
CVE-2019-19335 : What You Need to Know

Learn about CVE-2019-19335 affecting OpenShift 4.2. Find out how the vulnerability in openshift-install tool can lead to unauthorized access to sensitive files, impacting OpenShift API server security. Discover mitigation steps and preventive measures.

OpenShift 4.2 vulnerability in the openshift-install command line tool

Understanding CVE-2019-19335

This CVE involves a vulnerability in OpenShift 4.2 that affects the openshift-install command line tool.

What is CVE-2019-19335?

When setting up an OpenShift 4 cluster, the openshift-install tool generates an auth directory containing sensitive files, kubeconfig and kubeadmin-password, whose default permissions allow unintended access.

The Impact of CVE-2019-19335

The vulnerability in ose-installer can lead to unauthorized access to authentication credentials, posing a risk to the security of the OpenShift API server.

Technical Details of CVE-2019-19335

This section provides detailed technical information about the CVE.

Vulnerability Description

The vulnerability arises from incorrect default permissions on sensitive files generated by the openshift-install tool during OpenShift 4 cluster setup.

Affected Systems and Versions

        Product: openshift/installer
        Vendor: Red Hat
        Versions Affected: ose-installer as shipped in OpenShift 4.2

Exploitation Mechanism

The vulnerability allows attackers with high privileges to access authentication credentials stored in the auth directory, compromising the security of the OpenShift API server.

Mitigation and Prevention

Protect your system from CVE-2019-19335 with the following steps:

Immediate Steps to Take

        Restrict access to the auth directory and its contents.
        Monitor and audit access to sensitive files regularly.
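The two steps above can be checked and enforced with a small shell script. The following is an added example written for this page; it is not code from the advisory or from the openshift-install project. It assumes a POSIX shell with GNU stat, that the install directory is passed as the only argument, and that the files under auth are named kubeconfig and kubeadmin-password as the advisory states. The audit function reports any of those files whose mode grants group or other any permission bits; the harden function resets the directory to 0700 and the files to 0600.

```shell
#!/bin/sh
# Added example (not from the page or from openshift-install): audit and tighten
# permissions on the credential files written under <install-dir>/auth.
# Assumes GNU stat (-c '%a' prints the octal mode, e.g. 644 or 1644).

# audit_auth_dir DIR
#   Prints a warning for each credential file in DIR/auth whose group or
#   other permission digit is non-zero. Returns 0 when every file present is
#   owner-only, 1 otherwise. Missing files are skipped, not reported.
audit_auth_dir() {
    dir="$1/auth"
    rc=0
    for f in "$dir/kubeconfig" "$dir/kubeadmin-password"; do
        [ -e "$f" ] || continue
        mode=$(stat -c '%a' "$f")
        # Zero-pad to four digits so the last three are always user/group/other,
        # whatever leading setuid/setgid/sticky digit stat printed.
        perm=$(printf '%04d' "$mode")
        group=${perm#??}; group=${group%?}   # third digit
        other=${perm#???}                     # fourth digit
        if [ "$group" -ne 0 ] || [ "$other" -ne 0 ]; then
            echo "WARN: $f has mode $mode (group/other bits set)"
            rc=1
        fi
    done
    return $rc
}

# harden_auth_dir DIR
#   Makes DIR/auth owner-only (0700) and each credential file owner
#   read/write only (0600). Returns 0 on success.
harden_auth_dir() {
    dir="$1/auth"
    chmod 0700 "$dir"
    for f in "$dir/kubeconfig" "$dir/kubeadmin-password"; do
        if [ -e "$f" ]; then
            chmod 0600 "$f"
        fi
    done
    return 0
}

# Stand-alone usage: ./auth-perms.sh /path/to/install-dir
# Audits first; only tightens permissions if the audit finds a problem.
if [ -n "${1:-}" ]; then
    if ! audit_auth_dir "$1"; then
        harden_auth_dir "$1"
        echo "Permissions tightened under $1/auth"
    fi
fi
```

Run the audit from cron or a CI job against every install directory you keep around; a non-zero exit is the signal to investigate who widened the mode and to re-run the harden step.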

Long-Term Security Practices

        Implement the principle of least privilege for file permissions.
        Conduct regular security assessments and updates to address vulnerabilities.

Patching and Updates

Apply patches and updates provided by Red Hat to fix the vulnerability and enhance system security.
