PT-2019-5504 · Red Hat · Openshift Container Platform
Published: 2019-06-12 · Updated: 2023-02-12 · CVE-2019-10150
CVSS v3.1: 5.9 (Medium)
Vector: AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:L
Name of the Vulnerable Software and Affected Versions
OpenShift Container Platform versions 3.6.x through 4.6.0
Description
The issue stems from a deficiency in the authentication procedure of the Red Hat OpenShift Container Platform: the platform does not perform SSH host key checking when it uses SSH key authentication during builds, so a build cannot tell whether the host it connects to is the genuine one. An attacker with the ability to redirect network traffic could exploit this to alter the resulting build output.
Recommendations
For OpenShift Container Platform versions 3.6.x through 4.6.0, consider implementing additional security measures to verify the authenticity of build outputs, such as manually verifying SSH host keys, until a patch is available. As a temporary workaround, restrict access to the build process to minimize the risk of exploitation.
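As an added illustration of the check the recommendation calls for (this is example code, not OpenShift's build code or anything from Red Hat), the following models strict SSH host key verification against a pinned known_hosts entry: a key that is unknown or that differs from the pinned one is rejected rather than silently accepted. The host name and both key blobs are constructed for the example.

```python
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (4-byte big-endian length prefix)."""
    return struct.pack(">I", len(data)) + data


def fingerprint_sha256(key_blob: bytes) -> str:
    """Fingerprint in the form OpenSSH prints: SHA256:<base64 digest without padding>."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts(text: str) -> dict:
    """Map (host, key type) -> raw key blob for plain (unhashed) known_hosts lines."""
    pinned = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        hosts, keytype, key_b64 = line.split()[:3]
        for host in hosts.split(","):
            pinned[(host, keytype)] = base64.b64decode(key_b64)
    return pinned


def verify_host_key(pinned: dict, host: str, keytype: str, presented: bytes) -> bool:
    """Strict checking: an unknown host or a mismatched key is rejected, never auto-added."""
    expected = pinned.get((host, keytype))
    return expected is not None and expected == presented


# Constructed sample keys (not real hosts): an ed25519 blob is "ssh-ed25519" + 32 raw key bytes.
GENUINE_KEY = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
IMPOSTOR_KEY = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32, 64)))

# Constructed known_hosts content pinning the genuine key for a hypothetical source host.
KNOWN_HOSTS = "git.example.internal ssh-ed25519 " + base64.b64encode(GENUINE_KEY).decode() + "\n"
PINNED = parse_known_hosts(KNOWN_HOSTS)

if __name__ == "__main__":
    print("pinned fingerprint:", fingerprint_sha256(GENUINE_KEY))
    print("genuine host accepted:", verify_host_key(PINNED, "git.example.internal", "ssh-ed25519", GENUINE_KEY))
    print("impostor rejected:", not verify_host_key(PINNED, "git.example.internal", "ssh-ed25519", IMPOSTOR_KEY))
    print("unknown host rejected:", not verify_host_key(PINNED, "other.example.internal", "ssh-ed25519", GENUINE_KEY))
```

A build that skips this comparison behaves like the auto-accept case: whichever host answers the connection is trusted, which is what lets redirected traffic change the build's inputs.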
Weakness Enumeration
Improper Authentication
Related Identifiers
CVE-2019-10150
Affected Products
Openshift Container Platform