Bug 1978144 (CVE-2021-32690)

Summary: CVE-2021-32690 helm: information disclosure vulnerability
Product: [Other] Security Response
Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: helm 3.6.1
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was discovered in Helm, which could allow credentials associated with one Helm repository to be leaked to another repository referenced by the first one. In order to exploit this vulnerability, an attacker would need to control a repository trusted by the configuration of the target Helm instance.
Last Closed: 2021-10-18 20:08:19 UTC
CC: aos-bugs, bcoca, bkundu, bmontgom, chousekn, cmeyers, davidn, dbecker, dperaza, eparis, gblomqui, gghezzo, gparvin, jburrell, jcammara, jchui, jhadvig, jhardy, jjoyce, jlanford, jnakfour, jobarker, jokerman, jramanat, jschluet, jweiser, jwendell, kaycoth, kyoshida, lhh, lpeer, mabashia, mattmill, mburns, notting, nstielau, osapryki, pknezevi, rcernich, relrod, rfreiman, rhos-maint, rpetrell, sclewis, sd-operator-metering, sdoran, slinaber, smcdonal, sponnaga, stcannon, tflannag, thee, tkral, tkuratom, twalsh
Bug Depends On: 1991827, 1980633, 1984588, 1985915, 1987051, 1987052, 1987053, 1987055, 1987056, 1987057, 1988206, 1988207, 1988208, 1988209, 1988210, 1991828
Bug Blocks: 1978146

Description Dhananjay Arunesh 2021-07-01 08:18:13 UTC
Helm is a tool for managing Charts (packages of pre-configured Kubernetes resources). In versions of helm prior to 3.6.1, a vulnerability exists where the username and password credentials associated with a Helm repository could be passed on to another domain referenced by that Helm repository. This issue has been resolved in 3.6.1. There is a workaround through which one may check for improperly passed credentials. One may use a username and password for a Helm repository and may audit the Helm repository in order to check for another domain being used that could have received the credentials. In the `index.yaml` file for that repository, one may look for another domain in the `urls` list for the chart versions. If there is another domain found and that chart version was pulled or installed, the credentials would be passed on.

References:
https://github.com/helm/helm/releases/tag/v3.6.1
https://github.com/helm/helm/security/advisories/GHSA-56hp-xqp3-w2jf
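The audit the description suggests, as an added example (not Helm's code and not from the reporter): parse a repository's index.yaml and flag every chart version whose download URL points at a host other than the repository's own, which is where a pre-3.6.1 client would have forwarded the repository credentials. The sample index and all hostnames are constructed, and no PyYAML dependency is assumed.

```python
# Added example, not Helm's own code: audit a repository index.yaml for chart
# download URLs on a host other than the repository's (constructed sample data).
from urllib.parse import urlparse

SAMPLE_INDEX = """\
apiVersion: v1
entries:
  nginx:
    - name: nginx
      version: 1.2.0
      urls:
        - https://charts.example.com/nginx-1.2.0.tgz
    - name: nginx
      version: 1.1.0
      urls:
        - nginx-1.1.0.tgz
  redis:
    - name: redis
      version: 0.9.0
      urls:
        - https://mirror.other.example/redis-0.9.0.tgz
"""

def parse_index(text):
    """Minimal parser for the index.yaml subset used here (no PyYAML needed)."""
    entries, chart, cur = [], None, None
    for raw in text.splitlines():
        line, indent = raw.strip(), len(raw) - len(raw.lstrip(" "))
        if indent == 2 and line.endswith(":"):          # chart name under entries:
            chart = line[:-1]
        elif indent == 4 and line.startswith("- "):     # first key of a version entry
            cur = {"chart": chart, "version": None, "urls": []}
            entries.append(cur)
            line = line[2:]                             # keys may be in any order
        elif indent == 8 and cur and line.startswith("- "):  # item of the urls: list
            cur["urls"].append(line[2:])
        if cur and line.startswith("version:"):
            cur["version"] = line.split(":", 1)[1].strip()
    return entries

def foreign_hosts(repo_url, index_text):
    """(chart, version, url) for each URL whose host is not the repository host."""
    repo_host = (urlparse(repo_url).hostname or "").lower()
    findings = []
    for entry in parse_index(index_text):
        for url in entry["urls"]:
            host = urlparse(url).hostname   # None for a relative URL (same host)
            if host and host.lower() != repo_host:
                findings.append((entry["chart"], entry["version"], url))
    return findings
```

Relative entries in `urls` resolve against the repository itself and are therefore not reported; only an absolute URL on another domain is the case the description warns about.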

Comment 3 Przemyslaw Roguski 2021-07-22 20:08:59 UTC
Upstream fix:
https://github.com/helm/helm/commit/179f90151d5ecb4aa3d35ada35e82b5c1e791752

Comment 12 Tapas Jena 2021-08-10 06:26:36 UTC
Analysis is complete for Ansible affected components i.e. Ansible Tower (AAP 1.2) and Ansible Controller (AAP 2.0) and it was found that these components are affected by this CVE both from current version and current functionality implementation point of view. Hence, marking Ansible components as "Affected".

Comment 15 errata-xmlrpc 2021-10-18 17:28:35 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.9

Via RHSA-2021:3759 https://access.redhat.com/errata/RHSA-2021:3759

Comment 16 Product Security DevOps Team 2021-10-18 20:08:19 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-32690

Comment 17 errata-xmlrpc 2021-10-20 03:55:16 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8
  Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 7

Via RHSA-2021:3925 https://access.redhat.com/errata/RHSA-2021:3925

Comment 18 errata-xmlrpc 2021-11-11 18:32:14 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.4 for RHEL 8

Via RHSA-2021:4618 https://access.redhat.com/errata/RHSA-2021:4618

Comment 19 errata-xmlrpc 2021-12-01 17:23:58 UTC
This issue has been addressed in the following products:

  RHACS-3.67-RHEL-8

Via RHSA-2021:4902 https://access.redhat.com/errata/RHSA-2021:4902