Bug 1839942 (CVE-2020-10752)
| Summary: | CVE-2020-10752 openshift/openshift-apiserver: oauthtokens leaked to logs on panic | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Jason Shepherd <jshepherd> |
| Component: | vulnerability | Assignee: | Nobody <nobody> |
| Status: | NEW --- | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | aos-bugs, bmontgom, decarr, eparis, jburrell, nstielau, sponnaga |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: |
A flaw was found in the OpenShift API Server, where it failed to sufficiently protect OAuthTokens by leaking them into the logs when an API Server panic occurred. This flaw allows an attacker with the ability to cause an API Server error to read the logs, and use the leaked OAuthToken to log into the API Server with the leaked token.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1846657, 1846658, 1846659, 1846660, 1846661, 1846662, 1839944, 1839945 | ||
| Bug Blocks: | 1838942 | ||
|
Description
Jason Shepherd
2020-05-26 05:21:25 UTC
The immediate problem is this line of code [1], however the fix is none trivial and requires a reworking of oauthtokens in OpenShift [2]. [1] https://github.com/openshift/origin/blob/master/vendor/k8s.io/kubernetes/staging/src/k8s.io/apiserver/pkg/server/filters/wrap.go#L39 [2] https://github.com/openshift/enhancements/pull/323 Statement: OAuthTokens are only valid for 1 day by default. Mitigation: Ensure the OpenShift API Server logs are kept private |