Jason Shepherd

Name of the Vulnerable Software and Affected Versions: openshift/console versions before openshift/console-4 Description: A flaw was found in the OpenShift web console, where the access token is stored in the browser's local storage. An attacker can use this flaw to get the access token via physical access, or an XSS attack on the victim's browser. Recommendations: For openshift/console versions before openshift/console-4, update to openshift/console-4 or later to resolve the issue. As a temporary workaround, consider restricting access to sensitive resources that use the access token stored in the browser's local storage.

**Name of the Vulnerable Software and Affected Versions** openshift-4.2 **Description** A flaw was found in atomic-openshift where the basic-user RABC role in OpenShift Container Platform doesn't sufficiently protect the GlusterFS StorageClass against leaking of the `restuserkey`. An attacker with basic-user permissions is able to obtain the value of `restuserkey`, and use it to authenticate to the GlusterFS REST service, gaining access to read and modify files. **Recommendations** For openshift-4.2, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: openshift4/ose-docker-builder (affected versions not specified) Description: A privilege escalation flaw was found in the build container, which runs with high privileges using a chrooted environment instead of runc. If an attacker gains access to this build container, they can potentially utilize the raw devices of the underlying node, such as the network and storage devices, to escalate their privileges to that of the cluster admin. The highest threat from this issue is to data confidentiality and integrity as well as system availability. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** crewjam/saml (affected versions not specified) **Description** A signature verification issue exists, allowing an attacker to bypass SAML Authentication, posing a threat to confidentiality, integrity, and system availability. This issue can be exploited by forging part of a signed XML document. The go `encoding/xml` package is also affected, where a crafted XML document may cause XML Digital Signature validation to be entirely bypassed. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** HTTP Server (affected versions not specified) **Description** The issue is related to an integer overflow vulnerability in the length of websocket frames received via a websocket connection. This flaw can be exploited by an attacker to cause a denial of service attack on an HTTP Server that allows websocket connections. An attacker can craft malicious WebSocket frames that cause an integer overflow in a variable which tracks the number of bytes remaining, potentially causing the server or client to get stuck in a loop attempting to read frames. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** OpenShift Container Platform's distribution of Kibana (affected versions not specified) **Description** A flaw in OpenShift Container Platform's distribution of Kibana allows it to be opened in an iframe, enabling an attacker to intercept and manipulate requests. This issue can be exploited to trick a user into performing arbitrary actions in Kibana, such as clickjacking. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Quay versions prior to 3.0.0 **Description** A security issue was found in the Quay web GUI, where the CSRF token, used in POST requests, is not refreshed after each request or when a user logs out and back in. This allows an attacker to potentially use a leaked token to access the system using the user's account. **Recommendations** For Quay versions prior to 3.0.0, consider updating to version 3.0.0 or later to resolve the issue. As a temporary workaround, restrict access to sensitive operations that rely on the CSRF token to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** OpenShift Container Platform versions 3.x **Description** A flaw was discovered in the upgrade process of OpenShift Container Platform, specifically when using CRI-O. The issue allows an unprivileged user to escalate their privileges to those allowed by the privileged Security Context Constraints, as the dockergc service account is assigned to the current namespace of the user performing the upgrade. **Recommendations** For OpenShift Container Platform versions 3.x, consider restricting the privileges assigned to the dockergc service account during the upgrade process to prevent unauthorized privilege escalation. As a temporary workaround, limit the use of CRI-O during upgrades until a more permanent solution is available.

