Description
In Kubernetes clusters using Ceph RBD as a storage provisioner, with logging level of at least 4, Ceph RBD admin secrets can be written to logs. This occurs in kube-controller-manager's logs during provisioning of Ceph RBD persistent claims. This affects < v1.19.3, < v1.18.10, < v1.17.13.
A flaw was found in Kubernetes. If the logging level is set to at least 4, and Ceph RBD is configured as a storage provisioner, then Ceph RBD admin secrets can be written to logs. This occurs in kube-controller-manager's logs during provisioning of Ceph RBD persistent claims.
Report
OpenShift Container Platform 4 does not support Ceph RBD persistent volumes; however, the vulnerable code is included.
Mitigation
OCP clusters not using Ceph RBD volumes are not vulnerable to this issue. For clusters using Ceph RBD volumes, this can be mitigated by ensuring the logging level is below 4 and preventing unauthorized access to cluster logs.
For OCP, the logging level for core components can be configured using operators, e.g. for kube-controller-manager: https://docs.openshift.com/container-platform/latest/rest_api/operator_apis/kubecontrollermanager-operator-openshift-io-v1.html#specification
In OCP, a logging level of "Debug" is equivalent to 4: https://github.com/openshift/api/blob/master/operator/v1/types.go#L96
The default logging level is "Normal", which is equivalent to 2. Clusters running with the default level are not vulnerable to this issue.
Affected packages
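The three conditions above (affected version, Ceph RBD in use, logging level of at least 4) can be checked together. The following is an added example, not code from Kubernetes or Red Hat. The function names, the use of the in-tree provisioner name `kubernetes.io/rbd` to detect Ceph RBD, treating release lines older than 1.17 as affected, and taking the higher of the command-line and operator log levels are assumptions.

```python
import re

# Fixed patch release per minor line, from the advisory: < v1.19.3, < v1.18.10, < v1.17.13.
FIXED_PATCH = {(1, 19): 3, (1, 18): 10, (1, 17): 13}
# OCP operator logLevel -> klog verbosity. Normal and Debug are stated in the advisory;
# Trace and TraceAll come from the same openshift/api enum.
OCP_LEVELS = {"Normal": 2, "Debug": 4, "Trace": 6, "TraceAll": 8}
RBD_PROVISIONER = "kubernetes.io/rbd"  # in-tree Ceph RBD provisioner name


def verbosity(args):
    """Effective -v level from kube-controller-manager args (--vmodule is not evaluated)."""
    level, it = 0, iter(args)
    for arg in it:
        m = re.fullmatch(r"--?v(?:=(\d+))?", arg)
        if m:
            value = m.group(1) if m.group(1) is not None else next(it, "")
            if value.isdigit():
                level = int(value)  # the last occurrence wins
    return level


def version_affected(version):
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    major, minor, patch = map(int, m.groups())
    fixed = FIXED_PATCH.get((major, minor))
    if fixed is not None:
        return patch < fixed
    # Assumption: release lines older than 1.17 are treated as affected.
    return (major, minor) < (1, 17)


def assess(version, kcm_args, provisioners, ocp_log_level=None):
    """Combine the three conditions from the advisory into one verdict."""
    level = verbosity(kcm_args)
    if ocp_log_level is not None:
        level = max(level, OCP_LEVELS[ocp_log_level])  # assumption: higher level applies
    result = {"affected_version": version_affected(version),
              "uses_ceph_rbd": RBD_PROVISIONER in provisioners,
              "log_level": level}
    result["exposed"] = (result["affected_version"] and result["uses_ceph_rbd"]
                         and level >= 4)
    return result


if __name__ == "__main__":
    # Constructed sample: static-pod args and StorageClass provisioners of a test cluster.
    args = ["kube-controller-manager", "--leader-elect=true", "--v=4"]
    print(assess("v1.19.2", args, ["kubernetes.io/rbd", "kubernetes.io/aws-ebs"]))
```

If a cluster is reported as exposed, logs written while the level was 4 or higher should be treated as containing the Ceph RBD admin secret.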
Platform | Package | State | Advisory | Release |
---|---|---|---|---|
Red Hat OpenShift Container Platform 3.11 | atomic-openshift | Will not fix | | |
Red Hat Storage 3 | heketi | Not affected | | |
Red Hat OpenShift Container Platform 4.6 | openshift4/ose-hyperkube | Fixed | RHSA-2021:0037 | 18.01.2021 |
Red Hat OpenShift Container Platform 4.7 | openshift | Fixed | RHSA-2020:5634 | 24.02.2021 |
Additional information
CVSS3: 5.3 Medium