Bug 1955601 (CVE-2021-3528)

Summary: CVE-2021-3528 NooBaa: noobaa-operator leaking RPC AuthToken into log files
Product: [Other] Security Response
Reporter: Hardik Vyas <hvyas>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: hvyas
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: noobaa-operator 5.7.0
Doc Text:
A flaw was found in NooBaa, where the internal RPC AuthTokens exchanged between the noobaa operator and the noobaa core are written into log files. An attacker with access to those log files could use such an AuthToken to gain additional access to the NooBaa deployment and read or modify its system configuration.
Last Closed: 2021-05-19 14:33:46 UTC
Bug Depends On: 1935262, 1956211
Bug Blocks: 1937465, 1955758
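The leak described in the Doc Text above is a logging problem: an operator-to-core RPC request was written to the operator log with its token still in it, and must-gather then collects that log along with everything else the pod wrote. The Go program below is an added example written for this page, not noobaa-operator's own code. It puts the leaking pattern beside a redacting variant and adds a scanner that reports which lines of a log carry a cleartext token, so a must-gather bundle can be checked before it is shared. The message layout (a JSON object with an `auth_token` field), the API and method names, and the sample token value are assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// rpcMessage is the shape assumed here for an operator-to-core RPC request:
// a JSON object carrying the call plus the auth token. The field names are an
// assumption for this example, not a description of noobaa-operator's types.
type rpcMessage struct {
	API       string          `json:"api"`
	Method    string          `json:"method"`
	Params    json.RawMessage `json:"params,omitempty"`
	AuthToken string          `json:"auth_token,omitempty"`
}

// logLineUnsafe shows the pattern behind the flaw: the whole request is
// serialized into the log line, token included.
func logLineUnsafe(msg rpcMessage) string {
	b, _ := json.Marshal(msg)
	return fmt.Sprintf("RPC request: %s", b)
}

// logLineRedacted is the hardened form: the token is replaced before the
// request reaches the logger, so collected logs never contain it.
func logLineRedacted(msg rpcMessage) string {
	clean := msg // copy; the caller's message keeps its real token
	if clean.AuthToken != "" {
		clean.AuthToken = "[redacted]"
	}
	b, _ := json.Marshal(clean)
	return fmt.Sprintf("RPC request: %s", b)
}

// authTokenPattern matches an auth_token JSON field whose value is non-empty
// and is not a bracketed redaction marker such as "[redacted]".
var authTokenPattern = regexp.MustCompile(`"auth_token"\s*:\s*"([^"\[]+)"`)

// findLeakedTokens scans log text (for example an operator log pulled out of a
// must-gather bundle) and returns the 1-based numbers of lines that carry a
// cleartext auth token.
func findLeakedTokens(logText string) []int {
	var hits []int
	for i, line := range strings.Split(logText, "\n") {
		if authTokenPattern.MatchString(line) {
			hits = append(hits, i+1)
		}
	}
	return hits
}

func main() {
	// Constructed sample request; the token value is made up for the example.
	msg := rpcMessage{
		API:       "system_api",
		Method:    "read_system",
		Params:    json.RawMessage(`{}`),
		AuthToken: "eyJhbGciOiJIUzI1NiJ9.example-token",
	}
	logs := logLineUnsafe(msg) + "\n" + logLineRedacted(msg) + "\n"
	fmt.Print(logs)
	fmt.Println("lines with leaked tokens:", findLeakedTokens(logs))
}
```

Run it with `go run`; the first log line is flagged and the redacted one is not. To check a real bundle, read the operator log file into a string and pass it to `findLeakedTokens`. Two points for a deployment: the redaction has to happen before the message reaches any logger, debug level included, because must-gather collects whatever the pod wrote; and upgrading to the fixed version only stops new leaks, so logs and must-gather bundles collected earlier should be treated as containing a usable token until that token is no longer valid.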

Description Hardik Vyas 2021-04-30 13:54:26 UTC
An issue was discovered in OpenShift Container Storage (OCS) 4, where internal RPC AuthTokens between the noobaa operator and the noobaa core are leaked into log files. Logs of the noobaa operator are part of must-gather data, as are any other OCS component logs, so the AuthToken can also be retrieved from must-gather logs. A user with sufficient privileges could read the AuthToken from the logs and use it to access other resources.

Comment 1 Hardik Vyas 2021-04-30 13:54:30 UTC
Acknowledgments:

Name: Martin Bukatovic (Red Hat)

Comment 5 errata-xmlrpc 2021-05-19 09:14:49 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Storage 4.7.0 on RHEL-8

Via RHSA-2021:2041 https://access.redhat.com/errata/RHSA-2021:2041

Comment 6 Product Security DevOps Team 2021-05-19 14:33:46 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3528

Comment 7 errata-xmlrpc 2021-06-17 15:46:42 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Storage 4.6.0 on RHEL-8

Via RHSA-2021:2479 https://access.redhat.com/errata/RHSA-2021:2479