Описание
It was found that default configuration of Heketi does not require any authentication potentially exposing the management interface to misuse. This isue only affects heketi as shipped with Openshift Container Platform 3.11.
It was found that the default configuration of Heketi does not require any authentication, potentially exposing the Heketi server API to be misused. An unauthenticated attacker could connect remotely to Heketi Server and run arbitrary commands supported by Heketi Server API via Heketi CLI.
Меры по смягчению последствий
After installation of Heketi
- configure user and admin key in /etc/heketi/heketi.json file ... { "_port_comment": "Heketi Server Port Number", "port": "8080", "_use_auth": "Enable JWT authorization. Please enable for deployment", "use_auth": true, "_jwt": "Private keys for access", "jwt": { "_admin": "Admin has access to all APIs", "admin": { "key": "My Secret" }, "_user": "User only has access to /volumes endpoint", "user": { "key": "My Secret" } }, ...
- restart heketi server
Дополнительная информация
Статус:
EPSS
7.3 High
CVSS3
Связанные уязвимости
It was found that default configuration of Heketi does not require any authentication potentially exposing the management interface to misuse. This isue only affects heketi as shipped with Openshift Container Platform 3.11.
It was found that default configuration of Heketi does not require any ...
It was found that default configuration of Heketi does not require any authentication potentially exposing the management interface to misuse. This isue only affects heketi as shipped with Openshift Container Platform 3.11.
Уязвимость программного средства Heketi, связанная с отсутствием процедуры аутентификации в стандартных настройках, позволяющая нарушителю выполнить произвольные команды
EPSS
7.3 High
CVSS3