{
  "threat_severity" : "Important",
  "public_date" : "2019-08-24T00:00:00Z",
  "bugzilla" : {
    "description" : "openshift-ansible: dockergc service account incorrectly associated with namespace during upgrade",
    "id" : "1746238",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1746238"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-266",
  "details" : [ "A flaw was found during the upgrade of an existing OpenShift Container Platform 3.x cluster. When CRI-O is used, the dockergc service account is created in whatever namespace the upgrading user's current kubeconfig context selects, rather than in its intended namespace. This flaw can allow an unprivileged user with access to that namespace to escalate their privileges to those allowed by the privileged Security Context Constraints.", "A flaw was found during the upgrade of an existing OpenShift Container Platform 3.x cluster. When CRI-O is used, the dockergc service account is created in whatever namespace the upgrading user's current kubeconfig context selects, rather than in its intended namespace. This flaw can allow an unprivileged user with access to that namespace to escalate their privileges to those allowed by the privileged Security Context Constraints." ],
  "statement" : "If the upgrade was run with the openshift_crio_enable_docker_gc Ansible variable set to 'False', the cluster is not affected. The variable defaulted to 'True' in openshift-ansible releases after 3.10.x and before openshift-ansible-3.11.0-0.28.0; see https://github.com/openshift/openshift-ansible/commit/bf5fbea4138f27313c5e4dcd683821975db8e443. Clusters upgraded with the default value during that window should be treated as potentially affected even if the variable has since been set to 'False'.",
  "affected_release" : [ {
    "product_name" : "Red Hat OpenShift Container Platform 3.11",
    "release_date" : "2019-09-23T00:00:00Z",
    "advisory" : "RHSA-2019:2818",
    "cpe" : "cpe:/a:redhat:openshift:3.11::el7",
    "package" : "openshift-ansible-0:3.11.146-1.git.0.fcedb45.el7"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat OpenShift Container Platform 3.10",
    "fix_state" : "Affected",
    "package_name" : "openshift-ansible",
    "cpe" : "cpe:/a:redhat:openshift:3.10"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.9",
    "fix_state" : "Not affected",
    "package_name" : "openshift-ansible",
    "cpe" : "cpe:/a:redhat:openshift:3.9"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "openshift-ansible",
    "cpe" : "cpe:/a:redhat:openshift:4"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2019-14819\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-14819" ],
  "name" : "CVE-2019-14819",
  "mitigation" : {
    "value" : "Ensure the kubeconfig (~/.kube/config) of the user running the Ansible playbooks is using the 'default' context when executing or re-executing a cluster upgrade or install. This only prevents the dockergc service account from being created in an unintended namespace on subsequent runs; if an upgrade was already performed under a different context, review that context's namespace for a misplaced dockergc service account.",
    "lang" : "en:us"
  },
  "csaw" : false
}