Preface: Refer to market statistic on 2018, the growth in cloud revenues appear to be the strongest for Microsoft and weakest for IBM.
Vulnerability details: In IBM Cloud Private on OpenShift icp-scc SecurityContextContraints is erroneously assigned to all pods in all namespaces
Remedy: For IBM Cloud Private 3.1.1 or 3.1.2:
To resolve the issue, run the following kubectl commands on the master node:
- kubectl patch scc icp-scc –type=’json’ -p='[{“op”: “remove”, “path”: “/groups”}]’
- kubectl patch scc icp-scc –type=’json’ -p='[{“op”: “add”, “path”: “/users”, “value”: [“system:serviceaccount:kube-system:default”,”system:serviceaccount:istio-system:default”, “system:serviceaccount:icp-system:default”,”system:serviceaccount:cert-manager:default”] }]’
Reference:
The privileged
SCC allows:
- Users to run privileged pods
- Pods to mount host directories as volumes
- Pods to run as any user
- Pods to run with any MCS label
- Pods to use the host’s IPC namespace
- Pods to use the host’s PID namespace
- Pods to use any FSGroup
- Pods to use any supplemental group
- Pods to use any seccomp profiles
- Pods to request any capabilities
The restricted
SCC:
- Ensures that pods cannot run as privileged.
- Ensures that pods cannot mount host directory volumes.
- Requires that a pod run as a user in a pre-allocated range of UIDs.
- Requires that a pod run with a pre-allocated MCS label.
- Allows pods to use any FSGroup.
- Allows pods to use any supplemental group.
Supplement: CVE-2019-4439 – IBM Cloud Private 3.1.0, 3.1.1, and 3.1.2 does not invalidate session after logout which could allow a local user to impersonate another user on the system.
Remedy – For IBM Cloud Private 3.1.2, apply patch: https://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/WebSphere/IBM+Cloud+Private&release=All&platform=All&function=fixId&fixids=icp-3.1.2-build520356-23797&includeSupersedes=0