These issues affected supported versions of Red Hat Enterprise Linux, Red Hat OpenStack Platform, Red Hat Virtualization, Red Hat Enterprise Linux Atomic Host, and Red Hat Enterprise MRG. They required both software (kernel/virtualization) and hardware (microcode/firmware) fixes to mitigate the exploit. Patches for current release streams were available starting the same day the flaws went public, with older products receiving patches over the next several days. The initial mitigations were revised and performance was improved with the release of retpolines starting in March 2018. The content created in response to this issue and those that followed were some of the most viewed on our Customer Portal for the year with over 180,000 views on the vulnerability article alone. This also started our Vulnerability explained in 3 minutes video series which was widely cited throughout the industry. There are no known working public exploits for any of these issues to date.
Source-to-Image Vulnerability -S2I (April 27, 2018) CVE-2018-1102
Severity rating: CRITICAL
A bug was discovered in the Source-to-Image build functionality used within Red Hat OpenShift Container Platform that could allow an unprivileged user to escalate their privileges and gain access to the host system in the cluster. This issue affected all 3.x versions of Red Hat OpenShift Container Platform supported at the time. This was the first major issue coordinated with the upstream OpenShift community.
Red Hat had patches available for impacted versions of OpenShift Container Platform starting within one business day, with work-around mitigations available at the time the issue was made public.
POP SS debug exception (May 8, 2018) CVE-2018-8897 & CVE-2018-1087
Severity rating: MODERATE & IMPORTANT
Two related issues (one for bare-metal systems and the other focused on virtualized systems) that revolved around a flaw in how stack-switch operations were handled in MOV to SS or POP SS instructions. On bare-metal systems, this flaw could lead to a denial of service attack and impact a system’s availability. In a virtualized system, an unprivileged KVM guest user could use this flaw to crash the guest or, potentially, escalate their privileges in the guest. With the scope of the virtual machine attack being broader, the CVE was rated IMPORTANT, rather than MODERATE.
These issues affected all currently supported versions of Red Hat Enterprise Linux, Red Hat Enterprise Linux Atomic Host, Red Hat Enterprise MRG, and Red Hat Virtualization. Patches were available for all impacted products within one business day of the issue being made public.
DHCP Client Script Code Execution Vulnerability (May 15, 2018) CVE-2018-1111
Severity Rating: CRITICAL
A provided script to configure DHCP client packages (dhclient) could lead to a command injection attack in Red Hat Enterprise Linux 6 and 7 and Red Hat Virtualization 4. A malicious DHCP server, or an attacker on the local network able to spoof DHCP responses, could use this flaw to execute arbitrary commands with root privileges on systems using NetworkManager, which by default is configured to obtain network configuration using the DHCP protocol.
Patches and mitigations were made available the same day the issue was made public.
Kernel Side-Channel Attack using Speculative Store Bypass (May 21, 2018) CVE-2018-3639
Severity rating: IMPORTANT
With this microprocessor flaw, an unprivileged attacker could bypass restrictions to gain read access to privileged memory that would otherwise be inaccessible. This issue was also referred to as Variant 4 or Speculative Store Bypass. This issue is known to affect CPUs of various microarchitectures. All supported versions of Red Hat Enterprise Linux, Red Hat OpenShift, Red Hat Virtualization, and Red Hat OpenStack Platform were affected.
A malicious, unprivileged user could use this flaw to read privileged system memory and memory outside of a sandboxed environment like a web browser or JIT execution run times.
Patches for this issue were available starting the day the issue was made public and continued to be released for a month afterwards. To fully mitigate this vulnerability, system administrators had to apply both hardware microcode updates and software patches that enabled new functionality.
L1TF - L1 Terminal Fault Attack (August 14, 2018) CVE-2018-3620 & CVE-2018-3646
Severity rating: IMPORTANT
Similar to Spectre and Meltdown, these vulnerabilities could allow an unprivileged attacker to bypass memory security restrictions to gain access to data stored in L1 cache that would otherwise be inaccessible. Also referred to as Foreshadow, these issues are known to only affect x86 microprocessors manufactured by Intel at this time. Both flaws require software-level mitigations performed by operating systems and hypervisors. Full mitigation from potential attack by untrusted guest virtual machines in an environment using virtualization will require specific action by a system administrator including disabling simultaneous multithreading (SMT), also known as hyper-threading (HT).
This issue affected supported versions of Red Hat Enterprise Linux, Red Hat OpenStack Platform, Red Hat Virtualization, Red Hat Enterprise Linux Atomic Host, and Red Hat Enterprise MRG. Patches for this issue were available starting the day the issue was public and continued to be released for the next two weeks.
In virtualized, cloud, or container environments, additional risk analysis is needed to understand how workloads are managed within the environment. Co-mingling of known, trusted workloads alongside untrusted or lower security instances potentially exposes other guests and control infrastructure to a malicious actor reading data stored within L1 cache of the host system’s CPUs. Ultimately, barring workload isolation, the only way to ensure that the risk for this particular attack was mitigated would be to disable hyper-threading, which is not an inconsequential decision for most organizations.
