Red Hat recently announced information about CVE-2018-1102, a bug in the S2I (Source to Image) functionality of OpenShift Online and OpenShift Container Platform (OCP).
This bug affects OpenShift Container Platform (OCP) versions 3.0 through 3.9, and the OpenShift Online service including our Starter, Pro, and Dedicated tiers. In response to this, the OpenShift Online Security SRE team took steps to minimize exposure across all the clusters managed by Red Hat.
For the OpenShift Container Platform on-premises product, fixes have been released, and a workaround in the form of turning off the source to image feature is also available, please see the vulnerability article linked below for more information on these.
For OpenShift Online the software update has been applied and testing was conducted to confirm that the update has taken effect. Additionally, for all Red Hat managed clusters, automation tools were used to “untag” any pre-existing S2I images that were cached on the nodes This process ensures that the new, fixed, the image is retrieved prior to the next use of the S2I builder.
For OpenShift Online and Dedicated customers:
- As an OpenShift Online or Dedicated user, your environments are protected.
- OpenShift Online and Dedicated have multiple layers of security that help restrict the exposure caused by CVE-2018-1102.
OCP customers should refer to the vulnerability article available at https://access.redhat.com/security/vulnerabilities/3422241.
Red Hat OpenShift SRE Team
About the author
Dave Baker has been with Red Hat since 2017. He's currently working as a Design Architect in the Secure Engineering team within Product Security, and has spent the last years in various security related roles helping to protect Red Hat OpenShift Container Platform and many other products.