{
  "threat_severity" : "Moderate",
  "public_date" : "2019-04-24T00:00:00Z",
  "bugzilla" : {
    "description" : "libseccomp-golang: mishandling of multiple argument rules leading to a bypass of intended access restrictions",
    "id" : "1706826",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1706826"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.5",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-305",
  "details" : [ "libseccomp-golang 0.9.0 and earlier incorrectly generates BPF filters that OR multiple argument conditions together rather than ANDing them. A process running under a restrictive seccomp filter that specified multiple syscall arguments could bypass the intended access restrictions by supplying a single matching argument." ],
  "statement" : "This issue may affect OpenShift Container Platform 3.x and 4.x if you are providing a custom Seccomp profile using Security Context Constraints [1]. The custom Seccomp profile would need to specify multiple arguments for the same syscall, as in the example below, taken from [2].\n{\n\"names\": [\n\"socketcall\"\n],\n\"action\": \"SCMP_ACT_ALLOW\",\n\"args\": [\n{\n\"index\": 0,\n\"value\": 1,\n\"valueTwo\": 0,\n\"op\": \"SCMP_CMP_EQ\"\n},\n{\n\"index\": 1,\n\"value\": 1,\n\"valueTwo\": 0,\n\"op\": \"SCMP_CMP_EQ\"\n}\n],\n\"comment\": \"\",\n\"includes\": {},\n\"excludes\": {}\n},\nIf such a profile was used, the arguments could be combined as an OR rule rather than the AND rule the user might expect from Seccomp.\n[1] https://docs.openshift.com/container-platform/4.1/authentication/managing-security-context-constraints.html\n[2] https://github.com/moby/moby/issues/32714#issuecomment-295532163",
  "affected_release" : [ {
    "product_name" : "Red Hat OpenShift Container Platform 3.11",
    "release_date" : "2020-06-18T00:00:00Z",
    "advisory" : "RHSA-2020:2479",
    "cpe" : "cpe:/a:redhat:openshift:3.11::el7",
    "package" : "atomic-openshift-0:3.11.232-1.git.0.a5bc32f.el7"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.1",
    "release_date" : "2019-12-17T00:00:00Z",
    "advisory" : "RHSA-2019:4087",
    "cpe" : "cpe:/a:redhat:openshift:4.1::el7",
    "package" : "openshift-0:4.1.27-201912021146.git.0.a40116f.el7"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.1",
    "release_date" : "2019-12-17T00:00:00Z",
    "advisory" : "RHSA-2019:4090",
    "cpe" : "cpe:/a:redhat:openshift:4.1::el7",
    "package" : "openshift4/ose-cli:v4.1.27-201912030019"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.1",
    "release_date" : "2019-12-17T00:00:00Z",
    "advisory" : "RHSA-2019:4090",
    "cpe" : "cpe:/a:redhat:openshift:4.1::el7",
    "package" : "openshift4/ose-cli-artifacts:v4.1.27-201912030019"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.1",
    "release_date" : "2019-12-17T00:00:00Z",
    "advisory" : "RHSA-2019:4090",
    "cpe" : "cpe:/a:redhat:openshift:4.1::el7",
    "package" : "openshift4/ose-hyperkube:v4.1.27-201912030019"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.1",
    "release_date" : "2019-12-17T00:00:00Z",
    "advisory" : "RHSA-2019:4090",
    "cpe" : "cpe:/a:redhat:openshift:4.1::el7",
    "package" : "openshift4/ose-hypershift:v4.1.27-201912030019"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat OpenShift Container Platform 3.10",
    "fix_state" : "Will not fix",
    "package_name" : "atomic-openshift",
    "cpe" : "cpe:/a:redhat:openshift:3.10"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Affected",
    "package_name" : "openshift-enterprise-node-container",
    "cpe" : "cpe:/a:redhat:openshift:4"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2017-18367\nhttps://nvd.nist.gov/vuln/detail/CVE-2017-18367" ],
  "name" : "CVE-2017-18367",
  "csaw" : false
}