Описание
Baremetal Operator (BMO) is a bare metal host provisioning integration for Kubernetes. Prior to version 0.3.0, ironic and ironic-inspector deployed within Baremetal Operator using the included deploy.sh store their .htpasswd files as ConfigMaps instead of Secrets. This causes the plain-text username and hashed password to be readable by anyone having a cluster-wide read-access to the management cluster, or access to the management cluster's Etcd storage. This issue is patched in baremetal-operator PR#1241, and is included in BMO release 0.3.0 onwards. As a workaround, users may modify the kustomizations and redeploy the BMO, or recreate the required ConfigMaps as Secrets per instructions in baremetal-operator PR#1241.
A flaw was found in the baremetal-operator, where the ironic and ironic-inspector deployed within the baremetal operator using the included deploy.sh store .htpasswd files as ConfigMaps instead of Secrets. This issue causes the plain-text username and hashed password to be readable by anyone having a cluster-wide read-access to the management cluster or access to the management cluster's etcd storage.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat OpenShift Container Platform 4 | openshift4/ose-agent-installer-api-server-rhel9 | Not affected | ||
| Red Hat OpenShift Container Platform 4 | openshift4/ose-baremetal-machine-controllers | Not affected | ||
| Red Hat OpenShift Container Platform 4 | openshift4/ose-cluster-baremetal-operator-rhel8 | Not affected | ||
| Red Hat OpenShift Container Platform 4 | openshift4/ose-image-customization-controller-rhel8 | Not affected | ||
| Red Hat OpenShift Container Platform 4 | openshift4/ose-installer | Not affected | ||
| Red Hat OpenShift Container Platform Assisted Installer 1 | rhai-tech-preview/assisted-installer-agent-rhel8 | Not affected | ||
| Red Hat OpenShift Container Platform Assisted Installer 1 | rhai-tech-preview/assisted-installer-rhel8 | Not affected | ||
| Red Hat Openshift Data Foundation 4 | odf4/odf-multicluster-rhel9-operator | Affected | ||
| Red Hat Openshift Data Foundation 4 | odf4/odr-rhel8-operator | Affected | ||
| Red Hat OpenShift Container Platform 4.12 | openshift4/topology-aware-lifecycle-manager-operator-bundle | Fixed | RHSA-2024:3801 | 11.06.2024 |
Показывать по
Дополнительная информация
Статус:
EPSS
6 Medium
CVSS3
Связанные уязвимости
Baremetal Operator (BMO) is a bare metal host provisioning integration for Kubernetes. Prior to version 0.3.0, ironic and ironic-inspector deployed within Baremetal Operator using the included `deploy.sh` store their `.htpasswd` files as ConfigMaps instead of Secrets. This causes the plain-text username and hashed password to be readable by anyone having a cluster-wide read-access to the management cluster, or access to the management cluster's Etcd storage. This issue is patched in baremetal-operator PR#1241, and is included in BMO release 0.3.0 onwards. As a workaround, users may modify the kustomizations and redeploy the BMO, or recreate the required ConfigMaps as Secrets per instructions in baremetal-operator PR#1241.
Ironic and ironic-inspector may expose as ConfigMaps
EPSS
6 Medium
CVSS3