Back to bug 1926568
| Who | When | What | Removed | Added |
|---|---|---|---|---|
| Sam Fowler | 2021-02-09 04:38:22 UTC | CC | security-response-team | |
| Sam Fowler | 2021-02-09 04:39:28 UTC | CC | dramseur, jhunter, jminter, kmitts, mgala, mjudeiki | |
| Sam Fowler | 2021-02-09 04:40:23 UTC | CC | sfowler | |
| Sam Fowler | 2021-02-09 04:45:17 UTC | CC | crawford, danken, danw, dhellmann, rbryant, sttts, walters | |
| Jim Minter | 2021-02-11 17:54:04 UTC | CC | jminter | |
| Sam Fowler | 2021-02-12 03:36:34 UTC | Priority | high | medium |
| | | Severity | high | medium |
| Sam Fowler | 2021-02-12 03:38:22 UTC | Group | security, qe_staff | |
| | | Summary | EMBARGOED openshift/machine-config-operator: Unexpected access to Machine Config Server | openshift/machine-config-operator: Unexpected access to Machine Config Server |
| Sam Fowler | 2021-02-12 03:40:23 UTC | Depends On | 1925494 | |
| Dhananjay Arunesh | 2021-02-15 18:13:11 UTC | Summary | openshift/machine-config-operator: Unexpected access to Machine Config Server | CVE-2021-20238 openshift/machine-config-operator: Unexpected access to Machine Config Server |
| | | Alias | | CVE-2021-20238 |
| Eric Christensen | 2021-02-18 19:26:17 UTC | Doc Text | A flaw was found in OpenShift's machine-config-operator. When running with Red Hat supported network types, applications in the cluster are blocked from sending traffic to ports 22623 or 22624 via iptables rules injected into the pod. This ensures that no unprivileged workloads are able to access the Machine Config Server (MCS) and download ignition configuration, which may contain sensitive information. Unfortunately, this security measure is implemented within the code for the network plugins, so a cluster that uses another network plugin does not have this protection mechanism in place. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | |
| W. Trevor King | 2021-04-16 19:58:37 UTC | CC | wking | |
| Sam Fowler | 2021-04-30 06:50:15 UTC | Doc Text | A flaw was found in OpenShift's machine-config-operator. When running with Red Hat supported network types, applications in the cluster are blocked from sending traffic to ports 22623 or 22624 via iptables rules injected into the pod. This ensures that no unprivileged workloads are able to access the Machine Config Server (MCS) and download ignition configuration, which may contain sensitive information. Unfortunately, this security measure is implemented within the code for the network plugins, so a cluster that uses another network plugin does not have this protection mechanism in place. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | It was found in OpenShift Container Platform 4 that the Machine Config Server (MCS) endpoint, which runs on Master Nodes on ports 22623 and 22624, is accessible without authentication. The MCS endpoint provides ignition configuration used for bootstrapping Nodes and can include some sensitive data, e.g. registry pull secrets. When running clusters with OpenShift supported network types, applications in the cluster are blocked from sending traffic to MCS ports via iptables rules injected into pods. This ensures that no unprivileged workloads are able to access the MCS. As the security measure is implemented within the code for the network plugins, clusters that use other network plugins do not have this protection method in place. Pods running with hostNetwork access can also access the MCS. |
| | | Summary | CVE-2021-20238 openshift/machine-config-operator: Unexpected access to Machine Config Server | CVE-2021-20238 openshift/machine-config-operator: unauthenticated access to Machine Config Server |
| Sam Fowler | 2021-05-04 04:51:33 UTC | Doc Text | It was found in OpenShift Container Platform 4 that the Machine Config Server (MCS) endpoint, which runs on Master Nodes on ports 22623 and 22624, is accessible without authentication. The MCS endpoint provides ignition configuration used for bootstrapping Nodes and can include some sensitive data, e.g. registry pull secrets. When running clusters with OpenShift supported network types, applications in the cluster are blocked from sending traffic to MCS ports via iptables rules injected into pods. This ensures that no unprivileged workloads are able to access the MCS. As the security measure is implemented within the code for the network plugins, clusters that use other network plugins do not have this protection method in place. Pods running with hostNetwork access can also access the MCS. | It was found in OpenShift Container Platform 4 that ignition config, served by the Machine Config Server, can be accessed externally from clusters without authentication. The MCS endpoint (port 22623) provides ignition configuration used for bootstrapping Nodes and can include some sensitive data, e.g. registry pull secrets. There are two scenarios where this data can be accessed. The first is on Baremetal, OpenStack, Ovirt, Vsphere and KubeVirt deployments, which do not have a separate internal API endpoint and allow access from outside the cluster to port 22623 on the standard OpenShift API Virtual IP address. The second is on cloud deployments when using unsupported network plugins, which do not create iptables rules that prevent access to port 22623. In this scenario, the ignition config is exposed to all pods within the cluster and cannot be accessed externally. |
| | | Summary | CVE-2021-20238 openshift/machine-config-operator: unauthenticated access to Machine Config Server | CVE-2021-20238 openshift/machine-config-operator: unauthenticated access to Machine Config Server ignition config |
| Marian Rehak | 2021-05-26 15:16:31 UTC | Blocks | 1965031 | |
| Red Hat Bugzilla | 2021-09-15 05:45:43 UTC | CC | crawford | |
| Red Hat Bugzilla | 2021-10-28 18:54:03 UTC | CC | mjudeiki | |
| Red Hat Bugzilla | 2022-01-08 05:28:23 UTC | CC | jokerman | |
| Ricardo Arguello | 2022-06-02 22:28:50 UTC | CC | ricardo.arguello | |
| Red Hat Bugzilla | 2022-10-29 04:14:11 UTC | CC | kmitts | |
| Red Hat Bugzilla | 2022-10-29 07:47:47 UTC | CC | mgala | |
| Red Hat Bugzilla | 2023-04-29 08:27:59 UTC | CC | sttts | |
| Red Hat Bugzilla | 2023-07-07 08:29:13 UTC | Assignee | security-response-team | nobody |
| | | CC | security-response-team | |
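The Doc Text entries above describe a mitigation that lives in each pod's own iptables rules, which hostNetwork pods and non-OpenShift network plugins bypass, plus a second scenario where port 22623 on the API VIP is reachable from outside the cluster. The script below is an added example written for this page; it is not part of the Bugzilla record or of the machine-config-operator project. It gives an operator or pentester two checks: parse `iptables-save` output for REJECT/DROP rules covering TCP ports 22623 and 22624, and optionally open a TCP connection to those ports on a host you name (the API VIP). The rule shape it matches (`-A <chain> ... --dport <port> -j REJECT|DROP`) and the embedded `iptables-save` excerpts are assumptions constructed for the example, not captured from a cluster; the live probe needs bash and `timeout`.

```shell
#!/usr/bin/env bash
# Added example, not from the Bugzilla record or the machine-config-operator code.
# Checks whether MCS-blocking iptables rules of the kind the Doc Text describes
# are present in this network namespace, and can optionally probe the MCS ports.
#
# Assumptions (not stated on the page):
#  - the blocking rules appear as "-A <chain> ... --dport <port> -j REJECT|DROP"
#    lines in `iptables-save` output taken inside the pod's network namespace;
#  - a pod with hostNetwork: true sees the node's rules, not per-pod rules, so a
#    "present" result there says nothing about ordinary pods.

MCS_PORTS="22623 22624"

# mcs_port_blocked PORT RULES
# RULES is iptables-save text. Succeeds if some rule rejects/drops traffic to PORT.
# The port match is anchored so that e.g. 226230 is not mistaken for 22623.
mcs_port_blocked() {
  mpb_port="$1"
  mpb_rules="$2"
  printf '%s\n' "$mpb_rules" \
    | grep -E -- '^-A ' \
    | grep -E -- "--dport ${mpb_port}([^0-9]|$)" \
    | grep -Eq -- '-j (REJECT|DROP)'
}

# mcs_rules_missing RULES
# Prints the MCS ports that have no blocking rule (an empty line if none are
# missing) and succeeds only when every port in MCS_PORTS is covered.
mcs_rules_missing() {
  mrm_rules="$1"
  mrm_missing=""
  for mrm_port in $MCS_PORTS; do
    mcs_port_blocked "$mrm_port" "$mrm_rules" || mrm_missing="$mrm_missing $mrm_port"
  done
  printf '%s\n' "${mrm_missing# }"
  [ -z "$mrm_missing" ]
}

# probe_mcs HOST PORT
# Live check: succeeds if a TCP connection to HOST:PORT opens within 3 seconds.
# Run it from inside an ordinary pod against the API VIP, or from outside the
# cluster for the external-exposure scenario. Needs bash (/dev/tcp) and timeout.
probe_mcs() {
  timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Constructed iptables-save excerpts for offline use (not captured from a cluster).
# A pod whose network plugin injected rules for both ports:
SAMPLE_PROTECTED='*filter
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -p tcp -m tcp --dport 22623 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -p tcp -m tcp --dport 22624 -j REJECT --reject-with icmp-port-unreachable
COMMIT'

# A pod where only 22623 is blocked; the 226230 line exercises the anchored match.
SAMPLE_PARTIAL='*filter
:OUTPUT ACCEPT [0:0]
-A OUTPUT -p tcp -m tcp --dport 22623 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -p tcp -m tcp --dport 226230 -j ACCEPT
COMMIT'

# check_live [HOST]
# Reads the real rules of this network namespace, reports gaps, and if HOST is
# given probes each MCS port on it.
check_live() {
  cl_rules=$(iptables-save 2>/dev/null) || { echo "iptables-save unavailable"; return 2; }
  if cl_missing=$(mcs_rules_missing "$cl_rules"); then
    echo "blocking rules present for ports: $MCS_PORTS"
  else
    echo "no blocking rule for ports: $cl_missing"
  fi
  [ -n "${1-}" ] || return 0
  for cl_port in $MCS_PORTS; do
    if probe_mcs "$1" "$cl_port"; then
      echo "REACHABLE: $1:$cl_port (ignition config exposed)"
    else
      echo "blocked/closed: $1:$cl_port"
    fi
  done
}

# Usage: ./mcs_check.sh --live [API_VIP]
if [ "${1-}" = "--live" ]; then
  check_live "${2-}"
fi
```

A pod in the "unsupported network plugin" scenario from the Doc Text shows up as `no blocking rule for ports: 22623 22624` followed by `REACHABLE` for the VIP; a pod on a supported plugin shows the rules present and the probe failing. Run the same script with hostNetwork or from a machine outside the cluster to cover the other two paths the Doc Text names.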