REDHAT-BUG-1096955: Command Injection
First published: Mon May 12 2014(Updated: )
Jeremy Choi of Red Hat reports: Attackers, with normal user privilege, are able to do OS command injection with *root* by leveraging a downloadable cartridge where its source-URL scheme is 'file'. In cartridge_repository.rb: 532 when 'file' == uri.scheme 533 entries = Dir.glob(PathUtils.join(uri.path, '*'), File::FNM_DO TMATCH) 534 filesystem_copy(entries, target, %w(. ..)) ... 609 Utils.oo_spawn("/bin/cp -ad #{entries.join(' ')} #{target}", 610 expected_exitstatus: 0) OpenShift Origin copies the directory structure from the user specified cartridge when an application is created via 'file' scheme source. Due to this attackers are able to add an arbitrary directory with system commands (e.g. ;reboot;) in their apps and put it to cp, resulting in OS command injection attack with root privileges.
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Red Hat OpenShift |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- agent/weakness
- agent/type
- agent/first-publish-date
- agent/last-modified-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2014-0233
- agent/references
- agent/severity
- agent/description
- agent/event
- agent/trending
- agent/source
- agent/tags
- agent/softwarecombine
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/red hat
- canonical/red hat openshift