Описание
A flaw was found in the Submariner project. Due to unnecessary role-based access control permissions, a privileged attacker can run a malicious container on a node that may allow them to steal service account tokens and further compromise other nodes and potentially the entire cluster.
Отчет
For the submariner operator in Red Hat Advanced Cluster Management for Kubernetes, the submariner-security outlined potential vulnerabilities regarding RBAC permissions being too broad. Those permissions make it possible to create, patch or update statefulsets or replicasets resources. This may allow new privileged containers escaping them and gaining root privileges on any worker nodes where those containers have been deployed within the cluster.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/lighthouse-agent-rhel9 | Affected | ||
| Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/lighthouse-coredns-rhel8 | Affected | ||
| Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/submariner-gateway-rhel8 | Affected | ||
| Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/submariner-globalnet-rhel8 | Affected | ||
| Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/submariner-rhel8-operator | Affected | ||
| Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/submariner-route-agent-rhel9 | Affected | ||
| RHODF-4.16-RHEL-9 | odf4/odf-multicluster-rhel9-operator | Fixed | RHSA-2024:4591 | 17.07.2024 |
Показывать по
Дополнительная информация
Статус:
6.6 Medium
CVSS3
Связанные уязвимости
A flaw was found in the Submariner project. Due to unnecessary role-based access control permissions, a privileged attacker can run a malicious container on a node that may allow them to steal service account tokens and further compromise other nodes and potentially the entire cluster.
Submariner Operator sets unnecessary RBAC permissions
Уязвимость программного обеспечения взаимодействия модулей и служб в кластерах Kubernetes Submariner Operator, связанная с ошибками при управлении привилегиями, позволяющая нарушителю запустить на узле произвольный контейнер
6.6 Medium
CVSS3