Authentication Bypass by Primary Weakness Affecting openshift-clients-redistributable package, versions <0:4.1.27-201912021146.git.0.a40116f.el8_0
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-RHEL8-OPENSHIFTCLIENTSREDISTRIBUTABLE-4403554
- published 26 Mar 2023
- disclosed 24 Apr 2019
Introduced: 24 Apr 2019
CVE-2017-18367 Open this link in a new tabHow to fix?
Upgrade RHEL:8 openshift-clients-redistributable to version 0:4.1.27-201912021146.git.0.a40116f.el8_0 or higher.
This issue was patched in RHSA-2019:4087.
NVD Description
Note: Versions mentioned in the description apply only to the upstream openshift-clients-redistributable package and not the openshift-clients-redistributable package as distributed by RHEL.
See How to fix? for RHEL:8 relevant fixed versions and status.
libseccomp-golang 0.9.0 and earlier incorrectly generates BPFs that OR multiple arguments rather than ANDing them. A process running under a restrictive seccomp filter that specified multiple syscall arguments could bypass intended access restrictions by specifying a single matching argument.
References
- https://access.redhat.com/security/cve/CVE-2017-18367
- https://github.com/seccomp/libseccomp-golang/issues/22
- https://github.com/seccomp/libseccomp-golang/commit/06e7a29f36a34b8cf419aeb87b979ee508e58f9e
- http://www.openwall.com/lists/oss-security/2019/04/25/6
- https://access.redhat.com/errata/RHSA-2019:4087
- https://lists.debian.org/debian-lts-announce/2020/08/msg00016.html
- https://usn.ubuntu.com/4574-1/