CVE-2019-10200
First published: Tue Jul 16 2019(Updated: )
A flaw was discovered in OpenShift Container Platform 4 where, by default, users with access to create pods also have the ability to schedule workloads on master nodes. Pods with permission to access the host network, running on master nodes, can retrieve security credentials for the master AWS IAM role, allowing management access to AWS resources. With access to the security credentials, the user then has access to the entire infrastructure. Impact to data and system availability is high.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Red Hat OpenShift Container Platform | =4.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1729242
- https://github.com/openshift/cluster-kube-apiserver-operator/pull/524
- https://docs.openshift.com/container-platform/4.1/authentication/managing-security-context-constraints.html
- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1730161#c5
- https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance
- https://docs.openshift.com/container-platform/4.4/authentication/managing-security-context-constraints.html
- https://bugzilla.redhat.com/show_bug.cgi?id=1730161
Frequently Asked Questions
What is the severity of CVE-2019-10200?
CVE-2019-10200 has been classified as a high severity vulnerability due to its potential impact on cluster security.
How do I fix CVE-2019-10200?
To fix CVE-2019-10200, you should restrict pod security contexts and ensure that users do not have permissions to schedule workloads on master nodes.
What are the potential risks of CVE-2019-10200?
The potential risks of CVE-2019-10200 include unauthorized access to AWS IAM security credentials and increased attack surface on master nodes.
Which version of OpenShift Container Platform is affected by CVE-2019-10200?
CVE-2019-10200 affects version 4.0 of the OpenShift Container Platform.
Can CVE-2019-10200 lead to data breaches?
Yes, CVE-2019-10200 can potentially lead to data breaches if malicious users exploit the vulnerability to gain access to sensitive information.
- agent/references
- agent/type
- agent/remedy
- agent/softwarecombine
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2019-10200
- agent/weakness
- agent/author
- agent/last-modified-date
- agent/severity
- agent/description
- agent/event
- agent/trending
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/redhat
- canonical/red hat openshift container platform
- version/red hat openshift container platform/4.0