(RHSA-2014:0422) Critical: openshift-origin-broker security update

2014-04-23T04:00:00
ID RHSA-2014:0422
Type redhat
Reporter RedHat
Modified 2018-06-09T14:16:41

Description

The openshift-origin-broker package provides the OpenShift Broker service that manages all user logins, DNS name resolution, application states, and general orchestration of the applications.

The rubygem-openshift-origin-auth-remote-user package provides the remote user authentication plug-in.

A flaw was found in the way openshift-origin-broker handled authentication requests via the remote user authentication plug-in. A remote attacker able to submit a request to openshift-origin-broker could set the X-Remote-User header and send the request to a passthrough trigger, bypassing the authentication checks and gaining access to any OpenShift user account on the system. (CVE-2014-0188)

All users of Red Hat OpenShift Enterprise 1.2.7 are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the updated packages, restart the httpd daemon for this update to take effect.
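The header trust problem described above can also be guarded against inside the application, as in this added example (not Red Hat's patch and not code from the OpenShift project). It assumes a deployment where an authenticating front-end proxy is the only party meant to set X-Remote-User; the class name `TrustedRemoteUser`, the trusted proxy list, `ECHO_APP` and `demo` are hypothetical names used for illustration.

```ruby
require 'ipaddr'

# Rack-style middleware in plain Ruby (no gems). Rack exposes the
# X-Remote-User request header to the app as env['HTTP_X_REMOTE_USER'].
class TrustedRemoteUser
  HEADER = 'HTTP_X_REMOTE_USER'

  # trusted_proxies: CIDR strings of the front ends allowed to assert an
  # identity (assumed values; use the authenticating proxy's addresses).
  def initialize(app, trusted_proxies: ['127.0.0.1/32', '::1/128'])
    @app = app
    @trusted = trusted_proxies.map { |cidr| IPAddr.new(cidr) }
  end

  def call(env)
    # A header sent by an untrusted peer must never reach the auth code.
    env.delete(HEADER) unless from_trusted_proxy?(env['REMOTE_ADDR'])
    @app.call(env)
  end

  private

  def from_trusted_proxy?(addr)
    ip = IPAddr.new(addr.to_s)
    @trusted.any? { |net| net.family == ip.family && net.include?(ip) }
  rescue IPAddr::Error
    false # an unparsable peer address is treated as untrusted
  end
end

# Constructed stand-in for the application: accepts whatever user it is given.
ECHO_APP = lambda do |env|
  user = env['HTTP_X_REMOTE_USER']
  user ? [200, {}, [user]] : [401, {}, ['authentication required']]
end

# Builds a constructed request env and runs it through the middleware.
def demo(remote_addr, header_value)
  env = { 'REMOTE_ADDR' => remote_addr }
  env['HTTP_X_REMOTE_USER'] = header_value if header_value
  TrustedRemoteUser.new(ECHO_APP).call(env)
end
```

The check keys on the TCP peer address rather than on any forwarded-for header, since those are equally client-controlled.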