An option injection flaw was found in git when it recursively clones a repository with submodules. A remote attacker can craft a malicious repository whose `.gitmodules` file declares a submodule URL beginning with a dash; when the victim clones it recursively, the URL is handed to the child `git clone` process, which interprets it as a command-line option rather than a repository address, allowing arbitrary commands to run on the victim's machine.
Find out more about CVE-2018-17456 from the MITRE CVE dictionary and NIST NVD.
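The following script is an added example, not code from git or Red Hat: it parses a `.gitmodules` file and flags any submodule whose `url` or `path` value begins with a dash, which is the shape of input CVE-2018-17456 abuses and the rule the upstream git fix enforces. The `.gitmodules` content embedded in it is constructed for the example; the function and variable names are the author's own. It is a pre-clone screening check for unpatched clients, not a substitute for applying the errata below.

```python
import re
from typing import Dict, List

# Constructed .gitmodules sample (not taken from any real repository): one
# benign submodule and one whose URL starts with "-", the pattern that lets a
# child `git clone` treat the URL as an option during a recursive clone.
SAMPLE_GITMODULES = """\
[submodule "vendor/libfoo"]
\tpath = vendor/libfoo
\turl = https://example.com/libfoo.git
[submodule "evil"]
\tpath = evil
\turl = -u./payload
"""

# [submodule "<name>"] section header and simple key = value lines of the
# git config format; this parser deliberately covers only what .gitmodules uses.
SECTION_RE = re.compile(r'^\[submodule\s+"([^"]+)"\]\s*$')
KV_RE = re.compile(r'^(\w[\w-]*)\s*=\s*(.*?)\s*$')


def parse_gitmodules(text: str) -> Dict[str, Dict[str, str]]:
    """Return {submodule name: {key: value}} for the submodule sections of a
    .gitmodules file. Comments (# or ;) and non-submodule sections are skipped."""
    modules: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = SECTION_RE.match(line)
        if header:
            current = modules.setdefault(header.group(1), {})
            continue
        if line.startswith("["):
            current = None  # some other section type; ignore its keys
            continue
        kv = KV_RE.match(line)
        if kv and current is not None:
            current[kv.group(1).lower()] = kv.group(2)
    return modules


def dangerous_submodules(text: str) -> List[str]:
    """Return one finding per submodule whose url or path starts with "-".

    Such a value is passed to the child `git clone` (or used as its target
    path) and would be parsed as an option. The fixed git rejects these
    values outright; this check mirrors that rule for unpatched clients."""
    findings: List[str] = []
    for name, keys in parse_gitmodules(text).items():
        for key in ("url", "path"):
            value = keys.get(key, "")
            if value.startswith("-"):
                findings.append(f'submodule "{name}": {key} starts with "-": {value!r}')
    return findings


if __name__ == "__main__":
    hits = dangerous_submodules(SAMPLE_GITMODULES)
    for hit in hits or ["no dash-prefixed submodule url/path found"]:
        print(hit)
```

Run it against the `.gitmodules` of a repository before performing `git clone --recurse-submodules` on a client that has not received the fix; an empty result means the file contains no dash-prefixed values, not that the repository is otherwise trustworthy.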
OpenShift Container Platform (OCP) source-to-image uses the git client packaged in the OCP container images. Since RHEL 7 and the container images built on it are affected, source-to-image is also affected. The atomic-openshift package running on the masters determines which source-to-image build image is used, so a cluster update is required to patch this issue. Full instructions will be provided in the Security Errata for this issue.
In OCP 3.6 and earlier, source-to-image executes in a privileged container on the node, so this CVE is rated Important for those versions. OCP 3.7 and later execute the source-to-image git pull in an unprivileged init container.
Metric | Value |
---|---|
CVSS3 Base Score | 8.8 |
CVSS3 Base Metrics | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
Attack Vector | Network |
Attack Complexity | Low |
Privileges Required | None |
User Interaction | Required |
Scope | Unchanged |
Confidentiality Impact | High |
Integrity Impact | High |
Availability Impact | High |
Platform | Errata | Release Date |
---|---|---|
Red Hat Enterprise Linux 7 (git) | RHSA-2018:3408 | 2018-10-30 |
Red Hat Software Collections for Red Hat Enterprise Linux 7 (rh-git29-git) | RHSA-2018:3541 | 2018-11-13 |
Red Hat Software Collections for Red Hat Enterprise Linux 6 (rh-git29-git) | RHSA-2018:3541 | 2018-11-13 |
Platform | Package | State |
---|---|---|
Red Hat Software Collections for Red Hat Enterprise Linux | rh-git218-git | Not affected |
Red Hat OpenShift Enterprise 3.2 | source-to-image | Affected |
Red Hat OpenShift Enterprise 3.1 | source-to-image | Affected |
Red Hat OpenShift Enterprise 3.0 | source-to-image | Affected |
Red Hat OpenShift Container Platform 3.9 | source-to-image | Affected |
Red Hat OpenShift Container Platform 3.7 | source-to-image | Affected |
Red Hat OpenShift Container Platform 3.6 | source-to-image | Affected |
Red Hat OpenShift Container Platform 3.5 | source-to-image | Affected |
Red Hat OpenShift Container Platform 3.4 | source-to-image | Affected |
Red Hat OpenShift Container Platform 3.3 | source-to-image | Affected |
Red Hat OpenShift Container Platform 3.11 | source-to-image | Affected |
Red Hat OpenShift Container Platform 3.10 | source-to-image | Affected |
Red Hat Mobile Application Platform On-Premise 4 | fh-scm | Not affected |
Red Hat JBoss Fuse 7 | camel | Under investigation |
Red Hat JBoss Fuse 6 | camel | Under investigation |
Red Hat Enterprise Linux 6 | git | Will not fix |