**Name of the Vulnerable Software and Affected Versions** Openshift Container Platform version 3.11 **Description** A cross-site scripting flaw exists in the tetonic-console component. An attacker with the ability to create pods can use this flaw to perform actions on the K8s API as the victim. **Recommendations** For Openshift Container Platform version 3.11, consider restricting access to the tetonic-console component until a fix is available. As a temporary workaround, limit the ability to create pods to trusted users to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** OpenShift Container Platform versions prior to 3.7 **Description** The issue is related to an out-of-bounds write that can occur when patching an OpenShift object using the `oc patch` functionality. This can be exploited to cause a denial of service attack on the OpenShift master API service, which provides cluster management. A malicious JSON patch can cause a panic due to an out-of-bounds write attempt, potentially serving as a denial of service vector if exposed to arbitrary user input. **Recommendations** For OpenShift Container Platform versions prior to 3.7, update to version 3.7 or later to resolve the issue. As a temporary workaround, consider restricting access to the `oc patch` functionality to minimize the risk of exploitation. Avoid using the `oc patch` command with untrusted input until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Red Hat JBoss Fuse versions 6.x Red Hat JBoss A-MQ versions 6.x **Description** A flaw was discovered in the Karaf container used by Red Hat JBoss Fuse and Red Hat JBoss A-MQ, where it deserializes objects passed to MBeans via JMX operations. This could allow an attacker to execute remote code on the server as the user running the Java Virtual Machine if the target MBean contains deserialization gadgets in its classpath. **Recommendations** For Red Hat JBoss Fuse version 6.x, update to a version that includes a fix for this issue. For Red Hat JBoss A-MQ version 6.x, update to a version that includes a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Red Hat JBoss Fuse 6 Red Hat A-MQ 6 **Description** A flaw was discovered in the JMX endpoint, allowing it to deserialize credentials passed to it. This could be exploited by an attacker to launch a denial of service attack. **Recommendations** For Red Hat JBoss Fuse 6, consider disabling the JMX endpoint until a fix is available. For Red Hat A-MQ 6, restrict access to the JMX endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** atomic-openshift versions prior to 3.10.9 **Description** A malicious network-policy configuration can cause Openshift Routing to crash when using the ovs-networkpolicy plugin, potentially leading to a Denial of Service (DoS) attack on an Openshift Cluster. **Recommendations** For versions prior to 3.10.9, update to version 3.10.9 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** JBoss EAP version 7.0 **Description** A code injection issue was found in the JAXP implementation used for XSLT processing, which could allow an attacker to achieve remote code execution if they can provide XSLT content for parsing. The issue involves the use of a `javax.xml.transform.TransformerFactory` for doing transforms. Setting the `FEATURE SECURE PROCESSING` feature to `true` mitigates this issue. **Recommendations** For JBoss EAP version 7.0, set the `FEATURE SECURE PROCESSING` feature to `true` to mitigate the issue.

**Name of the Vulnerable Software and Affected Versions** Openshift Routing versions prior to 3.10 **Description** The issue is related to improper input validation of the Openshift Routing configuration, which can cause an entire shard to be brought down. A malicious user can exploit this to cause a Denial of Service attack for other users of the router shard. **Recommendations** For versions prior to 3.10, update to version 3.10 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Red Hat JBoss EAP version 5 **Description** The issue concerns the deserialization of untrusted data in the JMX endpoint, specifically when it deserializes credentials passed to it. An attacker could exploit this, resulting in a denial of service attack. **Recommendations** For Red Hat JBoss EAP version 5, consider restricting access to the JMX endpoint to minimize the risk of exploitation. As a temporary workaround, avoid using the JMX endpoint for deserializing credentials until a patch is available.

**Name of the Vulnerable Software and Affected Versions** App Studio (millicore) (affected versions not specified) **Description** The issue allows for server side request forgery (SSRF) through the external request API call. This could enable an attacker to probe internal network resources and access restricted endpoints. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Red Hat JBoss EAP versions 3.0.7 through 3.0.25.Final Red Hat JBoss EAP version 3.5.0.CR1 Red Hat JBoss EAP version 4.0.0.Beta1 **Description** The issue is related to inconsistent interpretation of HTTP requests, which can be exploited by a remote attacker to compromise data integrity. This can result in server-side cache poisoning or CORS requests in the JAX-RS component. **Recommendations** For Red Hat JBoss EAP versions 3.0.7 through 3.0.25.Final, consider updating to a version outside of this range to mitigate the risk. For Red Hat JBoss EAP version 3.5.0.CR1, consider updating to a version outside of this range to mitigate the risk. For Red Hat JBoss EAP version 4.0.0.Beta1, consider updating to a version outside of this range to mitigate the risk. As a temporary workaround, consider restricting access to the JAX-RS component to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** JBoss Enterprise Application Platform (EAP) version 7 **Description** The issue allows GET requests to disclose internal IP addresses to remote attackers. **Recommendations** For JBoss Enterprise Application Platform (EAP) version 7, update to a version that includes a fix for this issue to prevent internal IP address disclosure.

**Name of the Vulnerable Software and Affected Versions** JBoss EAP versions 4.x through 5.x **Description** The issue allows remote attackers to execute arbitrary code via a crafted serialized payload. This is related to the PooledInvokerServlet in the affected software. **Recommendations** For JBoss EAP versions 4.x through 5.x, consider disabling the PooledInvokerServlet as a temporary workaround until a patch is available.