{
  "threat_severity" : "Low",
  "public_date" : "2020-07-13T00:00:00Z",
  "bugzilla" : {
    "description" : "openshift: restricted SCC allows pods to craft custom network packets",
    "id" : "1858981",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1858981"
  },
  "cvss3" : {
    "cvss3_base_score" : "3.1",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L",
    "status" : "verified"
  },
  "cwe" : "CWE-770",
  "details" : [ "A flaw was found in the Restricted Security Context Constraints (SCC), where it allows pods to craft custom network packets. This flaw allows an attacker to cause a denial of service attack on an OpenShift Container Platform cluster if they can deploy pods. The highest threat from this vulnerability is to system availability.", "A flaw was found in the Restricted Security Context Constraints (SCC), where it allows pods to craft custom network packets. This flaw allows an attacker to cause a denial of service attack on an OpenShift Container Platform cluster if they can deploy pods. The highest threat from this vulnerability is to system availability." ],
  "statement" : "By default, the OpenShift Container Platform uses the OpenShift SDN network interface. This interface makes this attack impractical by implementing IPTable rules on the host side of the virtual network interface, isolating network traffic to within the pod.\nIf the OpenShift Container Platform has the sriov-network-operator deployed, it is at a greater risk for exploitation. \nIf installing a new OCP 4.6 cluster no changes are required. If upgrading a cluster from an earlier version to 4.5.16 be sure to delete 99-worker-generated-crio-capabilities and 99-master-generated-crio-capabilities machine controllers once you have tested that dropping NET_RAW does not break your cluster workload.",
  "acknowledgement" : "This issue was discovered by Yuval Kashtan (Red Hat).",
  "affected_release" : [ {
    "product_name" : "Red Hat OpenShift Container Platform 4.5",
    "release_date" : "2020-10-26T00:00:00Z",
    "advisory" : "RHSA-2020:4320",
    "cpe" : "cpe:/a:redhat:openshift:4.5::el7",
    "package" : "openshift4/ose-machine-config-operator:v4.5.0-202010160047.p0"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.6",
    "release_date" : "2020-10-27T00:00:00Z",
    "advisory" : "RHSA-2020:4298",
    "cpe" : "cpe:/a:redhat:openshift:4.6::el8",
    "package" : "openshift4/ose-machine-config-operator:v4.6.0-202010220220.p0"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat OpenShift Container Platform 3.11",
    "fix_state" : "Fix deferred",
    "package_name" : "atomic-openshift",
    "cpe" : "cpe:/a:redhat:openshift:3.11"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2020-14336\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-14336" ],
  "name" : "CVE-2020-14336",
  "mitigation" : {
    "value" : "On OCP 3.11 create a custom SCC based on 'restricted' and also drop the NET_RAW capability[1]. Assign this custom SCC to any users, or groups which create pods you want to protect. See the documentation for more information [2]. \n[1] https://access.redhat.com/solutions/5611521\n[2] https://docs.openshift.com/container-platform/3.11/admin_guide/manage_scc.html",
    "lang" : "en:us"
  },
  "csaw" : false
}