Description
HAProxy Kubernetes Ingress Controller before 3.1.13, when the config-snippets feature flag is used, accepts config snippets from users with create/update permissions. This can result in obtaining an ingress token secret as a response. The fixed versions of HAProxy Enterprise Kubernetes Ingress Controller are 3.0.16-ee1, 1.11.13-ee1, and 1.9.15-ee1.
A flaw was found in HAProxy Kubernetes Ingress Controller. This vulnerability allows an authenticated attacker to obtain an ingress token secret by submitting malicious configuration snippets when the config-snippets feature is enabled.
Statement
This flaw is rated MODERATE primarily because successful exploitation requires the attacker to already hold privileges to create or modify Ingress or Service objects in the cluster. The core flaw is a configuration injection weakness: the KIC's config-snippets feature can be misused to embed arbitrary HAProxy directives that are not properly sanitized. Such a snippet allows an attacker to read environment variables, specifically the highly sensitive Kubernetes service account token secret, which is available to the ingress controller pod. Obtaining this token permits an authenticated user to perform privilege escalation and access cluster data. So essentially, for a product to be affected, it has to both ship the base haproxy RPM and run it in the Kubernetes Ingress Controller.
Mitigation
Disabling the config-snippets feature before starting the Ingress Controller is a useful mitigation for this vulnerability. This can be done by starting the Ingress Controller with the following flag: `--disable-config-snippets`. Upgrade to version 3.2 and above to fix this issue.
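As an added defender's check (not code from HAProxy Technologies, Red Hat, or this advisory), the following Python audits a parsed Deployment manifest of the ingress controller and classifies each container as fixed, mitigated, vulnerable, or unknown. It assumes the controller version is carried in the container image tag (for example `3.1.12` or `3.0.15-ee1`, with `-ee` marking an Enterprise build) and that the mitigation is applied as the container argument `--disable-config-snippets` exactly as given above; the fixed versions are the ones stated in this advisory (3.1.13 community; 3.0.16-ee1, 1.11.13-ee1, 1.9.15-ee1 Enterprise). The sample manifest and its image name are constructed for illustration.

```python
"""Audit HAProxy Kubernetes Ingress Controller Deployment manifests for the
config-snippets exposure described in this advisory.

Added example; not code from HAProxy Technologies, Red Hat, or the advisory.
Assumptions: the controller version is read from the container image tag
("3.1.12", "3.0.15-ee1"; "-ee" marks an Enterprise build) and the mitigation
is applied as the container argument "--disable-config-snippets".
Fixed versions are taken from the advisory text.
"""
import re

MITIGATION_FLAG = "--disable-config-snippets"
COMMUNITY_FIXED = (3, 1, 13)                      # "before 3.1.13" is affected
ENTERPRISE_FIXED = {                               # per Enterprise release line
    (3, 0): (3, 0, 16), (1, 11): (1, 11, 13), (1, 9): (1, 9, 15),
}


def parse_tag(tag):
    """Return (version_tuple, is_enterprise) from an image tag, or
    (None, False) when the tag carries no dotted version (e.g. 'latest')."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", tag)
    if not m:
        return None, False
    return tuple(int(x) for x in m.groups()), "-ee" in tag


def image_version(image):
    """Split the tag off an image reference, tolerating registry:port prefixes."""
    last = image.rsplit("/", 1)[-1]
    tag = last.split(":", 1)[1] if ":" in last else ""
    return parse_tag(tag)


def is_fixed(version, enterprise):
    """Compare against the advisory's fixed versions; None means 'cannot tell'
    (an Enterprise release line the advisory does not list)."""
    if not enterprise:
        return version >= COMMUNITY_FIXED
    fixed = ENTERPRISE_FIXED.get(version[:2])
    return None if fixed is None else version >= fixed


def audit_container(container):
    """Classify one container spec as fixed / mitigated / vulnerable / unknown."""
    version, enterprise = image_version(container.get("image", ""))
    argv = list(container.get("command", [])) + list(container.get("args", []))
    mitigated = MITIGATION_FLAG in argv
    if version is None:
        return "unknown"
    fixed = is_fixed(version, enterprise)
    if fixed is None:
        return "unknown"
    if fixed:
        return "fixed"
    return "mitigated" if mitigated else "vulnerable"


def audit_deployment(manifest):
    """Map each container name in a Deployment (parsed YAML/JSON) to its status."""
    containers = manifest["spec"]["template"]["spec"].get("containers", [])
    return {c["name"]: audit_container(c) for c in containers}


# Constructed sample: a pre-fix community image started without the flag.
SAMPLE_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "haproxy-kubernetes-ingress", "namespace": "haproxy-controller"},
    "spec": {"template": {"spec": {"containers": [{
        "name": "kubernetes-ingress",
        "image": "haproxytech/kubernetes-ingress:3.1.12",  # assumed image name
        "args": ["--configmap=haproxy-controller/haproxy-kubernetes-ingress"],
    }]}}},
}

if __name__ == "__main__":
    for name, status in audit_deployment(SAMPLE_DEPLOYMENT).items():
        print(f"{name}: {status}")  # kubernetes-ingress: vulnerable
```

A "mitigated" result still leaves the pre-fix binary in place; the flag only closes the snippet path, so the upgrade recommended above remains the durable fix. Containers tagged `latest` or with an Enterprise line the advisory does not list come back as "unknown" and should be checked by hand rather than assumed safe.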
Affected packages
| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| Red Hat Ceph Storage 5 | haproxy | Out of support scope | | |
| Red Hat Enterprise Linux 10 | haproxy | Affected | | |
| Red Hat Enterprise Linux 7 | haproxy | Affected | | |
| Red Hat Enterprise Linux 8 | haproxy | Affected | | |
| Red Hat Enterprise Linux 9 | haproxy | Affected | | |
| Red Hat OpenShift Container Platform 4 | haproxy | Not affected | | |
Additional information
Status:
EPSS
8.5 High
CVSS3