Bug 1816789 (CVE-2020-10689)

Summary: CVE-2020-10689 che: pods in kubernetes cluster can bypass JWT proxy and send unauthenticated requests to workspace pods
Product: [Other] Security Response Reporter: Marco Benatto <mbenatto>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: scorneli
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Eclipse Che 7.9.0 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Eclipse Che, where it did not properly restrict access to workspace pods. An authenticated user can exploit this flaw to bypass JWT proxy and gain access to the workspace pods of another user. Successful exploitation requires knowledge of the service name and namespace of the target pod.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2020-04-14 22:31:48 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1796611    

Description Marco Benatto 2020-03-24 18:04:12 UTC 
On Eclipse Che up to version 7.8.x any pod running in a Kubernetes cluster is able to send unauthenticated requests to Eclipse Che Workspaces pods bypassing the JWT proxy. This implies an user can send requests to another user's machine-exec container getting access to it, bypassing the JWT proxy.

For an attack be considered successful, the attacker needs to know the ip or name of targeted service and the namespace where workspaces are running.
This flaw was fixed on Eclipse Che 7.9.0.

https://github.com/eclipse/che/issues/15651
Comment 4 Marco Benatto 2020-03-30 20:47:42 UTC 
Acknowledgments:

Name: Mario Loriedo (Red Hat)
Comment 5 Marco Benatto 2020-04-01 14:52:39 UTC 
Upstream commits for this issue:
https://github.com/eclipse/che-theia/commit/ae27d4ab05396727140c9c79eaa898cee1225514
https://github.com/eclipse/che-plugin-registry/pull/378/commits/4106a306a7b5c5eae4d888a79dedd91cd848f29b
Comment 6 Marco Benatto 2020-04-01 15:09:05 UTC 
Eclipse Che uses JWTProxy to authenticate requests sent among pods from a same workspace, however a flaw was found on the way JWTProxy is used by Eclipse Che it's possible to an attacker interact with theia server from an workspace different than the one he owns. This issue is not trivial to be exploited as the attacker need high privileges in cluster-wide scope and know the IP from the container running the targeted Theia server.
Comment 7 errata-xmlrpc 2020-04-14 19:27:47 UTC 
This issue has been addressed in the following products:

  Red Hat CodeReady Workspaces 2.0

Via RHSA-2020:1475 https://access.redhat.com/errata/RHSA-2020:1475
Comment 8 Product Security DevOps Team 2020-04-14 22:31:48 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-10689