CVE-2019-14819

Published: 24 Aug 2019
Source: redhat
CVSS3: 7.5
EPSS: Low

Description

A flaw was found during the upgrade of an existing OpenShift Container Platform 3.x cluster. Using CRI-O, the dockergc service account is assigned to the current namespace of the user performing the upgrade. This flaw can allow an unprivileged user to escalate their privileges to those allowed by the privileged Security Context Constraints.

Report

If an upgrade was run with the openshift_crio_enable_docker_gc ansible variable set to 'False' the cluster won't be affected. The default for the variable was set to 'True' before openshift-ansible-3.11.0-0.28.0, and after 3.10.x. See https://github.com/openshift/openshift-ansible/commit/bf5fbea4138f27313c5e4dcd683821975db8e443

Mitigation

Make sure your kubeconfig (~/.kube/config) is using the 'default' context when executing, or re-executing a cluster upgrade or install using the ansible playbooks.

Affected packages

Platform | Package | State | Advisory | Release
Red Hat OpenShift Container Platform 3.10 | openshift-ansible | Affected | |
Red Hat OpenShift Container Platform 3.9 | openshift-ansible | Not affected | |
Red Hat OpenShift Container Platform 4 | openshift-ansible | Not affected | |
Red Hat OpenShift Container Platform 3.11 | openshift-ansible | Fixed | RHSA-2019:2818 | 23.09.2019

Additional information

Status: Important
Defect: CWE-266->CWE-270
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1746238 (openshift-ansible: dockergc service account incorrectly associated with namespace during upgrade)

EPSS

Percentile: 57%
0.00357
Low

CVSS3: 7.5 High

Related vulnerabilities

CVSS3: 8.8
nvd
about 6 years ago

CVSS3: 8.8
github
more than 3 years ago
