OpenShift Bugs / OCPBUGS-28769

CVE-2024-1139 cluster-monitoring-operator-container: cluster-monitoring-operator: credentials leak [openshift-4.15]


    • Sprint: MON Sprint 252
    • Release note: Previously, any authenticated user able to read the telemeter-client pod manifest in the openshift-monitoring namespace could recover the cluster's pull secret for the cloud.openshift.com and quay.io registries from a pod annotation. With this release, the vulnerability has been fixed.
    • CVE - Common Vulnerabilities and Exposures
    • Status: Done

      Security Tracking Issue

      Do not make this issue public.

      NOTE THIS ISSUE IS CURRENTLY EMBARGOED, DO NOT MAKE PUBLIC COMMITS OR COMMENTS ABOUT THIS ISSUE.

      WARNING: NOTICE THAT CHANGING THE SECURITY LEVEL FROM "SECURITY ISSUE" TO "RED HAT INTERNAL" MAY BREAK THE EMBARGO.

      Flaw:

      EMBARGOED CVE-2024-1139 cluster-monitoring-operator: credentials leak
      https://bugzilla.redhat.com/show_bug.cgi?id=2262158

      The below issue was reported to ProdSec by Simon Pasquier:

      In OCP, the telemeter-client pod running in the openshift-monitoring
      namespace has an annotation containing the cluster's pull secret for the
      cloud.openshift.com and quay.io registries.

      The cause of the bug is that we use the token string concatenated with the
      hash [2] instead of writing the token string to the hash object and calling
      Sum() with a nil slice.

      The impact is that any user who can read the definition of the
      telemeter-client pod and/or deployment gets access to the pull secret
      token. Users with permissions from the cluster-reader clusterrole already
      have access to the original pull secret because they can read the
      "pull-secret" Secret in the openshift-config namespace.

      The issue has been present since OCP 4.12 [3] [4].

      [1] https://issues.redhat.com/browse/OCPBUGS-28650
      [2] https://github.com/openshift/cluster-monitoring-operator/blob/d45a3335c2bbada0948adef9fcba55c4e14fa1d7/pkg/manifests/manifests.go#L3135
      [3] https://bugzilla.redhat.com/show_bug.cgi?id=2114721
      [4] https://github.com/openshift/cluster-monitoring-operator/pull/1747
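The hashing mistake described in the report above, shown as an added Go example that is not code from cluster-monitoring-operator: leakyHash reproduces the pattern the report describes (the token string is passed to Sum() on a hash object nothing has been written to, so Sum() appends the digest of empty input to the raw token bytes and the token survives in the output), safeHash is the corrected pattern (write the token into the hash object, then call Sum(nil)), and containsToken checks whether the raw token can be recovered from the encoded value that would land in a pod annotation. The function names, the use of SHA-256 and hex encoding, and the sample token are assumptions for illustration; the real annotation key and value format are not shown on this page.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// leakyHash reproduces the bug pattern from the report: the token is handed
// to Sum() instead of being written to the hash object. hash.Hash.Sum(b)
// appends the digest of everything written so far (here: nothing) to b and
// returns that slice, so the result starts with the raw token bytes.
// (SHA-256 and hex encoding are assumptions for this illustration.)
func leakyHash(token string) string {
	h := sha256.New()
	return hex.EncodeToString(h.Sum([]byte(token)))
}

// safeHash is the corrected pattern: write the token into the hash object
// and call Sum(nil) so that only the digest is returned.
func safeHash(token string) string {
	h := sha256.New()
	h.Write([]byte(token)) // hash.Hash.Write never returns an error
	return hex.EncodeToString(h.Sum(nil))
}

// containsToken reports whether the raw token bytes appear inside the
// hex-decoded annotation value, i.e. whether anyone who can read the pod
// manifest can recover the secret.
func containsToken(annotation, token string) bool {
	raw, err := hex.DecodeString(annotation)
	if err != nil {
		return false
	}
	return bytes.Contains(raw, []byte(token))
}

func main() {
	// Constructed sample token; a real pull secret is a dockerconfigjson blob.
	const token = "eyJhdXRocyI6eyJjbG91ZC5vcGVuc2hpZnQuY29tIjp7ImF1dGgiOiJzZWNyZXQifX19"

	leaky := leakyHash(token)
	safe := safeHash(token)
	fmt.Printf("leaky annotation : %s\n", leaky)
	fmt.Printf("token recoverable: %v\n", containsToken(leaky, token))
	fmt.Printf("fixed annotation : %s\n", safe)
	fmt.Printf("token recoverable: %v\n", containsToken(safe, token))
}
```

With the leaky variant the hex string is the token followed by the 64-character digest of the empty input, so the token is trivially readable by anyone who can decode hex; with the fixed variant only a 64-character digest remains.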


      This security tracking issue was filed based on manifesting data available to Product Security in https://deptopia.prodsec.redhat.com/ui/home. This data indicates that the component noted in the "pscomponent" label was found to be affected by this vulnerability. If you believe this issue is not actionable and was created erroneously, please fill out the following form and close this issue as Closed with a resolution of Obsolete. This will prompt Product Security to review what type of error caused this Jira issue to be created, and prevent further mistakes of this type in the future.

      https://forms.gle/LnXaf5aCAHaV6g8T8

      To better understand the distinction between a component being Affected vs Not Affected, please read the following article:
      https://docs.engineering.redhat.com/pages/viewpage.action?spaceKey=PRODSEC&title=Understanding+Affected+and+Not+Affected

              Simon Pasquier (spasquie@redhat.com)
              Nick Tait (rhn-support-ntait)
              Tai Gao
              Brian Burt
              ART Bot, Bill Montgomery, Daniele Paolella, Daniel Mohr, Eric Paris, Han Ximin, Jan Fajerski, Jason Burrell, Joep van Delft, Justin Pierce, Luke Meyer, Nicholas Stielau, Siddharth Sharma, Sudha Ponnaganti (Inactive), Thiago Alessio Pereira, Vikas Laad, Yuxiang Zhu
              Watchers: 6
