Bug 1291963 (CVE-2015-7561) - CVE-2015-7561 OpenShift3: Private Docker images can be used by any user, once they are pulled to a node
Summary: CVE-2015-7561 OpenShift3: Private Docker images can be used by any user, once...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: CVE-2015-7561
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1288094
Blocks: 1291965
TreeView+ depends on / blocked
 
Reported: 2015-12-16 04:50 UTC by Kurt Seifried
Modified: 2019-09-29 13:40 UTC (History)
11 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-11-01 23:52:16 UTC
Embargoed:

Attachments (Terms of Use)

Description Kurt Seifried 2015-12-16 04:50:57 UTC 
Miheer Salunke of Red Hat reports:

When a private image is pulled to a node any other user on the node can use 
this private image if they know the name of the image. It should be noted that 
the image name typically includes a SHA hash in the value making it difficult
to guess.
Comment 1 Trevor Jay 2016-09-06 23:54:43 UTC 
Clayton,

Doing some follow-up, can you (or anyone really) point me at a commit for this?

_Trevor
Comment 2 Andy Goldstein 2016-11-01 19:05:25 UTC 
Kube PR for AlwaysPullImages admission controller: https://github.com/kubernetes/kubernetes/pull/18909

Kube Docs: http://kubernetes.io/docs/admin/admission-controllers/#alwayspullimages

Example showing how to enable it in OpenShift config: https://docs.openshift.com/container-platform/3.3/architecture/additional_concepts/admission_controllers.html
Note You need to log in before you can comment on or make changes to this bug.