Bug 1985962 (CVE-2021-3684)

Summary: CVE-2021-3684 assisted-installer: Image Pull Secret leaked through log files
Product: [Other] Security Response
Reporter: Michael Kaplan <mkaplan>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: alazar, lgamliel, mfilanov, mlammon, rfreiman, security-response-team, sfowler
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: openshift/assisted-installer 1.0.25.1, openshift/assisted-installer 2.0.0
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in OpenShift Assisted Installer. During generation of the Discovery ISO, image pull secrets were leaked as plaintext in the installation logs. An authenticated user could exploit this by re-using the image pull secret to pull container images from the registry as the associated user.
Story Points: ---
Clone Of:
Last Closed: 2022-10-19 04:28:57 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On: 1989899, 1991803
Bug Blocks: 1985966

Description Michael Kaplan 2021-07-26 11:30:06 UTC
A vulnerability was found in the OpenShift API - Assisted Installer application. The Discovery ISO leaks the Image Pull Secret through several log files.

Comment 1 liat gamliel 2021-08-03 07:56:31 UTC
@mkaplan can you share in which logs you see the pull secret details?

Comment 8 mlammon 2021-09-01 19:23:34 UTC

I have downloaded a recent AI install (Assisted-ui-lib version: 1.5.34)

I checked all the log folders with DumpsterDiver (cool tool!) and found no issue.

python3 DumpsterDiver.py -p /tmp/junk/logs_host_f9fa0a82-7c54-4d58-bcaf-4fb080442cf2 --max-key=200 --min-key 100 --entropy 5
python3 DumpsterDiver.py -p /tmp/junk/logs_host_a206dca4-25dc-4c7c-b28f-198b93f2170d --max-key=200 --min-key 100 --entropy 5
python3 DumpsterDiver.py -p /tmp/junk/logs_host_60f12793-739a-4730-85bd-a50b3cd31e91 --max-key=200 --min-key 100 --entropy 5
python3 DumpsterDiver.py -p /tmp/junk/logs_host_5c77f6fb-bbf4-4b80-9ce7-207255f61071 --max-key=200 --min-key 100 --entropy 5
python3 DumpsterDiver.py -p /tmp/junk/logs_host_08bf447b-afa5-4183-9253-368082726516 --max-key=200 --min-key 100 --entropy 5
python3 DumpsterDiver.py -p /tmp/junk/logs_host_05a36f25-725d-47cf-9dc2-ef7d9201fe4f --max-key=200 --min-key 100 --entropy 5

python3 DumpsterDiver.py -p /tmp/junk/assisted-installer-controller-h2zlf.logs --max-key=200 --min-key 100 --entropy 5

I also used 'grep -r PullSecretToken' and I am not seeing any exposure
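The check above combines two ideas: a literal search for a known field name and an entropy scan for anything that looks like a credential. The script below is an added example written for this bug report, not code from the assisted-installer project or from the commenter. It combines a structural match on the "auth" entry that an OpenShift-style pull secret JSON carries with a Shannon-entropy check on long token-like runs, reports where a leak sits in a log without printing the secret, and redacts the flagged spans so the log can be shared. The log lines, registry name, credential and token are all constructed for the example; the 4.0 bits/char threshold is an assumed tuning value, not the DumpsterDiver default.

```python
"""Detect and redact image pull secrets leaked into installer logs.

Added example; not code from the assisted-installer project.
"""
import base64
import binascii
import json
import math
import re

# Structural detector: the "auth" entry inside a pull secret's "auths" map.
AUTH_RE = re.compile(r'"auth"\s*:\s*"([A-Za-z0-9+/=]{8,})"')
# Entropy detector: long runs drawn from the base64 / URL-safe alphabet.
TOKEN_RE = re.compile(r'[A-Za-z0-9+/=_\-]{20,}')
REDACTED = "[REDACTED]"


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or uniform string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_basic_credential(token: str) -> bool:
    """True if token base64-decodes to user:password form, as a registry auth entry does."""
    try:
        decoded = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return False
    return b":" in decoded


def scan_line(line: str, entropy_threshold: float = 4.0) -> list:
    """Findings for one log line as (kind, start, end); the secret itself is never returned."""
    findings = []
    seen = set()
    for m in AUTH_RE.finditer(line):
        token = m.group(1)
        seen.add(token)
        kind = "pull-secret-auth" if looks_like_basic_credential(token) else "auth-field"
        findings.append((kind, m.start(1), m.end(1)))
    for m in TOKEN_RE.finditer(line):
        token = m.group(0)
        if token in seen:
            continue  # already reported by the structural detector
        if shannon_entropy(token) >= entropy_threshold:
            findings.append(("high-entropy-token", m.start(), m.end()))
    return findings


def scan_log(text: str) -> list:
    """Findings across a whole log as (line_number, kind) pairs."""
    results = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, _start, _end in scan_line(line):
            results.append((lineno, kind))
    return results


def redact_log(text: str) -> str:
    """Replace every flagged span with a placeholder so the log can be shared safely."""
    out = []
    for line in text.splitlines():
        # Apply replacements right-to-left so earlier offsets stay valid.
        for _kind, start, end in sorted(scan_line(line), key=lambda f: f[1], reverse=True):
            line = line[:start] + REDACTED + line[end:]
        out.append(line)
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


# Constructed sample: a pull secret in the layout OpenShift uses, with a made-up
# registry and credential, embedded in fake installer log lines.
FAKE_AUTH = base64.b64encode(b"user:this-is-a-constructed-secret").decode()
FAKE_PULL_SECRET = json.dumps(
    {"auths": {"registry.example.test": {"auth": FAKE_AUTH, "email": "user@example.test"}}}
)
FAKE_TOKEN = "Q7pL2mZ9vK4sX8wR1tY6nH3bG5cJ0dF"  # constructed; 31 distinct characters
SAMPLE_LOG = (
    "2021-07-26T11:30:06Z INFO generating discovery ISO for cluster 1234\n"
    "2021-07-26T11:30:07Z DEBUG ignition config: " + FAKE_PULL_SECRET + "\n"
    "2021-07-26T11:30:08Z DEBUG agent registered with token " + FAKE_TOKEN + "\n"
)

if __name__ == "__main__":
    for lineno, kind in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {kind}")
    print(redact_log(SAMPLE_LOG))
```

Run stand-alone it reports the pull-secret auth entry on line 2 and the high-entropy token on line 3, then prints the redacted log. The structural detector is the one worth wiring into a log pipeline for this bug class, since the "auth" field is what a registry credential looks like regardless of its entropy; the entropy pass is the broader net for tokens that carry no such marker.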

Comment 9 mlammon 2021-09-01 19:24:23 UTC

I have downloaded a recent AI install (Assisted-ui-lib version: 1.5.34)

I checked all the log folders with DumpsterDiver (cool tool!) and found no issue.

python3 DumpsterDiver.py -p /tmp/junk/logs_host_f9fa0a82-7c54-4d58-bcaf-4fb080442cf2 --max-key=200 --min-key 100 --entropy 5
python3 DumpsterDiver.py -p /tmp/junk/logs_host_a206dca4-25dc-4c7c-b28f-198b93f2170d --max-key=200 --min-key 100 --entropy 5
python3 DumpsterDiver.py -p /tmp/junk/logs_host_60f12793-739a-4730-85bd-a50b3cd31e91 --max-key=200 --min-key 100 --entropy 5
python3 DumpsterDiver.py -p /tmp/junk/logs_host_5c77f6fb-bbf4-4b80-9ce7-207255f61071 --max-key=200 --min-key 100 --entropy 5
python3 DumpsterDiver.py -p /tmp/junk/logs_host_08bf447b-afa5-4183-9253-368082726516 --max-key=200 --min-key 100 --entropy 5
python3 DumpsterDiver.py -p /tmp/junk/logs_host_05a36f25-725d-47cf-9dc2-ef7d9201fe4f --max-key=200 --min-key 100 --entropy 5

python3 DumpsterDiver.py -p /tmp/junk/assisted-installer-controller-h2zlf.logs --max-key=200 --min-key 100 --entropy 5

I also used 'grep -r PullSecretToken' and I am not seeing any exposure

Comment 12 liat gamliel 2022-04-10 21:51:59 UTC
*** Bug 1991803 has been marked as a duplicate of this bug. ***

Comment 14 Sam Fowler 2022-10-19 04:28:57 UTC
This issue has been addressed in the following products:

  OpenShift Assisted Installer

Via RHEA-2021:3455 https://access.redhat.com/errata/RHEA-2021:3455

Comment 15 Sam Fowler 2022-10-19 04:31:14 UTC
This issue has been addressed in the following products:

  OpenShift Assisted Installer

Via RHEA-2021:3455 https://access.redhat.com/errata/RHEA-2021:3455