CVE-2022-2220

Published: 27 Jun 2022
Source: redhat
CVSS3: 0

Description

Insufficient Granularity of Access Control in an OpenShift router causes improper subdomain ownership verification, allowing route takeover. Once a custom route is created, the user must update the DNS provider by creating a canonical name (CNAME) record to expose this route externally. The CNAME record should point the custom domain to the OpenShift router as the alias. If the CNAME is not removed when the route is not in use anymore, there is a dangling route that a malicious actor may take over.

Report

Red Hat Product Security does not consider this to be a vulnerability. It is not in the scope of the ingress controller to manage external DNS records. It is the cluster administrator's responsibility to manage DNS records and to secure sensitive routes using TLS.
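
Because DNS hygiene is left to the cluster administrator, a periodic audit for dangling CNAMEs is the practical control. The Python below is an added example, not code from Red Hat or from this page: it compares a zone export with the hosts claimed by existing routes and reports custom domains that still alias the router. The router hostname, the zone records and the route hosts are constructed sample values.

```python
# Added example (not from the page): audit for CNAMEs that still alias the router.
ROUTER_CANONICAL = "router-default.apps.cluster.example.com"  # assumed router alias target

# Constructed zone export: (owner name, record type, target)
ZONE_RECORDS = [
    ("shop.example.org.", "CNAME", "router-default.apps.cluster.example.com."),
    ("old-promo.example.org.", "CNAME", "Router-Default.apps.cluster.example.com."),
    ("blog.example.org.", "CNAME", "edge.example.org."),
    ("edge.example.org.", "CNAME", "router-default.apps.cluster.example.com."),
    ("docs.example.org.", "CNAME", "pages.example.net."),
    ("loop-a.example.org.", "CNAME", "loop-b.example.org."),
    ("loop-b.example.org.", "CNAME", "loop-a.example.org."),
]
# Constructed spec.host values of the routes that currently exist in the cluster
ACTIVE_ROUTE_HOSTS = ["shop.example.org", "edge.example.org"]


def norm(name):
    """Lower-case and strip the trailing root dot so DNS and route names compare equal."""
    return name.strip().rstrip(".").lower()


def resolves_to_router(name, cnames, router):
    """Follow CNAME chains inside the zone; stop on loops or when the chain leaves the zone."""
    seen = set()
    while name in cnames and name not in seen:
        seen.add(name)
        name = cnames[name]
        if name == router:
            return True
    return False


def find_dangling(records, route_hosts, router):
    """Return custom domains that alias the router but have no route claiming them."""
    router = norm(router)
    cnames = {norm(o): norm(t) for o, rtype, t in records if rtype.upper() == "CNAME"}
    claimed = {norm(h) for h in route_hosts}
    return sorted(
        owner for owner in cnames
        if owner not in claimed and resolves_to_router(owner, cnames, router)
    )


if __name__ == "__main__":
    for host in find_dangling(ZONE_RECORDS, ACTIVE_ROUTE_HOSTS, ROUTER_CANONICAL):
        print(f"dangling: {host} still aliases the router but no route claims it")
```

Each reported name is a CNAME to remove, or a route to recreate, before someone else can claim that host on the router.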

Affected packages

| Platform | Package | State | Recommendation | Release |
| --- | --- | --- | --- | --- |
| Red Hat OpenShift Container Platform 3.11 | atomic-openshift | Not affected | | |
| Red Hat OpenShift Container Platform 3.11 | openshift3/ose-haproxy-router | Not affected | | |
| Red Hat OpenShift Container Platform 4 | openshift4/ose-cluster-ingress-operator | Not affected | | |
| Red Hat OpenShift Container Platform 4 | openshift4/ose-haproxy-router | Not affected | | |

Additional information

Defect:
CWE-863->CWE-1220
https://bugzilla.redhat.com/show_bug.cgi?id=2101434 openshift-router: fails to verify subdomain ownership which can lead to route takeover

CVSS3: 0 Low

Related vulnerabilities

nvd
more than 3 years ago

Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.

CVSS3: 6.5
github
more than 3 years ago

OpenShift doesn't properly verify subdomain ownership, which allows route takeover. Once a custom route is created, the user must update the DNS provider by creating a canonical name (CNAME) record (if he likes to expose this route externally). The CNAME record should point the custom domain to the OpenShift router as the alias. In a case that the CNAME is not removed when the route is not in use anymore we are dealing with a dangling route. A malicious actor may take over the route.
