IBM Support

Security Bulletin: In IBM Cloud Private on OpenShift icp-scc SecurityContextContraints is erroneously assigned to all pods in all namespaces

Security Bulletin


Summary

In IBM Cloud Private on OpenShift icp-scc SecurityContextContraints is erroneously assigned to all pods in all namespaces

Vulnerability Details

CVEID: CVE-2019-4415
DESCRIPTION: IBM Cloud Private could allow a local user to obtain elevated privileges due to improper security context constraints.
CVSS Base Score: 4.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/162706 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)

Affected Products and Versions

IBM Cloud Private 3.1.1, 3.1.2

Remediation/Fixes

For IBM Cloud Private 3.1.1 or 3.1.2:

In OpenShift clusters, the icp-scc SecurityContextContraints resource is erroneously assigned to all pods in all namespaces that use Deployments, StatefulSets, DaemonSets, Jobs, and other controllers that manage pods. The icp-scc SecurityContextContraints is assigned regardless of the user ID that was used to create the resource or the service account that is assigned to the pod.

To resolve the issue, run the following kubectl commands on the master node:

  1. kubectl patch scc icp-scc --type='json' -p='[{"op": "remove", "path": "/groups"}]'
  2. kubectl patch scc icp-scc --type='json' -p='[{"op": "add", "path": "/users", "value": ["system:serviceaccount:kube-system:default","system:serviceaccount:istio-system:default", "system:serviceaccount:icp-system:default","system:serviceaccount:cert-manager:default"] }]'

Reference: 

https://www-03preprod.ibm.com/support/knowledgecenter/SSBS6K_3.2.0/supported_environments/openshift/known_issues_openshift.html#scc

Workarounds and Mitigations

See Remediation/Fixes

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support alerts like this.

References

Complete CVSS v3 Guide
On-line Calculator v3

Off

Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

xx June 2019 - Original version published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Document Location

Worldwide

[{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSBS6K","label":"IBM Cloud Private"},"Component":"","Platform":[{"code":"PF016","label":"Linux"}],"Version":"All Versions","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
23 July 2019

UID

ibm10887857

Page Feedback