Описание
An issue was discovered in Docker Moby before 17.06.0. The Docker engine validated a client TLS certificate using both the configured client CA root certificate and all system roots on non-Windows systems. This allowed a client with any domain validated certificate signed by a system-trusted root CA (as opposed to one signed by the configured CA root certificate) to authenticate.
A certificate signing vulnerability was found in Moby. This issue could allow an unauthenticated remote attacker to validate a TLS certificate using Certificate Authorities (CA) from the system instead of only by a specified client CA root, which could allow bypassing of some certificate authorization rules, reducing system integrity.
Меры по смягчению последствий
Some environments may be able to mitigate this issue by removing extra CAs from the host.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Multicluster Engine for Kubernetes | multicluster-engine/agent-service-rhel8 | Not affected | ||
| OpenShift Service Mesh 2 | openshift-service-mesh/proxyv2-rhel8 | Will not fix | ||
| Red Hat Ceph Storage 5 | rhceph/rhceph-5-dashboard-rhel8 | Affected | ||
| Red Hat Ceph Storage 6 | rhceph/rhceph-6-dashboard-rhel9 | Affected | ||
| Red Hat Ceph Storage 7 | rhceph/grafana-rhel9 | Affected | ||
| Red Hat OpenShift Container Platform 4 | openshift4/ose-agent-installer-api-server-rhel9 | Affected | ||
| Red Hat OpenShift Container Platform 4 | openshift4/ose-console | Will not fix | ||
| Red Hat OpenShift Service Mesh 2.6 for RHEL 8 | openshift-service-mesh/grafana-rhel8 | Fixed | RHSA-2024:5094 | 07.08.2024 |
| Red Hat OpenShift Service Mesh 2.6 for RHEL 8 | openshift-service-mesh/istio-cni-rhel8 | Fixed | RHSA-2024:5094 | 07.08.2024 |
| Red Hat OpenShift Service Mesh 2.6 for RHEL 8 | openshift-service-mesh/istio-must-gather-rhel8 | Fixed | RHSA-2024:5094 | 07.08.2024 |
Показывать по
Дополнительная информация
Статус:
7.5 High
CVSS3
Связанные уязвимости
An issue was discovered in Docker Moby before 17.06.0. The Docker engine validated a client TLS certificate using both the configured client CA root certificate and all system roots on non-Windows systems. This allowed a client with any domain validated certificate signed by a system-trusted root CA (as opposed to one signed by the configured CA root certificate) to authenticate.
An issue was discovered in Docker Moby before 17.06.0. The Docker engine validated a client TLS certificate using both the configured client CA root certificate and all system roots on non-Windows systems. This allowed a client with any domain validated certificate signed by a system-trusted root CA (as opposed to one signed by the configured CA root certificate) to authenticate.
An issue was discovered in Docker Moby before 17.06.0. The Docker engi ...
7.5 High
CVSS3