Bug 1967738 (CVE-2021-3586)
| Summary: | CVE-2021-3586 servicemesh-operator: NetworkPolicy resources incorrectly specify ports for ingress resources | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Anten Skrabec <askrabec> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | jwendell, kconner, rcernich, security-response-team, twalsh |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | servicemesh-operator-2.0.5-3.el8 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A flaw was found in servicemesh-operator. The NetworkPolicy resources installed for Maistra do not properly specify which ports may be accessed, allowing access to all ports on these resources from any pod. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-06-10 21:03:57 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1967739, 1968734 | ||
This issue has been addressed in the following products: OpenShift Service Mesh 2.0 Via RHSA-2021:2380 https://access.redhat.com/errata/RHSA-2021:2380 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-3586 (actually needinfo-ing anten this time instead of the whole team) |
The NetworkPolicy resources installed for Maistra do not properly specify which ports may be accessed. This allows access to all ports on these resources from any pod. For example, the ports for istiod are currently specified as: spec: ingress: - ports: port: webhook and should be specified as: spec: ingress: ports: - port: webhook Network policies applied to the following resources are affected: - istiod - grafana - kiali - prometheus - jaeger - galley - sidecar injector Jira Issue: https://issues.redhat.com/browse/MAISTRA-2401