Bug 1144065 (CVE-2019-10214) - VUL-0: CVE-2019-10214: libcontainers-common: library does not enforce TLS connections
Summary: VUL-0: CVE-2019-10214: libcontainers-common: library does not enforce TLS con...
Status: RESOLVED FIXED
Alias: CVE-2019-10214
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P2 - High    Severity: Major
Target Milestone: ---
Assignee: Containers Team
QA Contact: Security Team bot
URL:
Whiteboard: CVSSv3:SUSE:CVE-2019-10214:9.0:(AV:N/...
Keywords:
Depends on:
Blocks:
 
Reported: 2019-08-02 15:41 UTC by Johannes Segitz
Modified: 2023-04-13 10:01 UTC
CC: 8 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Johannes Segitz 2019-08-02 15:41:00 UTC
From: Jason Shepherd <jshepher@redhat.com>
Red Hat have discovered a vulnerability in the containers/image library [1]. The library does not enforce TLS connections to the container registry authorization service [2]. An attacker could use this vulnerability to launch a MiTM attack, and steal login credentials, or bearer tokens. We've rated the vulnerability with a CVSSv3 of 8/CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N, which we classify as an important security issue. We've assigned the issue CVE-2019-10214.

Upstream issue:

https://github.com/containers/image/issues/654

Upstream patch:

https://github.com/containers/image/pull/655

The issue was discovered by a library user who reported it upstream. There is a Pull Request available which at the current time is yet to be merged. The original reporter didn't highlight the security implications as stated in the previous paragraph; instead those were reported by Red Hat engineering member Miloslav Trmač to us in the Red Hat Product Security team.

We'd like to co-ordinate an unembargo date with you, since you are a significant contributor to the library. I'm not sure yet how long it will take to get a patch into Red Hat products, but I suspect it will not take longer than a month. So I'd like to propose a tentative unembargo date of Sept 2nd 2019.
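The defensive check at the heart of this report, as an added illustration that is not the upstream containers/image patch nor code from any SUSE package: a client receiving a registry's `WWW-Authenticate: Bearer` challenge parses the realm it is told to fetch a token from and refuses to send credentials to it over plain HTTP unless the caller has explicitly opted into an insecure registry. The function names, the `allowInsecure` flag and the sample challenges are constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// ErrInsecureRealm is returned when the token realm would be contacted over
// plain HTTP, which is exactly the situation that lets an on-path attacker
// read the credentials or bearer token the client sends.
var ErrInsecureRealm = errors.New("token realm is not https; refusing to send credentials in the clear")

// parseBearerChallenge splits a `Bearer realm="...",service="...",scope="..."`
// challenge into its parameters. Only the quoted, comma separated form that
// registries actually emit is handled (constructed helper, not library code).
func parseBearerChallenge(header string) (map[string]string, error) {
	const prefix = "bearer "
	if len(header) < len(prefix) || !strings.EqualFold(header[:len(prefix)], prefix) {
		return nil, fmt.Errorf("not a Bearer challenge: %q", header)
	}
	params := map[string]string{}
	for _, kv := range splitParams(header[len(prefix):]) {
		parts := strings.SplitN(kv, "=", 2)
		if len(parts) != 2 {
			return nil, fmt.Errorf("malformed challenge parameter %q", kv)
		}
		key := strings.ToLower(strings.TrimSpace(parts[0]))
		params[key] = strings.Trim(strings.TrimSpace(parts[1]), `"`)
	}
	return params, nil
}

// splitParams splits on commas that are outside double quotes.
func splitParams(s string) []string {
	var out []string
	inQuote := false
	start := 0
	for i, c := range s {
		switch {
		case c == '"':
			inQuote = !inQuote
		case c == ',' && !inQuote:
			out = append(out, s[start:i])
			start = i + 1
		}
	}
	return append(out, s[start:])
}

// tokenEndpoint returns the authorization-service URL the client may contact
// for a challenge. The realm must be https; an http realm is accepted only
// when allowInsecure is set, mirroring an explicit insecure-registry opt-in.
func tokenEndpoint(challenge string, allowInsecure bool) (*url.URL, error) {
	params, err := parseBearerChallenge(challenge)
	if err != nil {
		return nil, err
	}
	realm, ok := params["realm"]
	if !ok {
		return nil, errors.New("Bearer challenge has no realm")
	}
	u, err := url.Parse(realm)
	if err != nil {
		return nil, fmt.Errorf("invalid realm URL: %w", err)
	}
	switch u.Scheme {
	case "https":
		// TLS protects the credential exchange; nothing more to check here.
	case "http":
		if !allowInsecure {
			return nil, ErrInsecureRealm
		}
	default:
		return nil, fmt.Errorf("unsupported realm scheme %q", u.Scheme)
	}
	// Forward service and scope as query parameters, as token servers expect.
	q := u.Query()
	if svc := params["service"]; svc != "" {
		q.Set("service", svc)
	}
	if scope := params["scope"]; scope != "" {
		q.Set("scope", scope)
	}
	u.RawQuery = q.Encode()
	return u, nil
}

func main() {
	// Constructed sample challenges, as a registry would send in a 401 response.
	for _, ch := range []string{
		`Bearer realm="https://auth.registry.example/token",service="registry.example",scope="repository:library/alpine:pull"`,
		`Bearer realm="http://auth.registry.example/token",service="registry.example"`,
	} {
		if u, err := tokenEndpoint(ch, false); err != nil {
			fmt.Println("rejected:", err)
		} else {
			fmt.Println("token endpoint:", u.String())
		}
	}
}
```

With the default `allowInsecure == false`, the first challenge yields an https token endpoint and the second is rejected with `ErrInsecureRealm`; a client that skips this scheme check will happily post its credentials to whatever realm an on-path attacker substitutes.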
Comment 2 Johannes Segitz 2019-08-09 06:49:00 UTC
From: Jason Shepherd

On review of this issue, we've reduced the CVSS score to the following:

6.4/CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

We're still rating it overall as Important because of the potential of supply chain attack against our own container delivery infrastructure. We're curious to know your thoughts on the CVSS rating given the details of this vulnerability.
Comment 6 Sascha Grunert 2019-08-30 12:15:37 UTC
Hey, the mentioned fix is part of the v3.0.0 release of containers/image.

Multiple projects use this library, such as:

- cri-o v1.15.0: currently affected, fixed with v1.15.1 (unreleased)
- podman fixed with v1.5.0
- skopeo fixed with v0.1.38
- buildah fixed with v1.10.0

We’re pretty up to date in factory, but the versions for SLE 15 may be outdated.
Comment 7 Sascha Grunert 2019-08-30 12:17:12 UTC
libcontainers-common is not affected because it does not provide the vulnerability related code part. It's more a collection of man pages and configuration files for the related projects.
Comment 9 Sascha Grunert 2019-09-02 11:57:20 UTC
(In reply to Johannes Segitz from comment #8)
> CRD: 2019-09-09
> 
> RH asked for an extension but unfortunately they only mailed me despite my
> vacation reminder

Thanks, that's something which really helps us, too. Did they add a reason regarding the extension? It might be related to the not yet released version of CRI-O 1.15.1.
Comment 10 Sascha Grunert 2019-09-02 12:14:30 UTC
Created MRs for podman, skopeo, buildah in IBS:

- https://build.suse.de/request/show/200032
- https://build.suse.de/request/show/200033
- https://build.suse.de/request/show/200034

CRI-O is not on SLE, so I'm waiting to see whether we push 1.15.1 once it is available.
Comment 11 Sascha Grunert 2019-09-02 12:22:55 UTC
Revoked the requests for skopeo and buildah since I'm not sure if they're really affected. I'm investigating this.
Comment 12 Sascha Grunert 2019-09-02 13:08:55 UTC
Okay fine, I think we're good with these three patches for SLE15/Leap:

https://build.suse.de/request/show/200047
https://build.suse.de/request/show/200046
https://build.suse.de/request/show/200045
Comment 13 Sascha Grunert 2019-09-02 14:20:56 UTC
Added patch for CaaSP v4: https://build.suse.de/request/show/200055
Comment 19 Marcus Meissner 2019-09-10 06:36:51 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=1732508 is public
Comment 21 Swamp Workflow Management 2019-09-10 13:11:48 UTC
SUSE-SU-2019:2341-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1144065
CVE References: CVE-2019-10214
Sources used:
SUSE Linux Enterprise Module for Containers 15-SP1 (src):    buildah-1.7.1-3.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 22 Swamp Workflow Management 2019-09-10 13:12:27 UTC
SUSE-SU-2019:2340-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1144065
CVE References: CVE-2019-10214
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP1 (src):    skopeo-0.1.32-4.8.1
SUSE Linux Enterprise Module for Server Applications 15 (src):    skopeo-0.1.32-4.8.1
Comment 23 Swamp Workflow Management 2019-09-10 16:13:21 UTC
SUSE-SU-2019:2346-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1144065
CVE References: CVE-2019-10214
Sources used:
SUSE Linux Enterprise Module for Containers 15-SP1 (src):    podman-1.4.4-4.11.1
Comment 24 Swamp Workflow Management 2019-09-12 20:13:41 UTC
SUSE-SU-2019:2369-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1144065
CVE References: CVE-2019-10214
Sources used:
SUSE CaaS Platform 4.0 (src):    cri-o-1.15.0-3.3.2
Comment 25 Swamp Workflow Management 2019-09-12 20:25:03 UTC
SUSE-SU-2019:2368-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1144065
CVE References: CVE-2019-10214
Sources used:
SUSE CaaS Platform 3.0 (src):    cri-o-1.11.14-4.14.1
Comment 26 Swamp Workflow Management 2019-09-15 16:10:29 UTC
openSUSE-SU-2019:2137-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1144065
CVE References: CVE-2019-10214
Sources used:
openSUSE Leap 15.1 (src):    buildah-1.7.1-lp151.2.3.1
Comment 27 Swamp Workflow Management 2019-09-15 16:11:07 UTC
openSUSE-SU-2019:2138-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1144065
CVE References: CVE-2019-10214
Sources used:
openSUSE Leap 15.1 (src):    skopeo-0.1.32-lp151.2.3.1
Comment 28 Swamp Workflow Management 2019-09-16 22:11:54 UTC
openSUSE-SU-2019:2143-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1144065
CVE References: CVE-2019-10214
Sources used:
openSUSE Leap 15.1 (src):    podman-1.4.4-lp151.3.6.1
Comment 29 Flavio Castelli 2019-09-23 08:53:28 UTC
I think this can be closed as fixed now.
Comment 30 Swamp Workflow Management 2019-09-24 13:22:46 UTC
openSUSE-SU-2019:2159-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1144065
CVE References: CVE-2019-10214
Sources used:
openSUSE Leap 15.0 (src):    skopeo-0.1.32-lp150.8.1
Comment 35 Swamp Workflow Management 2020-01-13 23:16:36 UTC
SUSE-FU-2020:0089-1: An update that has 11 feature fixes can now be installed.

Category: feature (moderate)
Bug References: 1100838,1118897,1118898,1118899,1143813,1144065,1146991,1147142,1152861,1155810,1156646
CVE References: 
Sources used:
SUSE CaaS Platform 4.0 (src):    caasp-release-4.1.0-24.9.1, conmon-2.0.0-1.7.1, cri-o-1.16.0-3.22.2, cri-tools-1.16.1-3.7.1, helm-2.16.1-3.7.1, kubernetes-1.16.2-4.7.1, patterns-caasp-Node-1.15-1.16-1.2-3.11.1, patterns-caasp-Node-1.16-1.2-3.11.2, release-notes-caasp-4.1.20191218-4.16.2, skuba-1.2.1-3.21.1
Comment 37 Swamp Workflow Management 2020-04-26 19:17:10 UTC
openSUSE-SU-2020:0554-1: An update that solves 7 vulnerabilities and has 22 fixes is now available.

Category: security (important)
Bug References: 1039663,1042383,1042387,1057277,1059207,1061027,1065972,1069469,1084765,1084766,1085009,1086185,1086412,1095131,1095154,1096773,1097473,1100838,1101010,1104598,1104821,1112980,1118897,1118898,1136403,1144065,1155323,1161056,1161179
CVE References: CVE-2016-5195,CVE-2016-8859,CVE-2017-1002101,CVE-2018-1002105,CVE-2018-16873,CVE-2018-16874,CVE-2019-10214
Sources used:
openSUSE Leap 15.1 (src):    cri-o-1.17.1-lp151.2.2, cri-tools-1.18.0-lp151.2.1, go1.14-1.14-lp151.6.1, kubernetes-1.18.0-lp151.5.1
Comment 38 OBSbugzilla Bot 2021-02-12 04:20:07 UTC
This is an autogenerated message for OBS integration:
This bug (1144065) was mentioned in
https://build.opensuse.org/request/show/871315 15.2 / buildah
Comment 39 Swamp Workflow Management 2021-02-19 14:15:00 UTC
openSUSE-SU-2021:0310-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1144065,1165184
CVE References: CVE-2019-10214,CVE-2020-10696
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    buildah-1.19.2-lp152.2.3.1, libcontainers-common-20210112-lp152.2.6.1, podman-2.2.1-lp152.4.9.1