CVE-2018-1102

Impact:
Critical
Public Date:
2018-04-27
CWE:
CWE-20
Bugzilla:
1562246: CVE-2018-1102 source-to-image: Improper path sanitization in ExtractTarStreamFromTarReader in tar/tar.go
A flaw was found in the source-to-image (S2I) component as shipped with OpenShift Enterprise 3.x. Improper validation of file paths in tar archives in ExtractTarStreamFromTarReader in tar/tar.go leads to privilege escalation.

Find out more about CVE-2018-1102 from the MITRE CVE dictionary and NIST NVD.

Statement

Package source-to-image as shipped in Red Hat Software Collections has been rated as Important, because it allows an attacker to get access to the victim's machine, but it requires user interaction.

CVSS v3 metrics

CVSS3 Base Score: 9.9
CVSS3 Base Metrics: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High

Red Hat Security Errata

Platform | Errata | Release Date
Red Hat OpenShift Container Platform 3.5 (atomic-openshift) | RHSA-2018:1235 | 2018-04-30
Red Hat OpenShift Container Platform 3.4 (atomic-openshift) | RHSA-2018:1237 | 2018-04-30
Red Hat OpenShift Container Platform 3.6 (atomic-openshift) | RHSA-2018:1233 | 2018-04-30
Red Hat OpenShift Container Platform 3.2 (atomic-openshift) | RHSA-2018:1241 | 2018-04-29
Red Hat OpenShift Enterprise 3.1 (atomic-openshift) | RHSA-2018:1243 | 2018-04-29
Red Hat OpenShift Container Platform 3.8 (atomic-openshift) | RHSA-2018:1229 | 2018-04-28
Red Hat Software Collections for Red Hat Enterprise Linux 7 (source-to-image) | RHSA-2019:0036 | 2019-01-08
Red Hat OpenShift Container Platform 3.9 (atomic-openshift) | RHSA-2018:1227 | 2018-04-28
Red Hat OpenShift Container Platform 3.3 (atomic-openshift) | RHSA-2018:1239 | 2018-04-29
Red Hat OpenShift Container Platform 3.7 (atomic-openshift) | RHSA-2018:1231 | 2018-04-29

Acknowledgements

Red Hat would like to thank Michael Hanselmann (hansmi.ch) for reporting this issue.

Mitigation

Customers can turn off the source-to-image (S2I) build strategy to prevent access to the affected function. Information about how to disable the S2I build strategy is in the product documentation:

* Disabling S2I in OpenShift Enterprise 3.0 - https://docs.openshift.com/enterprise/3.0/admin_guide/securing_builds.html#disabling-a-build-strategy-globally
* Disabling S2I in OpenShift Enterprise 3.1 - https://docs.openshift.com/enterprise/3.1/admin_guide/securing_builds.html#disabling-a-build-strategy-globally
* Disabling S2I in OpenShift Enterprise 3.2 - https://docs.openshift.com/enterprise/3.2/admin_guide/securing_builds.html#disabling-a-build-strategy-globally
* Disabling S2I in OpenShift Enterprise 3.3 - https://access.redhat.com/documentation/en-us/openshift_container_platform/3.3/html/cluster_administration/admin-guide-securing-builds
* Disabling S2I in OpenShift Enterprise 3.4 - https://access.redhat.com/documentation/en-us/openshift_container_platform/3.4/html/cluster_administration/admin-guide-securing-builds
* Disabling S2I in OpenShift Enterprise 3.5 - https://access.redhat.com/documentation/en-us/openshift_container_platform/3.5/html/cluster_administration/admin-guide-securing-builds
* Disabling S2I in OpenShift Enterprise 3.6 - https://access.redhat.com/documentation/en-us/openshift_container_platform/3.6/html/cluster_administration/admin-guide-securing-builds
* Disabling S2I in OpenShift Enterprise 3.7 - https://access.redhat.com/documentation/en-us/openshift_container_platform/3.7/html/cluster_administration/admin-guide-securing-builds
* OpenShift Enterprise 3.8 is not a production version (only for upgrades).
* Disabling S2I in OpenShift Enterprise 3.9 - https://access.redhat.com/documentation/en-us/openshift_container_platform/3.9/html/cluster_administration/admin-guide-securing-builds