Bug 1951025

Summary: codecov: Unauthorized access to Bash Uploader script
Product: [Other] Security Response
Reporter: Pedro Sampaio <psampaio>
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW ---
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: amackenz, amasferr, bmontgom, chazlett, eparis, hvyas, jburrell, kaycoth, mkudlej, nstielau, rcernich, rphillips, sponnaga, tjochec, vmugicag
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1951389, 1951390, 1951394, 1951993, 1951994
Bug Blocks: 1951026

Description Pedro Sampaio 2021-04-19 12:38:26 UTC
A flaw was found in codecov: an error in Codecov's Docker image creation process allowed the actor to extract the credential required to modify the Bash Uploader script.

References:

https://about.codecov.io/security-update/

Comment 18 Jason Shepherd 2021-04-28 04:17:56 UTC
Statement:

Codecov is not usually a component shipped by products, but is sometimes used during product builds. The flaw is the outcome of an investigation into how the use of Covscan in our builds might have affected Red Hat products or services.

Red Hat's internal build system (Koji) does not have egress to the internet, so the malicious script could not have been used on those systems to exfiltrate secret environment information directly. We are still investigating whether upstream builds might have been impacted.

OpenShift Container Platform's cri-o component is not affected because the GitHub actions job which executes codecov does not add any secrets: https://github.com/cri-o/cri-o/blob/8ab831e686740a25509514010fba4bb2abca0f28/.github/workflows/test.yml#L273-L282

OpenShift Container Platform's coredns component does not use codecov at all.

OpenShift Container Platform's etcd component is not affected because it doesn't ship any binary, upstream or downstream, built with this testing Dockerfile, which has a reference to the codecov bash uploader script.

OpenShift Container Platform's ose-cluster-ingress-operator component is not affected because it does not use codecov during a Red Hat downstream build.
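As an added defensive check (not part of this bug record or the cri-o repository), the Python below performs the audit the statement describes for cri-o: it walks a GitHub Actions workflow and, for every step that runs the Codecov uploader, lists the repository secrets expanded into that step's environment, from the step's own `env:` or the job-level `env:`. The sample workflow, the regexes and the function names are constructed for this example.

```python
import re

# Constructed sample workflow (not the cri-o file cited in the comment). Job "unit"
# exposes secrets to the step running the bash uploader; "integration" does not.
SAMPLE_WORKFLOW = """\
jobs:
  unit:
    runs-on: ubuntu-latest
    env:
      GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    steps:
      - run: make test
      - name: upload coverage
        env:
          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
        run: bash <(curl -s https://codecov.io/bash)
  integration:
    runs-on: ubuntu-latest
    steps:
      - run: bash <(curl -s https://codecov.io/bash)
"""

UPLOADER_RE = re.compile(r"codecov\.io/bash|codecov/codecov-action")
SECRET_RE = re.compile(r"\$\{\{\s*secrets\.(\w+)")


def split_steps(text):
    """(job, job_level_text, step_text) per step; line-based, 2-space indent assumed."""
    steps, in_jobs, job, ctx, step, step_indent = [], False, None, [], None, None
    for line in filter(str.strip, text.splitlines()):
        stripped = line.lstrip(" ")
        indent = len(line) - len(stripped)
        if indent == 0:                       # top-level key: inside jobs: or not
            in_jobs = stripped.startswith("jobs:")
        elif in_jobs and indent == 2 and re.fullmatch(r"[\w-]+:\s*", stripped):
            job, ctx, step, step_indent = stripped.split(":")[0], [], None, None
        elif stripped.startswith("- ") and (step_indent is None or indent <= step_indent):
            step, step_indent = [line], indent    # new list item under steps:
            steps.append((job, ctx, step))
        else:                                 # body line: job level or step level
            (step if step is not None else ctx).append(line)
    return [(j, "\n".join(c), "\n".join(s)) for j, c, s in steps]


def audit_uploader_steps(text):
    """For each step running the Codecov uploader: (job, sorted GitHub secret names
    expanded in that step's env or its job's env). [] is the cri-o case above."""
    return [(job, sorted(set(SECRET_RE.findall(ctx + "\n" + block))))
            for job, ctx, block in split_steps(text) if UPLOADER_RE.search(block)]
```

On the sample, the "unit" job reports CODECOV_TOKEN and GITHUB_TOKEN as readable by the uploader step, while "integration" reports none, which is the condition the statement relies on for cri-o.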