CVE-2018-14632

Impact:
Important
Public Date:
2018-09-06
CWE:
CWE-787
Bugzilla:
1625885: CVE-2018-14632 atomic-openshift: oc patch with json causes masterapi service crash
An out-of-bounds write can occur when patching an OpenShift object using the 'oc patch' functionality in OpenShift Container Platform 3.x. An attacker can use this flaw to cause a denial of service against the OpenShift master API service, which provides cluster management.

Find out more about CVE-2018-14632 from the MITRE CVE dictionary and NIST NVD.

Statement

A multi-master OpenShift Container Platform cluster is more resilient; however, a sustained attack would still have an important impact.

CVSS v3 metrics

CVSS3 Base Score 7.7
CVSS3 Base Metrics CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Changed
Confidentiality None
Integrity Impact None
Availability Impact High

Red Hat Security Errata

Platform Errata Release Date
Red Hat OpenShift Container Platform 3.9 (atomic-openshift) RHSA-2018:2908 2018-11-20
Red Hat OpenShift Container Platform 3.10 (atomic-openshift) RHSA-2018:2709 2018-11-11
Red Hat OpenShift Container Platform 3.11 (atomic-openshift) RHBA-2018:2652 2018-10-11
Red Hat OpenShift Container Platform 3.7 (atomic-openshift) RHSA-2018:2906 2018-11-21
Red Hat OpenShift Container Platform 3.6 (atomic-openshift) RHSA-2018:2654 2018-09-26

Affected Packages State

Platform Package State
Red Hat OpenShift Enterprise 3.2 atomic-openshift Affected
Red Hat OpenShift Enterprise 3.1 atomic-openshift Affected
Red Hat OpenShift Enterprise 3.0 atomic-openshift Affected
Red Hat OpenShift Container Platform 3.5 atomic-openshift Affected
Red Hat OpenShift Container Platform 3.4 atomic-openshift Affected
Red Hat OpenShift Container Platform 3.3 atomic-openshift Affected

Acknowledgements

Red Hat would like to thank Lars Haugan for reporting this issue.
