CVE-2019-10150
First published: Thu May 23 2019(Updated: )
It was found that OpenShift Container Platform does not perform SSH Host Key checking when using ssh key authentication during builds. An attacker, with the ability to redirect network traffic, could use this to alter the resulting build output.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/atomic-openshift | <0:3.10.175-1.git.0.f9f0e81.el7 | 0:3.10.175-1.git.0.f9f0e81.el7 |
| redhat/cri-o | <0:1.10.6-2.rhaos3.10.git56d7d9a.el7 | 0:1.10.6-2.rhaos3.10.git56d7d9a.el7 |
| redhat/atomic-openshift | <0:3.11.153-1.git.0.aaf3f71.el7 | 0:3.11.153-1.git.0.aaf3f71.el7 |
| redhat/atomic-openshift | <0:3.9.102-1.git.0.6411f52.el7 | 0:3.9.102-1.git.0.6411f52.el7 |
| Red Hat OpenShift Container Platform | >=3.6<=4.1 |
Remedy
Use only methods (such as HTTPS with TLS verification) that enable the identity of the remote repository to be validated.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://access.redhat.com/errata/RHSA-2019:2989
- https://access.redhat.com/errata/RHSA-2019:3007
- https://access.redhat.com/errata/RHSA-2019:3143
- https://access.redhat.com/errata/RHSA-2019:3811
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10150
- https://docs.openshift.com/container-platform/3.11/dev_guide/builds/build_inputs.html#source-secrets-ssh-key-authentication
- https://github.com/openshift/origin/blob/release-3.11/pkg/build/builder/cmd/scmauth/sshkey.go#L26-L28
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1715256
- https://access.redhat.com/security/cve/cve-2019-10150
- https://bugzilla.redhat.com/show_bug.cgi?id=1713433
- https://www.cve.org/CVERecord?id=CVE-2019-10150 https://nvd.nist.gov/vuln/detail/CVE-2019-10150 https://docs.openshift.com/container-platform/3.11/dev_guide/builds/build_inputs.html#source-secrets-ssh-key-authentication
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is the severity of CVE-2019-10150?
CVE-2019-10150 is considered a critical vulnerability as it allows attackers to manipulate build outputs due to lack of SSH Host Key checking.
How do I fix CVE-2019-10150?
To fix CVE-2019-10150, update your OpenShift Container Platform to one of the remediated versions specified in the advisory, such as 3.10.175-1.git.0.f9f0e81.el7 or later.
Which versions of OpenShift Container Platform are affected by CVE-2019-10150?
Versions of OpenShift Container Platform from 3.6 to less than 4.1 are affected by CVE-2019-10150.
What can an attacker do with CVE-2019-10150?
An attacker can redirect network traffic to alter the build output of OpenShift Container Platform due to the disabled SSH Host Key checking.
Is CVE-2019-10150 specific to Red Hat OpenShift?
Yes, CVE-2019-10150 specifically affects the Red Hat OpenShift Container Platform and its associated components.
- collector/redhat-cve
- agent/type
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2019-10150
- agent/severity
- agent/references
- agent/weakness
- agent/author
- agent/remedy
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/description
- agent/event
- agent/trending
- collector/nvd-index
- agent/software-canonical-lookup-request
- agent/tags
- agent/softwarecombine
- agent/source
- package-manager/redhat
- vendor/redhat
- canonical/red hat openshift container platform
- version/red hat openshift container platform/3.6
- version/red hat openshift container platform/4.1