Red Hat OpenShift Enterprise 3.2, when multi-tenant SDN is enabled and a build is run in a namespace that would normally be isolated from pods in other namespaces, allows remote authenticated users to access network resources on restricted pods via an s2i build with a builder image that (1) contains ONBUILD commands or (2) does not contain a tar binary.
A flaw was found in OpenShift Enterprise when multi-tenant SDN is enabled and a build is run within a namespace that would normally be isolated from pods in other namespaces. If an s2i build is run in such an environment, the container being built can access network resources on pods that should not be available to it.
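An added example, not part of the advisory or of OpenShift's code: a Python audit that flags builder images meeting either condition named above, given one image's `docker inspect` document (its `Config.OnBuild` field) and a listing of the image's file paths. The function names, the searched directories and the sample images are assumptions constructed for illustration.

```python
import json
import posixpath

# Assumption: directories searched for a tar binary (typical PATH entries).
BIN_DIRS = ("bin", "usr/bin", "usr/local/bin", "sbin", "usr/sbin")


def onbuild_triggers(inspect_doc):
    """Return the ONBUILD triggers recorded in the image config (may be empty)."""
    config = inspect_doc.get("Config") or {}
    return list(config.get("OnBuild") or [])  # Docker stores null when unset


def has_tar(file_paths):
    """True if any listed path is a tar binary in one of BIN_DIRS."""
    wanted = {posixpath.join(d, "tar") for d in BIN_DIRS}
    for path in file_paths:
        # Listings may use "./usr/bin/tar", "/usr/bin/tar" or "usr/bin/tar".
        if posixpath.normpath(path.strip()).lstrip("/") in wanted:
            return True
    return False


def audit_builder_image(inspect_doc, file_paths):
    """Return the advisory's conditions that this builder image meets."""
    findings = []
    triggers = onbuild_triggers(inspect_doc)
    if triggers:
        findings.append("ONBUILD commands present: " + "; ".join(triggers))
    if not has_tar(file_paths):
        findings.append("no tar binary found in " + ", ".join(BIN_DIRS))
    return findings


# Constructed sample data: two hypothetical builder images.
SAMPLE_INSPECT = json.loads("""
[{"RepoTags": ["example/builder-a:latest"],
  "Config": {"OnBuild": ["COPY . /opt/app-root/src", "RUN ./build.sh"]}},
 {"RepoTags": ["example/builder-b:latest"], "Config": {"OnBuild": null}}]
""")
SAMPLE_FILES = {
    "example/builder-a:latest": ["./bin/sh", "./usr/bin/tar"],
    "example/builder-b:latest": ["bin/sh", "usr/bin/gzip"],
}

if __name__ == "__main__":
    for doc in SAMPLE_INSPECT:
        tag = doc["RepoTags"][0]
        for finding in audit_builder_image(doc, SAMPLE_FILES[tag]):
            print(tag + ": " + finding)
```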