A user can craft a route that injects a bogus entry into one of the HAProxy configuration files. This bogus entry can match any arbitrary hostname, or all hostnames in the cluster, and direct traffic to an arbitrary application, including one belonging to the user who is performing the attack.
Upstream fix: https://github.com/openshift/router/pull/381
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.9 Via RHSA-2022:2283 https://access.redhat.com/errata/RHSA-2022:2283
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.7 Via RHSA-2022:2268 https://access.redhat.com/errata/RHSA-2022:2268
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.8 Via RHSA-2022:2272 https://access.redhat.com/errata/RHSA-2022:2272
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.6 Via RHSA-2022:2264 https://access.redhat.com/errata/RHSA-2022:2264
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 3.11 Via RHSA-2022:2281 https://access.redhat.com/errata/RHSA-2022:2281
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-1677