{"containers": {"cna": {"affected": [{"product": "Openshift", "vendor": "n/a", "versions": [{"status": "affected", "version": "Red Hat OpenShift Container Platform 4.6 and Red Hat OpenShift Container Platform 4.5.16"}]}], "descriptions": [{"lang": "en", "value": "A flaw was found in the Restricted Security Context Constraints (SCC), where it allows pods to craft custom network packets. This flaw allows an attacker to cause a denial of service attack on an OpenShift Container Platform cluster if they can deploy pods. The highest threat from this vulnerability is to system availability."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-770", "description": "CWE-770", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-06-02T11:48:44", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1858981"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T12:39:36.450Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1858981"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2020-14336", "datePublished": "2021-06-02T11:48:44", "dateReserved": "2020-06-17T00:00:00", "dateUpdated": "2024-08-04T12:39:36.450Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:openshift_container_platform:3.11:*:*:*:*:*:*:*", "matchCriteriaId": "2F87326E-0B56-4356-A889-73D026DB1D4B", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:openshift_container_platform:4.5.16:*:*:*:*:*:*:*", "matchCriteriaId": "FECE9CCD-E26F-4FAA-8ADC-8AAC7116FE5B", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:openshift_container_platform:4.6:*:*:*:*:*:*:*", "matchCriteriaId": "6B62E762-2878-455A-93C9-A5DB430D7BB5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in the Restricted Security Context Constraints (SCC), where it allows pods to craft custom network packets. This flaw allows an attacker to cause a denial of service attack on an OpenShift Container Platform cluster if they can deploy pods. The highest threat from this vulnerability is to system availability."}, {"lang": "es", "value": "Se ha encontrado un fallo en las Restricciones de Contexto de Seguridad (SCC), que permite a los pods dise\u00f1ar paquetes de red personalizados. Este fallo permite a un atacante causar un ataque de Denegaci\u00f3n de Servicio en un cl\u00faster de OpenShift Container Platform si pueden desplegar pods. La mayor amenaza de esta vulnerabilidad es la disponibilidad del sistema"}], "id": "CVE-2020-14336", "lastModified": "2023-02-12T23:40:21.450", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-06-02T12:15:08.807", "references": [{"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Mitigation", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1858981"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "secalert@redhat.com", "type": "Primary"}]}

{"acknowledgement": "This issue was discovered by Yuval Kashtan (Red Hat).", "affected_release": [{"advisory": "RHSA-2020:4320", "cpe": "cpe:/a:redhat:openshift:4.5::el7", "package": "openshift4/ose-machine-config-operator:v4.5.0-202010160047.p0", "product_name": "Red Hat OpenShift Container Platform 4.5", "release_date": "2020-10-26T00:00:00Z"}, {"advisory": "RHSA-2020:4298", "cpe": "cpe:/a:redhat:openshift:4.6::el8", "package": "openshift4/ose-machine-config-operator:v4.6.0-202010220220.p0", "product_name": "Red Hat OpenShift Container Platform 4.6", "release_date": "2020-10-27T00:00:00Z"}], "bugzilla": {"description": "openshift: restricted SCC allows pods to craft custom network packets", "id": "1858981", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1858981"}, "csaw": false, "cvss3": {"cvss3_base_score": "3.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L", "status": "verified"}, "cwe": "CWE-770", "details": ["A flaw was found in the Restricted Security Context Constraints (SCC), where it allows pods to craft custom network packets. This flaw allows an attacker to cause a denial of service attack on an OpenShift Container Platform cluster if they can deploy pods. The highest threat from this vulnerability is to system availability.", "A flaw was found in the Restricted Security Context Constraints (SCC), where it allows pods to craft custom network packets. This flaw allows an attacker to cause a denial of service attack on an OpenShift Container Platform cluster if they can deploy pods. The highest threat from this vulnerability is to system availability."], "mitigation": {"lang": "en:us", "value": "On OCP 3.11 create a custom SCC based on 'restricted' and also drop the NET_RAW capability[1]. Assign this custom SCC to any users, or groups which create pods you want to protect. See the documentation for more information [2]. \n[1] https://access.redhat.com/solutions/5611521\n[2] https://docs.openshift.com/container-platform/3.11/admin_guide/manage_scc.html"}, "name": "CVE-2020-14336", "package_state": [{"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Will not fix", "package_name": "atomic-openshift", "product_name": "Red Hat OpenShift Container Platform 3.11"}], "public_date": "2020-07-13T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-14336\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-14336"], "statement": "By default, the OpenShift Container Platform uses the OpenShift SDN network interface. This interface makes this attack impractical by implementing IPTable rules on the host side of the virtual network interface, isolating network traffic to within the pod.\nIf the OpenShift Container Platform has the sriov-network-operator deployed, it is at a greater risk for exploitation. \nIf installing a new OCP 4.6 cluster no changes are required. If upgrading a cluster from an earlier version to 4.5.16 be sure to delete 99-worker-generated-crio-capabilities and 99-master-generated-crio-capabilities machine controllers once you have tested that dropping NET_RAW does not break your cluster workload.", "threat_severity": "Low"}