Bug 1886640 (CVE-2020-8566)

Summary: CVE-2020-8566 kubernetes: Ceph RBD adminSecrets exposed in logs when loglevel >= 4
Product: [Other] Security Response Reporter: Sam Fowler <sfowler>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aos-bugs, bmontgom, eparis, hchiramm, hvyas, jburrell, jmulligan, jokerman, jsafrane, madam, mfojtik, nstielau, puebele, rhs-bugs, security-response-team, sfowler, sponnaga, storage-qa-internal, sttts, xxia
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: kubernetes 1.19.3, kubernetes 1.18.10, kubernetes 1.17.13 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in kubernetes. If the logging level is to at least 4, and Ceph RBD is configured as a storage provisioner, then Ceph RBD admin secrets can be written to logs. This occurs in kube-controller-manager's logs during provisioning of Ceph RBD persistent claims.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-01-18 23:59:14 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1887290, 1887291, 1887292, 1887748    
Bug Blocks: 1883756    

Description Sam Fowler 2020-10-09 01:52:34 UTC 
In Kubernetes, if the logging level is to at least 4, and Ceph RBD is configured as a storage provisioner, then Ceph RBD admin secrets can be written to logs. This occur's in kube-controller-manager's logs during provisioning of Ceph RBD persistent claims.


Upstream Fix:

https://github.com/kubernetes/kubernetes/pull/95245
Comment 2 Sam Fowler 2020-10-09 01:55:55 UTC 
Acknowledgments:

Name: the Kubernetes Product Security Committee
Upstream: Kaizhe Huang (derek0405)
Comment 4 Sam Fowler 2020-10-12 05:00:55 UTC 
Statement:

OpenShift Container Platform 4 does not support Ceph RBD persistent volumes, however the vulnerable code is included.
Comment 5 Sam Fowler 2020-10-13 02:31:18 UTC 
Mitigation:

OCP Clusters not using Ceph RBD volumes are not vulnerable to this issue. For clusters using Ceph RBD volumes, this can be mitigated by ensuring the logging level is below 4 and protecting unauthorized access to cluster logs.

For OCP, the logging level for core components can be configured using operators, e.g. for kube-controller-manager:
https://docs.openshift.com/container-platform/latest/rest_api/operator_apis/kubecontrollermanager-operator-openshift-io-v1.html#specification

In OCP, a logging level of "Debug" is equivalent to 4: 
https://github.com/openshift/api/blob/master/operator/v1/types.go#L96

The default logging level is "Normal", which is equivalent to 2. Clusters running with the default level are not vulnerable to this issue.
Comment 6 Sam Fowler 2020-10-15 23:36:42 UTC 
External References:

https://groups.google.com/g/kubernetes-announce/c/ScdmyORnPDk
https://github.com/kubernetes/kubernetes/issues/95624
Comment 7 errata-xmlrpc 2021-01-18 17:57:07 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.6

Via RHSA-2021:0037 https://access.redhat.com/errata/RHSA-2021:0037
Comment 8 Product Security DevOps Team 2021-01-18 23:59:14 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-8566
Comment 9 errata-xmlrpc 2021-02-24 14:41:53 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.7

Via RHSA-2020:5634 https://access.redhat.com/errata/RHSA-2020:5634