Bug 1920764 (CVE-2021-20198)
Summary: | CVE-2021-20198 openshift/installer: Bootstrap nodes allow anonymous authentication on kubelet port 10250 | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Sam Fowler <sfowler> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | unspecified | CC: | aos-bugs, aos-install, bmontgom, dramseur, eparis, jburrell, jhunter, jminter, jokerman, jrussell, kmitts, mgala, mjudeiki, mstaeble, nstielau, rphillips, sdodson, security-response-team, sfowler, skuznets, sponnaga, wking |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | github.com/openshift/installer v0.9.0-master.0.20210125200451-95101da940b0 | Doc Type: | If docs needed, set a value |
Doc Text: |
A flaw was found in the OpenShift Installer. During installation of OpenShift Container Platform 4 clusters, bootstrap nodes are provisioned with anonymous authentication enabled on kubelet port 10250. A remote attacker able to reach this port during installation can make unauthenticated `/exec` requests to execute arbitrary commands within running containers. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2021-02-08 14:41:51 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1920243, 1920253, 1920766, 1920767, 1922873 | ||
Bug Blocks: | 1920522, 1926375 |
Description
Sam Fowler
2021-01-27 01:39:31 UTC
Upstream fix: https://github.com/openshift/installer/pull/4590 Mitigation: This issue is mitigated by default on AWS, Azure, GCP and OpenStack as port 10250 is not remotely accessible on bootstrap nodes. For other IPI platforms, bootstrap nodes only exist during the installation window so the exposure is limited. For UPI installations, administrators should prevent remote access to this port on bootstrap nodes and/or remove the nodes once installation is complete This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.6 Via RHSA-2021:0308 https://access.redhat.com/errata/RHSA-2021:0308 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-20198 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.5 Via RHSA-2021:0313 https://access.redhat.com/errata/RHSA-2021:0313 |