Bug 1825161 (CVE-2020-10712)

Summary: CVE-2020-10712 openshift/cluster-image-registry-operator: secrets disclosed in logs
Product: [Other] Security Response Reporter: Jason Shepherd <jshepherd>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: adam.kaplan, aos-bugs, bmontgom, bparees, eparis, fmarquez, jburrell, jokerman, nstielau, obulatov, security-response-team, sponnaga
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in OpenShift Container Platform versions from 4.1 to 4.4 inclusive. Sensitive information was found to be logged by the image registry operator allowing an attacker able to gain access to those logs, to read and write to the storage backing the internal image registry. The highest threat from this vulnerability is to data integrity.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2020-05-12 10:33:28 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1825164, 1825165, 1825718, 1825719, 1825720    
Bug Blocks: 1824779    

Description Jason Shepherd 2020-04-17 09:16:26 UTC 
The image registry operator in OpenShift Container Platform version 4.4 and later logs sensitive information. An attacker able to obtain the log could gain read and write access to the storage backing the OpenShift Container Platform internal image registry.
Comment 1 Jason Shepherd 2020-04-17 09:16:29 UTC 
Acknowledgments:

Name: Adam Kaplan (Red Hat)
Comment 11 Jason Shepherd 2020-04-21 23:24:51 UTC 
Mitigation:

Ensure that the image registry operator logs remain private.
Comment 12 Jason Shepherd 2020-05-05 00:15:04 UTC 
Upstream Patch:

https://github.com/openshift/cluster-image-registry-operator/pull/527
Comment 13 errata-xmlrpc 2020-05-12 05:11:47 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.3

Via RHSA-2020:2009 https://access.redhat.com/errata/RHSA-2020:2009
Comment 14 Product Security DevOps Team 2020-05-12 10:33:28 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-10712
Comment 15 errata-xmlrpc 2020-05-13 11:27:47 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.2

Via RHSA-2020:2026 https://access.redhat.com/errata/RHSA-2020:2026
Comment 16 errata-xmlrpc 2020-05-18 15:44:25 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.4

Via RHSA-2020:2136 https://access.redhat.com/errata/RHSA-2020:2136
Comment 19 Jason Shepherd 2020-11-08 22:54:38 UTC 
Statement:

References to internal container components making up OpenShift Container Platform 4.x itself all use digests to refer to container images [1]. Therefore any changes to the images in the registry storage will invalidate those references. This issue could allow an attacker to modify other container image content that is referred to by tag however.

[1] https://www.redhat.com/en/blog/securing-deployment-openshift-container-platform-4