Описание
A credentials leak was found in the OpenShift Container Platform. The private key for the external cluster certificate was stored incorrectly in the oauth-serving-cert ConfigMaps, and accessible to any authenticated OpenShift user or service-account. A malicious user could exploit this flaw by reading the oauth-serving-cert ConfigMap in the openshift-config-managed namespace, compromising any web traffic secured using that certificate.
A credentials leak was found in the OpenShift Container Platform. The private key for the external cluster certificate was stored incorrectly in the oauth-serving-cert ConfigMaps, and accessible to any authenticated OpenShift user or service-account. This flaw allows a malicious user to read the oauth-serving-cert ConfigMap in the openshift-config-managed namespace, compromising any web traffic secured using that certificate.
Отчет
All versions of the OpenShift Container Platform 4.9 and later are affected by this vulnerability.
Меры по смягчению последствий
Removal of the private key from the ConfigMap, or modification of the RBAC permissions is not a sufficient mitigation on its own, as these will both be restored by the authentication-operator. This flaw can be mitigated by deploying a custom webhook which filters out the private key from the target ConfigMap, preventing it from being restored by the authentication-operator. An example of this can be found here: https://github.com/sfowl/configmap-cleaner After upgrading to a fixed version of OpenShift or applying the mitigation, all ingress certificates should be rotated: https://docs.openshift.com/container-platform/4.10/security/certificates/replacing-default-ingress-certificate.html#replacing-default-ingress
Дополнительная информация
Статус:
EPSS
7.7 High
CVSS3
Связанные уязвимости
A credentials leak was found in the OpenShift Container Platform. The private key for the external cluster certificate was stored incorrectly in the oauth-serving-cert ConfigMaps, and accessible to any authenticated OpenShift user or service-account. A malicious user could exploit this flaw by reading the oauth-serving-cert ConfigMap in the openshift-config-managed namespace, compromising any web traffic secured using that certificate.
A credentials leak was found in the OpenShift Container Platform. The private key for the external cluster certificate was stored incorrectly in the oauth-serving-cert ConfigMaps, and accessible to any authenticated OpenShift user or service-account. A malicious user could exploit this flaw by reading the oauth-serving-cert ConfigMap in the openshift-config-managed namespace, compromising any web traffic secured using that certificate.
EPSS
7.7 High
CVSS3