Bug 1947361 (CVE-2021-3495)

Summary: CVE-2021-3495 kiali/kiali-operator: can deploy specified image to any namespace
Product: [Other] Security Response Reporter: Marian Rehak <mrehak>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: askrabec, jshaughn, jwendell, kconner, rcernich, security-response-team, twalsh
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: kiali/kiali-operator 1.33.0, kiali/kiali-operator 1.24.7 Doc Type: If docs needed, set a value
Doc Text:
An incorrect access control flaw was found in the kiali-operator. This flaw allows an attacker with a basic level of access to the cluster (to deploy a kiali operand) to use this vulnerability and deploy a given image to anywhere in the cluster, potentially gaining access to privileged service account tokens. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-05-12 02:33:48 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1947362, 1948689    

Description Marian Rehak 2021-04-08 09:56:28 UTC 
If you create a kiali instance, then you can specify any project in yaml and it will be installed there, ignoring the rights to this project. If current user has edit permissions to 'user-namespace' but not to 'any-namespace', kiali anyway will be created in 'any-namespace'.

Reference:

https://issues.redhat.com/browse/KIALI-3278
Comment 3 Mark Cooper 2021-04-13 04:04:40 UTC 
Very similar to https://access.redhat.com/security/cve/cve-2020-14306 where an attacker would need some level of privilege to begin with.
Comment 4 Mark Cooper 2021-04-16 04:08:09 UTC 
Upstream fix: https://github.com/kiali/kiali-operator/pull/278
Comment 5 Mark Cooper 2021-04-16 11:28:13 UTC 
Acknowledgments:

Name: Vladimir Andryushin (VTB Bank (PJSC))
Comment 9 errata-xmlrpc 2021-05-11 23:41:17 UTC 
This issue has been addressed in the following products:

  OpenShift Service Mesh 2.0

Via RHSA-2021:1544 https://access.redhat.com/errata/RHSA-2021:1544
Comment 10 Product Security DevOps Team 2021-05-12 02:33:48 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3495
Comment 11 Mark Cooper 2021-05-12 02:51:53 UTC 
External References:

https://kiali.io/news/security-bulletins/kiali-security-003/
Comment 13 Mark Cooper 2021-05-12 04:51:05 UTC 
Statement:

In regards to the ServiceMesh `openshift-service-mesh/kiali-rhel7` container, it has been superseded by the `openshift-service-mesh/kiali-rhel8` container and is no longer supported.