Bug 1985962 (CVE-2021-3684)

Summary: CVE-2021-3684 assisted-installer: Image Pull Secret leaked through log files
Product: [Other] Security Response Reporter: Michael Kaplan <mkaplan>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: alazar, lgamliel, mfilanov, mlammon, rfreiman, security-response-team, sfowler
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: openshift/assisted-installer 1.0.25.1, openshift/assisted-installer 2.0.0 Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in OpenShift Assisted Installer. During generation of the Discovery ISO, image pull secrets were leaked as plaintext in the installation logs. An authenticated user could exploit this by re-using the image pull secret to pull container images from the registry as the associated user.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2022-10-19 04:28:57 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1989899, 1991803    
Bug Blocks: 1985966    

Description Michael Kaplan 2021-07-26 11:30:06 UTC 
A vulnerability was found in the Openshift API - Assisted Installer application. The Discovery ISO leaks the Image Pull Secret through several log files.
Comment 1 liat gamliel 2021-08-03 07:56:31 UTC 
@mkaplan can you share in which logs you see the pull secret details?
Comment 7 liat gamliel 2021-08-11 07:13:54 UTC 
Fixed by 
https://issues.redhat.com/browse/MGMT-7450
https://issues.redhat.com/browse/MGMT-7452
Comment 8 mlammon 2021-09-01 19:23:34 UTC 

I have downloaded a recent AI install (Assisted-ui-lib version: 1.5.34)

I checked all the log folder with DumpsterDriver (cool tool!) and found not issue.

python3 DumpsterDiver.py -p /tmp/junk/logs_host_f9fa0a82-7c54-4d58-bcaf-4fb080442cf2 --max-key=200 --min-key 100 --entropy 5
 python3 DumpsterDiver.py -p /tmp/junk/logs_host_a206dca4-25dc-4c7c-b28f-198b93f2170d --max-key=200 --min-key 100 --entropy 5
python3 DumpsterDiver.py -p /tmp/junk/logs_host_60f12793-739a-4730-85bd-a50b3cd31e91 --max-key=200 --min-key 100 --entropy 5
 python3 DumpsterDiver.py -p /tmp/junk/logs_host_5c77f6fb-bbf4-4b80-9ce7-207255f61071 --max-key=200 --min-key 100 --entropy 5
 python3 DumpsterDiver.py -p /tmp/junk/logs_host_08bf447b-afa5-4183-9253-368082726516 --max-key=200 --min-key 100 --entropy 5
 python3 DumpsterDiver.py -p /tmp/junk/logs_host_05a36f25-725d-47cf-9dc2-ef7d9201fe4f --max-key=200 --min-key 100 --entropy 5

python3 DumpsterDiver.py -p /tmp/junk/assisted-installer-controller-h2zlf.logs --max-key=200 --min-key 100 --entropy 5

 

I also used 'grep -r PullSecretToken' and I am not seeing any exposure
Comment 9 mlammon 2021-09-01 19:24:23 UTC 

I have downloaded a recent AI install (Assisted-ui-lib version: 1.5.34)

I checked all the log folder with DumpsterDriver (cool tool!) and found not issue.

python3 DumpsterDiver.py -p /tmp/junk/logs_host_f9fa0a82-7c54-4d58-bcaf-4fb080442cf2 --max-key=200 --min-key 100 --entropy 5
 python3 DumpsterDiver.py -p /tmp/junk/logs_host_a206dca4-25dc-4c7c-b28f-198b93f2170d --max-key=200 --min-key 100 --entropy 5
python3 DumpsterDiver.py -p /tmp/junk/logs_host_60f12793-739a-4730-85bd-a50b3cd31e91 --max-key=200 --min-key 100 --entropy 5
 python3 DumpsterDiver.py -p /tmp/junk/logs_host_5c77f6fb-bbf4-4b80-9ce7-207255f61071 --max-key=200 --min-key 100 --entropy 5
 python3 DumpsterDiver.py -p /tmp/junk/logs_host_08bf447b-afa5-4183-9253-368082726516 --max-key=200 --min-key 100 --entropy 5
 python3 DumpsterDiver.py -p /tmp/junk/logs_host_05a36f25-725d-47cf-9dc2-ef7d9201fe4f --max-key=200 --min-key 100 --entropy 5

python3 DumpsterDiver.py -p /tmp/junk/assisted-installer-controller-h2zlf.logs --max-key=200 --min-key 100 --entropy 5

 

I also used 'grep -r PullSecretToken' and I am not seeing any exposure
Comment 12 liat gamliel 2022-04-10 21:51:59 UTC 
*** Bug 1991803 has been marked as a duplicate of this bug. ***
Comment 13 Sam Fowler 2022-10-06 00:16:47 UTC 
Upstream fixes:

https://github.com/openshift/assisted-installer/commit/f3800cfa3d64ce6dcd6f7b73f0578bb99bfdaf7a
https://github.com/openshift/assisted-installer/commit/2403dad3795406f2c5d923af0894e07bc8b0bdc4
Comment 14 Sam Fowler 2022-10-19 04:28:57 UTC 
This issue has been addressed in the following products:

  OpenShift Assisted Installer

Via RHEA-2021:3455 https://access.redhat.com/errata/RHEA-2021:3455
Comment 15 Sam Fowler 2022-10-19 04:31:14 UTC 
This issue has been addressed in the following products:

  OpenShift Assisted Installer

Via RHEA-2021:3455 https://access.redhat.com/errata/RHEA-2021:3455