Bug 1906267 (CVE-2020-27836)

Summary: CVE-2020-27836 cluster-ingress-operator: changes to loadBalancerSourceRanges overwritten by operator
Product: [Other] Security Response Reporter: Jason Shepherd <jshepherd>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: aos-bugs, aos-network-edge-staff, bmontgom, eparis, jburrell, jokerman, nstielau, sponnaga
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: ose-cluster-ingress-operator-container-v4.6.0-202012161211.p0 Doc Type: ---
Doc Text:
A flaw was found in cluster-ingress-operator. A change to how the router-default service allows only certain IP source ranges could allow an attacker to access resources that would otherwise be restricted to specified IP ranges. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2020-12-21 13:31:04 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1905490, 1906560    
Bug Blocks: 1905803, 1939568    

Description Jason Shepherd 2020-12-10 05:06:31 UTC 
Until the 4.6.6 version of OpenShift Container Platform changes to the router-default service to allow only certain IP source ranges was possible by directly editing the service object [1]. Since 4.6.6 changes to the loadBalancerSourceRanges field are overwritten to the default of all IP ranges. If a cluster is affected by this issue an attacker can use the flaw to access resources which should be restricted to the specified IP ranges.

[1] https://access.redhat.com/solutions/5158751
Comment 4 Jason Shepherd 2020-12-10 05:12:24 UTC 
Upstream commit:

https://github.com/openshift/cluster-ingress-operator/pull/507
Comment 5 Jason Shepherd 2020-12-14 22:59:35 UTC 
Mitigation:

Move the allowed IP source ranges from the loadBalancerSourceRanges setting to "service.beta.kubernetes.io/load-balancer-source-ranges" annotation. For example: 

oc -n openshift-ingress annotate svc/router-default service.beta.kubernetes.io/load-balancer-source-ranges=10.0.0.0/8,192.168.0.0/16
Comment 6 errata-xmlrpc 2020-12-21 13:23:52 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.6

Via RHSA-2020:5614 https://access.redhat.com/errata/RHSA-2020:5614
Comment 7 Product Security DevOps Team 2020-12-21 13:31:04 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-27836