Possible DoS via dbus socket available in containers
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
tripleo | Fix Released | Critical | Unassigned |
Bug Description
Hello there,
This is the upstream version of a Red Hat Bugzilla[0], as a summary of the investigations and state.
Red Hat is asking for a CVE number and considers this issue as "Moderate CVE" - since it's, for now, private on the Bugzilla, I set it to private here as well.
Report content:
Since [1], container_t is allowed to send messages to the host DBus service. This is linked to rhbz#1738134.
This can lead to a denial of service (DoS) if a rogue user can talk to the DBus socket from a compromised container. This is true for every container with /run or /var/run bind-mounted from the host. Neither root nor sudo is needed within the container.
We should revert that patch asap, and put to use the newly created log as per:
Master/ussuri
- https:/
- https:/
- https:/
Train:
- https:/
- https:/
Stein:
- https:/
- https:/
If we revert that patch already, it will break the metrics for the healthchecks until the provided logfile is used instead of "journalctl" calls - Not sure about the real impact, especially for osp-15 (how many customers are actually running prod on it, with metrics and all), but it might be worth the breakage, compared to the security risk...
Please note that the listed changes are NOT sufficient - collectd|sensu must update their configuration/
Cheers,
C.
[0] https:/
[1] https:/
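The report's exposure condition (any container that bind-mounts /run or /var/run from the host can reach the host DBus socket) can be checked across a fleet from the output of `podman inspect` / `docker inspect`. The following audit helper is an added example, not code from the report or from TripleO; it assumes the standard system bus socket path /run/dbus/system_bus_socket and uses a constructed inspect JSON sample.

```python
import json
from typing import Dict, List

# Standard system D-Bus socket paths on the host (assumption: default dbus layout).
# /var/run is a symlink to /run on modern systems, so both spellings are covered.
DBUS_SOCKET_PATHS = (
    "/run/dbus/system_bus_socket",
    "/var/run/dbus/system_bus_socket",
)


def mount_exposes_dbus(mount: Dict) -> bool:
    """True if a bind mount's host source is the dbus socket or any parent of it.

    Binding /run, /var/run, /var or / into a container all reach the socket,
    which is exactly the condition described in the report.
    """
    if mount.get("Type", "bind") != "bind":
        return False  # named volumes and tmpfs do not expose host paths
    src = mount.get("Source", "")
    if not src.startswith("/"):
        return False
    src = src.rstrip("/") or "/"
    for socket_path in DBUS_SOCKET_PATHS:
        if src == "/" or src == socket_path or socket_path.startswith(src + "/"):
            return True
    return False


def containers_exposing_dbus(inspect_json: str) -> List[str]:
    """Return names of containers (from `podman/docker inspect` JSON) that can reach host dbus."""
    hits = []
    for container in json.loads(inspect_json):
        if any(mount_exposes_dbus(m) for m in container.get("Mounts", [])):
            # docker prefixes names with "/", podman does not; normalise both
            hits.append(container.get("Name", container.get("Id", "?")).lstrip("/"))
    return hits


# Constructed sample of `podman inspect` output (three containers, not real hosts).
SAMPLE_INSPECT = json.dumps([
    {"Name": "nova_compute", "Mounts": [
        {"Type": "bind", "Source": "/run", "Destination": "/run"},
        {"Type": "bind", "Source": "/var/lib/nova", "Destination": "/var/lib/nova"}]},
    {"Name": "collectd", "Mounts": [
        {"Type": "bind", "Source": "/var/run/dbus/system_bus_socket",
         "Destination": "/var/run/dbus/system_bus_socket"}]},
    {"Name": "haproxy", "Mounts": [
        {"Type": "bind", "Source": "/var/lib/config-data/haproxy", "Destination": "/etc/haproxy"},
        {"Type": "volume", "Source": "/var/lib/containers/storage/volumes/x/_data", "Destination": "/run"}]},
])

if __name__ == "__main__":
    print(containers_exposing_dbus(SAMPLE_INSPECT))  # returns ['nova_compute', 'collectd']
```

On a real node, feed it `podman inspect $(podman ps -q)`; every container listed is one where the DoS path in the report applies and where the revert or the log-file based healthcheck is needed.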
CVE References
information type: Private Security → Public Security
Changed in tripleo: milestone: ussuri-3 → ussuri-rc3
Changed in tripleo: milestone: ussuri-rc3 → victoria-1
Changed in tripleo: milestone: victoria-1 → victoria-3
Changed in tripleo: status: Triaged → Fix Released
CVE-2020-1690 has been assigned to this issue.