In IBM Cloud Private on OpenShift icp-scc SecurityContextContraints is erroneously assigned to all pods in all namespaces
CVEID: CVE-2019-4415 DESCRIPTION: IBM Cloud Private could allow a local user to obtain elevated privileges due to improper security context constraints.
CVSS Base Score: 4.9
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/162706> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)
IBM Cloud Private 3.1.1, 3.1.2
For IBM Cloud Private 3.1.1 or 3.1.2:
In OpenShift clusters, the icp-scc SecurityContextContraints resource is erroneously assigned to all pods in all namespaces that use Deployments, StatefulSets, DaemonSets, Jobs, and other controllers that manage pods. The icp-scc SecurityContextContraints is assigned regardless of the user ID that was used to create the resource or the service account that is assigned to the pod.
To resolve the issue, run the following kubectl commands on the master node:
Reference:
See Remediation/Fixes