Bugzilla – Bug 1144065
VUL-0: CVE-2019-10214: libcontainers-common: library does not enforce TLS connections
Last modified: 2023-04-13 10:01:33 UTC
From: Jason Shepherd <jshepher@redhat.com>

Red Hat have discovered a vulnerability in the containers/image library [1]. The library does not enforce TLS connections to the container registry authorization service [2]. An attacker could use this vulnerability to launch a MiTM attack, and steal login credentials, or bearer tokens.

We've rated the vulnerability with a CVSSv3 of 8/CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N, which we classify as an important security issue. We've assigned the issue CVE-2019-10214.

Upstream issue: https://github.com/containers/image/issues/654
Upstream patch: https://github.com/containers/image/pull/655

The issue was discovered by a library user who reported it upstream. There is a Pull Request available which at the current time is yet to be merged. The original reporter didn't highlight the security implications as stated in the previous paragraph; instead those were reported by Red Hat engineering member Miloslav Trmač to us in the Red Hat Product Security team.

We'd like to co-ordinate an unembargo date with you, since you are a significant contributor to the library. I'm not sure yet how long it will take to get a patch into Red Hat products, but I suspect it will not take longer than a month. So I'd like to propose a tentative unembargo date of Sept 2nd 2019.
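To make the vulnerability class in the report above concrete, here is an added example (written for this page, not code from containers/image or from the upstream fix in PR 655): a client that follows the registry's WWW-Authenticate Bearer challenge to fetch a token. The challenge's realm is chosen by whoever answers the registry request, so a man-in-the-middle can point it at a plain http:// URL and read the basic-auth credentials or the returned bearer token. The vulnerable helper takes the realm as given; the hardened helper rejects any non-https realm unless the caller has explicitly opted into plaintext for that registry. The Bearer-challenge parser, the function names and the `allowPlaintext` flag are assumptions of this example, and the header value is constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Challenge is a parsed "WWW-Authenticate: Bearer ..." header value.
type Challenge struct {
	Scheme string
	Params map[string]string
}

// ErrInsecureRealm is returned when the token realm would be contacted in cleartext.
var ErrInsecureRealm = errors.New("bearer token realm is not https")

// ParseBearerChallenge parses a value such as
//   Bearer realm="https://auth.example.test/token",service="registry",scope="repository:foo:pull"
// Values may be quoted or bare; commas inside quotes (e.g. in scope) are preserved.
func ParseBearerChallenge(header string) (Challenge, error) {
	scheme, rest, _ := strings.Cut(strings.TrimSpace(header), " ")
	ch := Challenge{Scheme: scheme, Params: map[string]string{}}
	if !strings.EqualFold(scheme, "Bearer") {
		return ch, fmt.Errorf("not a Bearer challenge: %q", scheme)
	}
	for _, kv := range splitParams(rest) {
		k, v, ok := strings.Cut(kv, "=")
		if !ok {
			return ch, fmt.Errorf("malformed challenge parameter %q", kv)
		}
		ch.Params[strings.ToLower(strings.TrimSpace(k))] = strings.Trim(strings.TrimSpace(v), `"`)
	}
	return ch, nil
}

// splitParams splits on commas that are not inside double quotes.
func splitParams(s string) []string {
	var out []string
	var cur strings.Builder
	inQuote := false
	for _, r := range s {
		switch {
		case r == '"':
			inQuote = !inQuote
			cur.WriteRune(r)
		case r == ',' && !inQuote:
			out = append(out, cur.String())
			cur.Reset()
		default:
			cur.WriteRune(r)
		}
	}
	if cur.Len() > 0 {
		out = append(out, cur.String())
	}
	return out
}

// TokenEndpointVulnerable returns the realm exactly as the (untrusted) challenge
// names it. An http:// realm is accepted, so credentials sent to it, and the
// token it returns, travel in cleartext. This is the weak pattern, not library code.
func TokenEndpointVulnerable(ch Challenge) (string, error) {
	realm, ok := ch.Params["realm"]
	if !ok {
		return "", errors.New("missing realm in bearer challenge")
	}
	return realm, nil
}

// TokenEndpointHardened additionally requires an https realm. allowPlaintext is a
// hypothetical per-registry opt-in; only with it set is an http realm accepted.
func TokenEndpointHardened(ch Challenge, allowPlaintext bool) (string, error) {
	realm, ok := ch.Params["realm"]
	if !ok {
		return "", errors.New("missing realm in bearer challenge")
	}
	u, err := url.Parse(realm)
	if err != nil {
		return "", fmt.Errorf("invalid realm %q: %w", realm, err)
	}
	if u.Scheme == "https" || (allowPlaintext && u.Scheme == "http") {
		return realm, nil
	}
	return "", fmt.Errorf("%w: %s", ErrInsecureRealm, realm)
}

func main() {
	// Constructed challenge, as an on-path attacker could inject it.
	hdr := `Bearer realm="http://auth.example.test/token",service="registry",scope="repository:lib/busybox:pull,push"`
	ch, err := ParseBearerChallenge(hdr)
	if err != nil {
		panic(err)
	}
	v, _ := TokenEndpointVulnerable(ch)
	fmt.Println("vulnerable client would POST credentials to:", v)
	_, err = TokenEndpointHardened(ch, false)
	fmt.Println("hardened client:", err)
}
```

Checking the realm scheme is the client-side half of the fix; the other half is making the token request with the same TLS configuration (CA bundle, verification settings) the client already uses for the registry itself, rather than a default HTTP client.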
From: Jason Shepherd

On review of this issue, we've reduced the CVSS score to the following: 6.4/CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

We're still rating it overall as Important because of the potential of supply chain attack against our own container delivery infrastructure. We're curious to know your thoughts on the CVSS rating given the details of this vulnerability.
Hey, the mentioned fix is part of the v3.0.0 release of containers/image. Multiple projects use this library, such as:
- cri-o v1.15.0: currently affected, fixed with v1.15.1 (unreleased)
- podman fixed with v1.5.0
- skopeo fixed with v0.1.38
- buildah fixed with v1.10.0

We're pretty up to date in factory, but the versions for SLE 15 may be outdated.
libcontainers-common is not affected because it does not provide the vulnerability related code part. It's more a collection of man pages and configuration files for the related projects.
(In reply to Johannes Segitz from comment #8)
> CRD: 2019-09-09
>
> RH asked for an extension but unfortunately they only mailed me despite my
> vacation reminder

Thanks, that's something which really helps us, too. Did they add a reason regarding the extension? It might be related to the not yet released version of CRI-O 1.15.1.
Created MRs for podman, skopeo, buildah in IBS:
- https://build.suse.de/request/show/200032
- https://build.suse.de/request/show/200033
- https://build.suse.de/request/show/200034

CRI-O is not on SLE, so I'm waiting to see whether we push 1.15.1 once it is available.
Revoked the requests for skopeo and buildah since I'm not sure if they're really affected. I'm investigating this.
Okay fine, I think we're good with these three patches for SLE15/Leap:
https://build.suse.de/request/show/200047
https://build.suse.de/request/show/200046
https://build.suse.de/request/show/200045
Added patch for CaaSP v4: https://build.suse.de/request/show/200055
https://bugzilla.redhat.com/show_bug.cgi?id=1732508 is public
SUSE-SU-2019:2341-1: An update that fixes one vulnerability is now available.
Category: security (important)
Bug References: 1144065
CVE References: CVE-2019-10214
Sources used:
SUSE Linux Enterprise Module for Containers 15-SP1 (src): buildah-1.7.1-3.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2019:2340-1: An update that fixes one vulnerability is now available.
Category: security (important)
Bug References: 1144065
CVE References: CVE-2019-10214
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP1 (src): skopeo-0.1.32-4.8.1
SUSE Linux Enterprise Module for Server Applications 15 (src): skopeo-0.1.32-4.8.1
SUSE-SU-2019:2346-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 1144065
CVE References: CVE-2019-10214
Sources used:
SUSE Linux Enterprise Module for Containers 15-SP1 (src): podman-1.4.4-4.11.1
SUSE-SU-2019:2369-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 1144065
CVE References: CVE-2019-10214
Sources used:
SUSE CaaS Platform 4.0 (src): cri-o-1.15.0-3.3.2
SUSE-SU-2019:2368-1: An update that fixes one vulnerability is now available.
Category: security (important)
Bug References: 1144065
CVE References: CVE-2019-10214
Sources used:
SUSE CaaS Platform 3.0 (src): cri-o-1.11.14-4.14.1
openSUSE-SU-2019:2137-1: An update that fixes one vulnerability is now available.
Category: security (important)
Bug References: 1144065
CVE References: CVE-2019-10214
Sources used:
openSUSE Leap 15.1 (src): buildah-1.7.1-lp151.2.3.1
openSUSE-SU-2019:2138-1: An update that fixes one vulnerability is now available.
Category: security (important)
Bug References: 1144065
CVE References: CVE-2019-10214
Sources used:
openSUSE Leap 15.1 (src): skopeo-0.1.32-lp151.2.3.1
openSUSE-SU-2019:2143-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 1144065
CVE References: CVE-2019-10214
Sources used:
openSUSE Leap 15.1 (src): podman-1.4.4-lp151.3.6.1
I think this can be closed as fixed now.
openSUSE-SU-2019:2159-1: An update that fixes one vulnerability is now available.
Category: security (important)
Bug References: 1144065
CVE References: CVE-2019-10214
Sources used:
openSUSE Leap 15.0 (src): skopeo-0.1.32-lp150.8.1
SUSE-FU-2020:0089-1: An update that has 11 feature fixes can now be installed.
Category: feature (moderate)
Bug References: 1100838,1118897,1118898,1118899,1143813,1144065,1146991,1147142,1152861,1155810,1156646
CVE References:
Sources used:
SUSE CaaS Platform 4.0 (src): caasp-release-4.1.0-24.9.1, conmon-2.0.0-1.7.1, cri-o-1.16.0-3.22.2, cri-tools-1.16.1-3.7.1, helm-2.16.1-3.7.1, kubernetes-1.16.2-4.7.1, patterns-caasp-Node-1.15-1.16-1.2-3.11.1, patterns-caasp-Node-1.16-1.2-3.11.2, release-notes-caasp-4.1.20191218-4.16.2, skuba-1.2.1-3.21.1
openSUSE-SU-2020:0554-1: An update that solves 7 vulnerabilities and has 22 fixes is now available.
Category: security (important)
Bug References: 1039663,1042383,1042387,1057277,1059207,1061027,1065972,1069469,1084765,1084766,1085009,1086185,1086412,1095131,1095154,1096773,1097473,1100838,1101010,1104598,1104821,1112980,1118897,1118898,1136403,1144065,1155323,1161056,1161179
CVE References: CVE-2016-5195,CVE-2016-8859,CVE-2017-1002101,CVE-2018-1002105,CVE-2018-16873,CVE-2018-16874,CVE-2019-10214
Sources used:
openSUSE Leap 15.1 (src): cri-o-1.17.1-lp151.2.2, cri-tools-1.18.0-lp151.2.1, go1.14-1.14-lp151.6.1, kubernetes-1.18.0-lp151.5.1
This is an autogenerated message for OBS integration:
This bug (1144065) was mentioned in https://build.opensuse.org/request/show/871315 15.2 / buildah
openSUSE-SU-2021:0310-1: An update that fixes two vulnerabilities is now available.
Category: security (moderate)
Bug References: 1144065,1165184
CVE References: CVE-2019-10214,CVE-2020-10696
JIRA References:
Sources used:
openSUSE Leap 15.2 (src): buildah-1.19.2-lp152.2.3.1, libcontainers-common-20210112-lp152.2.6.1, podman-2.2.1-lp152.4.9.1