IP Address. \nOnce traffic is coming from a known IP address, not the Node IP, you can protect the NFS, or GlusterFS storage node with a firewall, or exports which only allows access from the Egress router, or from the Static IP. \nAn egress policy such as the one in the redirect-mode, [3], is an example of egress policy which would mitigate this vulnerability. An administrator would need to deploy one of these to the project using storage, as they need to run in privileged mode. This forces all traffic to the storage device through the egress router, which is a distinct IP. You can then configure the storage device to only access traffic from that source IP.\nBe aware that during a docker build, the build container is not subject to EgressNetworkPolicy rules in versions prior to 3.7. Also the Static IP feature is only available as a Tech Preview from version 3.7.\nAn alternative mitigation if you're using Red Hat Gluster Storage is outlined here: https://github.com/gluster/gluster-kubernetes/blob/master/docs/design/tls-security.md\nA semi-automatic namespace wide egress-IP is due to be released in OCP 3.11 which will make management of the EgressNetworkPolicy easier. It will only work for the multitenant and networkpolicy plugins.\n[1] https://docs.openshift.com/container-platform/3.7/admin_guide/managing_networking.html#admin-guide-controlling-egress-traffic\n[2] https://docs.openshift.com/container-platform/3.7/admin_guide/managing_networking.html#enabling-static-ips-for-external-project-traffic\n[3] https://docs.openshift.org/latest/admin_guide/managing_networking.html#admin-guide-deploying-an-egress-router-pod"}, "name": "CVE-2018-1069", "package_state": [{"cpe": "cpe:/a:redhat:openshift:3", "fix_state": "Will not fix", "package_name": "Networking", "product_name": "Red Hat OpenShift Enterprise 3"}], "public_date": "2018-03-08T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2018-1069\nhttps://nvd.nist.gov/vuln/detail/CVE-2018-1069"], "threat_severity": "Important"}