CVE-2019-10150

It was found that OpenShift Container Platform versions 3.6.x - 4.6.0 does not perform SSH Host Key checking when using ssh key authentication during builds. An attacker, with the ability to redirect network traffic, could use this to alter the resulting build output.

Weakness

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Affected Software

Potential Mitigations

Related Attack Patterns

• https://cwe.mitre.org/data/definitions/114.html
• https://cwe.mitre.org/data/definitions/115.html
• https://cwe.mitre.org/data/definitions/151.html
• https://cwe.mitre.org/data/definitions/194.html
• https://cwe.mitre.org/data/definitions/22.html
• https://cwe.mitre.org/data/definitions/57.html
• https://cwe.mitre.org/data/definitions/593.html
• https://cwe.mitre.org/data/definitions/633.html
• https://cwe.mitre.org/data/definitions/650.html
• https://cwe.mitre.org/data/definitions/94.html

References

• https://access.redhat.com/errata/RHSA-2019:2989
• https://access.redhat.com/errata/RHSA-2019:3007
• https://access.redhat.com/errata/RHSA-2019:3143
• https://access.redhat.com/errata/RHSA-2019:3811
• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10150
• https://docs.openshift.com/container-platform/3.11/dev_guide/builds/build_inputs.html#source-secrets-ssh-key-authentication
• https://access.redhat.com/errata/RHSA-2019:2989
• https://access.redhat.com/errata/RHSA-2019:3007
• https://access.redhat.com/errata/RHSA-2019:3143
• https://access.redhat.com/errata/RHSA-2019:3811
• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10150
• https://docs.openshift.com/container-platform/3.11/dev_guide/builds/build_inputs.html#source-secrets-ssh-key-authentication