Information Disclosure

OpenShift Enterprise by Red Hat is the company’s cloud computing Platform-as-a-Service (PaaS) solution designed for on-premise or private cloud deployments. It was reported that OpenShift Enterprise 2.2 did not properly restrict access to services running on different gears. This could allow an attacker to access unprotected network resources running in another user’s gear. OpenShift Enterprise 2.2 introduces the oo-gear-firewall command which creates firewall rules and SELinux policy to contain services running on gears to their own internal gear IPs. The command is invoked by default during new installations of OpenShift Enterprise 2.2 to prevent this security issue. Administrators should run the following on node hosts in existing deployments after upgrading to 2.2 to address this security issue: # oo-gear-firewall -i enable -s enable Please see the man page for the oo-gear-firewall command for more details. (CVE-2014-3674) It was reported that OpenShift Enterprise did not restrict access to the /proc/net/tcp file on gears, which allowed local users to view all listening connections and connected sockets. This could result in remote systems IP or port numbers in use being exposed which may be useful for further targeted attacks. Note that for local listeners, OSE restricts connections to within the gear by default, so even with the knowledge of the local port and IP the attacker is unable to connect. This bug fix updates the SELinux policy on node hosts to prevent this gear information from being accessed by local users. (CVE-2014-3602) The OpenShift Enterprise 2.2 Release Notes provide information about new features and notable technical changes in this release, as well as notes on initial installations. For more information about OpenShift Enterprise, see the documentation available at: https://access.redhat.com/site/documentation/en-US/OpenShift_Enterprise/2/ All OpenShift Enterprise users are advised to upgrade to release 2.2.