{
  "threat_severity" : "Moderate",
  "public_date" : "2019-05-29T00:00:00Z",
  "bugzilla" : {
    "description" : "atomic-openshift: OpenShift builds don't verify SSH Host Keys for the git repository",
    "id" : "1713433",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1713433"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.9",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:L",
    "status" : "verified"
  },
  "cwe" : "CWE-287",
  "details" : [ "It was found that OpenShift Container Platform versions 3.6.x - 4.6.0 do not perform SSH host key checking when using SSH key authentication during builds. An attacker with the ability to redirect network traffic could use this to alter the resulting build output.", "It was found that OpenShift Container Platform does not perform SSH host key checking when using SSH key authentication during builds. An attacker with the ability to redirect network traffic could use this to alter the resulting build output." ],
  "statement" : "OpenShift Container Platform allows various types of \"source clone secrets\" to be defined in order to permit building from non-public git repositories. When SSH key authentication is used, server host key checking is disabled.\nAn attacker with the ability to redirect the network traffic and perform a \"man in the middle\" attack will be able to redirect the build job to use arbitrary content of their choosing.\nNote that the same flaw (no verification of the remote server's identity) is also present when using plain HTTP, or when using HTTPS with TLS verification manually disabled.",
  "acknowledgement" : "Red Hat would like to thank @l14n_uk for reporting this issue.",
  "affected_release" : [ {
    "product_name" : "Red Hat OpenShift Container Platform 3.10",
    "release_date" : "2019-10-14T00:00:00Z",
    "advisory" : "RHSA-2019:2989",
    "cpe" : "cpe:/a:redhat:openshift:3.10::el7",
    "package" : "atomic-openshift-0:3.10.175-1.git.0.f9f0e81.el7"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.10",
    "release_date" : "2019-10-14T00:00:00Z",
    "advisory" : "RHSA-2019:2989",
    "cpe" : "cpe:/a:redhat:openshift:3.10::el7",
    "package" : "cri-o-0:1.10.6-2.rhaos3.10.git56d7d9a.el7"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.11",
    "release_date" : "2019-10-18T00:00:00Z",
    "advisory" : "RHSA-2019:3143",
    "cpe" : "cpe:/a:redhat:openshift:3.11::el7",
    "package" : "atomic-openshift-0:3.11.153-1.git.0.aaf3f71.el7"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.9",
    "release_date" : "2019-11-07T00:00:00Z",
    "advisory" : "RHSA-2019:3811",
    "cpe" : "cpe:/a:redhat:openshift:3.9::el7",
    "package" : "atomic-openshift-0:3.9.102-1.git.0.6411f52.el7"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.1",
    "release_date" : "2019-10-16T00:00:00Z",
    "advisory" : "RHSA-2019:3007",
    "cpe" : "cpe:/a:redhat:openshift:4.1::el7",
    "package" : "openshift4/ose-docker-builder:v4.1.20-201910102034"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat OpenShift Container Platform 3.6",
    "fix_state" : "Out of support scope",
    "package_name" : "atomic-openshift",
    "cpe" : "cpe:/a:redhat:openshift:3.6"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.7",
    "fix_state" : "Out of support scope",
    "package_name" : "atomic-openshift",
    "cpe" : "cpe:/a:redhat:openshift:3.7"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2019-10150\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-10150\nhttps://docs.openshift.com/container-platform/3.11/dev_guide/builds/build_inputs.html#source-secrets-ssh-key-authentication" ],
  "name" : "CVE-2019-10150",
  "mitigation" : {
    "value" : "Use only clone methods (such as HTTPS with TLS verification enabled) that allow the identity of the remote repository to be validated.",
    "lang" : "en:us"
  },
  "csaw" : false
}