{
  "threat_severity" : "Important",
  "public_date" : "2018-09-06T00:00:00Z",
  "bugzilla" : {
    "description" : "atomic-openshift: oc patch with json causes masterapi service crash",
    "id" : "1625885",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1625885"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.7",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-787",
  "details" : [ "An out-of-bounds write can occur when patching an OpenShift object using the 'oc patch' functionality in OpenShift Container Platform before 3.7. An attacker can use this flaw to cause a denial of service attack on the OpenShift master API service, which provides cluster management.", "An out-of-bounds write can occur when patching an OpenShift object using the 'oc patch' functionality in OpenShift Container Platform 3.x. An attacker can use this flaw to cause a denial of service attack on the OpenShift master API service, which provides cluster management." ],
  "statement" : "A multi-master OpenShift Container Platform cluster is more resilient; however, a sustained attack would still have an important impact.",
  "acknowledgement" : "Red Hat would like to thank Lars Haugan for reporting this issue.",
  "affected_release" : [ {
    "product_name" : "Red Hat OpenShift Container Platform 3.10",
    "release_date" : "2018-11-11T00:00:00Z",
    "advisory" : "RHSA-2018:2709",
    "cpe" : "cpe:/a:redhat:openshift:3.10::el7",
    "package" : "atomic-openshift-0:3.10.66-1.git.0.91d1e89.el7"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.11",
    "release_date" : "2018-10-11T00:00:00Z",
    "advisory" : "RHBA-2018:2652",
    "cpe" : "cpe:/a:redhat:openshift:3.11::el7",
    "package" : "atomic-openshift-0:3.11.16-1.git.0.b48b8f8.el7"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.6",
    "release_date" : "2018-09-26T00:00:00Z",
    "advisory" : "RHSA-2018:2654",
    "cpe" : "cpe:/a:redhat:openshift:3.6::el7",
    "package" : "atomic-openshift-0:3.6.173.0.130-1.git.0.8d78a39.el7"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.7",
    "release_date" : "2018-11-21T00:00:00Z",
    "advisory" : "RHSA-2018:2906",
    "cpe" : "cpe:/a:redhat:openshift:3.7::el7",
    "package" : "atomic-openshift-0:3.7.72-1.git.0.925b9cd.el7"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.9",
    "release_date" : "2018-11-20T00:00:00Z",
    "advisory" : "RHSA-2018:2908",
    "cpe" : "cpe:/a:redhat:openshift:3.9::el7",
    "package" : "atomic-openshift-0:3.9.51-1.git.0.dc3a40b.el7"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat OpenShift Container Platform 3.2",
    "fix_state" : "Affected",
    "package_name" : "atomic-openshift",
    "cpe" : "cpe:/a:redhat:openshift:3.2"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.3",
    "fix_state" : "Affected",
    "package_name" : "atomic-openshift",
    "cpe" : "cpe:/a:redhat:openshift:3.3"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.4",
    "fix_state" : "Affected",
    "package_name" : "atomic-openshift",
    "cpe" : "cpe:/a:redhat:openshift:3.4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.5",
    "fix_state" : "Affected",
    "package_name" : "atomic-openshift",
    "cpe" : "cpe:/a:redhat:openshift:3.5"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "openshift",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenShift Enterprise 3.0",
    "fix_state" : "Affected",
    "package_name" : "openshift",
    "cpe" : "cpe:/a:redhat:openshift:3.0"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2018-14632\nhttps://nvd.nist.gov/vuln/detail/CVE-2018-14632" ],
  "name" : "CVE-2018-14632",
  "csaw" : false
}