CVE-2019-4415
Description
IBM Cloud Private 3.1.1 and 3.1.2 could allow a local user to obtain elevated privileges due to improper security context constraints. IBM X-Force ID: 162706.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
IBM Cloud Private 3.1.1/3.1.2 on OpenShift misassigns the icp-scc SecurityContextConstraint to all pods, allowing local privilege escalation.
Vulnerability
IBM Cloud Private versions 3.1.1 and 3.1.2, when deployed on OpenShift clusters, improperly assign the icp-scc SecurityContextConstraint (SCC) to pods in all namespaces. This occurs for pods managed by Deployments, StatefulSets, DaemonSets, Jobs, and other controllers, regardless of the user ID used to create the resource or the service account assigned to the pod [1].
Exploitation
An attacker with local access to the cluster can exploit the misconfigured SCC to run pods with elevated privileges. The icp-scc SCC is erroneously applied via the SCC's group membership, allowing any pod to inherit its permissions without needing specific user or service account associations [1].
Impact
Successful exploitation allows a local user to obtain elevated privileges, potentially leading to limited confidentiality, integrity, and availability impacts (CVSS 4.9, vector AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L) [1].
Mitigation
IBM recommends applying the following kubectl commands on the master node to restrict icp-scc to only authorized service accounts:
kubectl patch scc icp-scc --type='json' -p='[{"op": "remove", "path": "/groups"}]'
kubectl patch scc icp-scc --type='json' -p='[{"op": "add", "path": "/users", "value": ["system:serviceaccount:kube-system:default","system:serviceaccount:istio-system:default", "system:serviceaccount:icp-system:default","system:serviceaccount:cert-manager:default"]}]'
This fix removes group-level access and explicitly grants the SCC to specific system service accounts. No workaround is provided beyond this remediation [1].
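To verify that the remediation above has taken effect, or to replay it against an exported SCC, here is an added Python example that is not part of the advisory or of IBM's tooling; it takes the SCC as JSON (for instance the output of `kubectl get scc icp-scc -o json`), applies the two JSON Patch operations from the kubectl commands, and audits the result. The sample SCC document and its group name are constructed placeholders, not values from the advisory.

```python
import json
from copy import deepcopy

# Constructed sample of an icp-scc document before the fix (placeholder content).
# The advisory does not name the bound group, so a placeholder is used here.
VULNERABLE_SCC = json.loads("""
{
  "apiVersion": "security.openshift.io/v1",
  "kind": "SecurityContextConstraints",
  "metadata": {"name": "icp-scc"},
  "groups": ["example-group-placeholder"],
  "users": []
}
""")

# Service accounts that IBM's remediation grants the SCC to, verbatim.
AUTHORIZED_USERS = [
    "system:serviceaccount:kube-system:default",
    "system:serviceaccount:istio-system:default",
    "system:serviceaccount:icp-system:default",
    "system:serviceaccount:cert-manager:default",
]

# The two JSON Patch operations from the kubectl commands, as data.
REMEDIATION_PATCH = [
    {"op": "remove", "path": "/groups"},
    {"op": "add", "path": "/users", "value": AUTHORIZED_USERS},
]

def apply_patch(scc, ops):
    """Apply the top-level RFC 6902 remove/add ops used by the remediation."""
    doc = deepcopy(scc)
    for op in ops:
        key = op["path"].lstrip("/")
        if op["op"] == "remove":
            del doc[key]          # like kubectl, fails if the path is absent
        elif op["op"] == "add":
            doc[key] = op["value"]
        else:
            raise ValueError(f"unsupported op {op['op']}")
    return doc

def audit_scc(scc, allowed_users):
    """Return findings; an empty list means the SCC is in the remediated state."""
    findings = []
    if scc.get("groups"):
        findings.append(f"groups still bound: {scc['groups']}")
    extra = sorted(set(scc.get("users", [])) - set(allowed_users))
    if extra:
        findings.append(f"users outside allowlist: {extra}")
    return findings
```

Run `audit_scc` over each SCC exported from the cluster; any non-empty result for icp-scc means the group binding or an unexpected user grant is still present.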
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=3.1.2
- IBM / Cloud Private (v5), Range: 3.1.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- www.ibm.com/support/docview.wss (mitre, x_refsource_CONFIRM)
- exchange.xforce.ibmcloud.com/vulnerabilities/162706 (mitre, vdb-entry, x_refsource_XF)
News mentions
No linked articles in our index yet.