Kubernetes privilege escalation (December 2, 2018) CVE-2018-1002105
Severity rating: CRITICAL
A flaw in Kubernetes, a container orchestration platform used in Red Hat OpenShift releases, was discovered that could allow a malicious actor to escalate their privileges and compromise other pods within a Red Hat OpenShift cluster. A second flaw that could allow a malicious party to escalate their permissions and gain cluster-wide administrative-level permissions through an aggregated API server was also revealed at the same time.
All supported versions of Red Hat OpenShift were affected, including Online and Dedicated. Patches for this issue were available starting the day the issue was public, and all supported versions had fixes available within 24 hours of public disclosure.
In Figure 3 above, we have plotted what we deemed the 10 most interesting vulnerabilities based off of two data factors: the severity of the CVE(s) and the impact to our customers. Each customer is unique, so they may not use a particular package, or they may have other controls in their environment that decrease the residual risk of a given flaw. Conversely, a system affected by any of the 1,274 vulnerabilities addressed in 2018 could support business-critical systems or have other factors that increase the risk for the affected organization.
Another way we gauge customer interest is to measure web traffic, specifically, views for each CVE page in the Red Hat Customer Portal.
The issues detailed in Figure 4 were the most-viewed vulnerabilities from the Red Hat CVE database. Customer interest in Spectre and Meltdown occupied a significant amount of attention over the year, bringing in nearly four times the page views of the next most visited CVE page, SSBD.
THE OPEN SOURCE SUPPLY CHAIN
All Red Hat products are based upon and heavily contribute back to open source communities and projects. A given Red Hat product could contain thousands of individual packages, many based upon a separate third-party package from an open source upstream. Red Hat engineering participates in developing and maintaining many of these upstream components that are the vital foundation of innovation for our enterprise product offerings. Managing and tracking vulnerabilities across these thousands of third-party components is a significant effort, which is why Red Hat has a dedicated Product Security team that monitors issues affecting Red Hat products and the projects and packages that comprise them. The Product Security team also works with our industry peers and security researchers. As vulnerabilities are discovered, Product Security works with Product Engineering and upstream communities to ensure that the issues are documented and prioritized to deliver fixes as quickly as possible to our subscribers—and to the open source community at large.
In 2018, we investigated over 3,774 vulnerabilities that potentially affected parts of our products. These efforts led to the confirmation of impact and resolution of 1,274 of those reported. Each one of those 3,774+ vulnerabilities is tracked within the Red Hat Bugzilla tool and is publicly accessible. Each vulnerability has a master bug, including the CVE name as an alias and metadata such as the dates we discovered it or were notified about it, its severity, and its source. Issues that are not yet public (which are referred to as embargoed) still get an entry in bugzilla, although during the embargo period they are kept private and shared only with those engineers and contributors that need to know about them and can help collaborate on fixing them. As the flaw gets disclosed to the public, the associated bugzilla is updated and also made public. This data is all available through multiple streams for anyone to review:
We use this data to create metrics and review trends with product engineering to help improve future releases and the whole open source ecosystem.
Red Hat does not wait for the bugs to come to us. Our Engineering, Quality Assurance, and Security teams are all actively looking for and finding issues. Approximately 29% of the issues Red Hat addressed came to us directly from peers or Red Hat employees. This is slightly down from 2017, but the number of total flaws reported grew 11% over the previous year. When possible, we share these issues back upstream and with our industry peers. In addition to those issues, Red Hat may also find and report software flaws that are not part of our currently shipped products. When it comes to fixing issues in third-party software, relationships matter. Red Hat Product Security and Product Engineering have deep ties to upstream communities and the technology industry at large. We are constantly communicating and collaborating with our peers on issues that impact all of our shared customers and communities.
If an upstream community is willing to share information about flaws with us in advance, we feel a responsibility to give value back for that shared trust. We do this by reviewing advisories, checking patches, and feeding data back from our quality or performance testing groups. Ultimately we’re all focused on providing remediation to the flaws, and we all try to contribute positively to the solution as it is evolving.
We hope that this report has provided useful information about the risks and flaws addressed across the Red Hat portfolio in 2018. Looking at the flaws reported and fixed over the years, we can see that, in general, the number of vulnerabilities found and fixed continues to rise over time.
There are other types of risks that enterprise operations has to deal with that we do not address in this report, specifically, malware or ransomware. These types of attacks typically rely upon the attacker having or gaining access to a system through intrusion or exploiting a person or vulnerability. Social engineering relies upon the innate good-nature of humans, and sometimes due to the existence of some level of permission or technical flaw, the persuasive attacker can exploit their target. Effective risk management practices, like a rigorous and speedy patch management process, measured and audited access controls, and logging, all help reduce the likelihood of a successful attack, and the overall impact if a flaw does gets exploited.