Bug 2076211 (CVE-2022-1677) - CVE-2022-1677 openshift/router: route hijacking attack via crafted HAProxy configuration file
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-1677
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2074304 2074839 2076371 2076373 2076380 2076382 2076383 2076384
Blocks: 2074345
Reported: 2022-04-18 09:45 UTC by Avinash Hanwate
Modified: 2022-09-26 11:41 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
In OpenShift Container Platform, a user with permissions to create or modify Routes can craft a payload that inserts a malformed entry into one of the cluster router's HAProxy configuration files. This malformed entry can match any arbitrary hostname, or all hostnames in the cluster, and direct traffic to an arbitrary application within the cluster, including one under attacker control.
Clone Of:
Environment:
Last Closed: 2022-05-31 12:31:15 UTC
Embargoed:




Links
System                  ID              Private  Priority  Status  Summary  Last Updated
Red Hat Product Errata  RHSA-2022:2264  0        None      None    None     2022-05-26 17:00:19 UTC
Red Hat Product Errata  RHSA-2022:2268  0        None      None    None     2022-05-25 12:02:58 UTC
Red Hat Product Errata  RHSA-2022:2272  0        None      None    None     2022-05-25 21:48:22 UTC
Red Hat Product Errata  RHSA-2022:2281  0        None      None    None     2022-05-31 08:42:38 UTC
Red Hat Product Errata  RHSA-2022:2283  0        None      None    None     2022-05-25 04:30:31 UTC

Description Avinash Hanwate 2022-04-18 09:45:22 UTC
A user can craft a route that injects a bogus entry into one of the HAProxy configuration files.  This bogus entry can match any arbitrary hostname, or all hostnames in the cluster, and direct traffic to an arbitrary application, including one belonging to the user who is performing the attack.

Comment 10 Sam Fowler 2022-05-13 07:31:03 UTC
Upstream fix:

https://github.com/openshift/router/pull/381

Comment 11 errata-xmlrpc 2022-05-25 04:30:28 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.9

Via RHSA-2022:2283 https://access.redhat.com/errata/RHSA-2022:2283

Comment 12 errata-xmlrpc 2022-05-25 12:02:56 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.7

Via RHSA-2022:2268 https://access.redhat.com/errata/RHSA-2022:2268

Comment 13 errata-xmlrpc 2022-05-25 21:48:19 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.8

Via RHSA-2022:2272 https://access.redhat.com/errata/RHSA-2022:2272

Comment 14 errata-xmlrpc 2022-05-26 17:00:16 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.6

Via RHSA-2022:2264 https://access.redhat.com/errata/RHSA-2022:2264

Comment 15 errata-xmlrpc 2022-05-31 08:42:35 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.11

Via RHSA-2022:2281 https://access.redhat.com/errata/RHSA-2022:2281

Comment 16 Product Security DevOps Team 2022-05-31 12:31:14 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-1677

