Bug 2022017 (CVE-2021-3948)

Summary: CVE-2021-3948 mig-controller: incorrect namespaces handling may lead to not authorized usage of Migration Toolkit for Containers (MTC)
Product: [Other] Security Response Reporter: Przemyslaw Roguski <proguski>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: adsoni, dwhatley, dymurray, ibolton, jmatthew, jmontleo, rjohnson, slucidi, sseago
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: konveyor/mig-controller release-1.5.2, konveyor/mig-controller release-1.6.3 Doc Type: If docs needed, set a value
Doc Text:
An incorrect default permissions vulnerability was found in the mig-controller. Due to an incorrect cluster namespaces handling an attacker may be able to migrate a malicious workload to the target cluster, impacting confidentiality, integrity, and availability of the services located on that cluster.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2022-01-20 07:31:10 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2022479, 2022480    
Bug Blocks: 2021991, 2022409    

Description Przemyslaw Roguski 2021-11-10 15:10:34 UTC 
The Migration Toolkit for Containers (MTC) enables you to migrate stateful application workloads between OpenShift Container Platform 4 clusters at the granularity of a namespace. By default the migration process should be available only for users with cluster-admin privileges on all clusters (source and target). The controller watches ALL namespaces, rather than strictly the openshift-migration namespace, what may lead to not-authorized usage of the Migration Toolkit for Containers (MTC). 

Users with permissions to create MigPlans and MigMigrations CRDs (namespace admins) may create them in their own namespace. 
That would provide a way to register their own (potentially crafted) cluster (source) with a MigCluster in their namespace on the target cluster and migrate malicious workload to the target cluster. Potentially that may lead to the exposure of sensitive information or even may provide a way to permission escalation.
Comment 3 Przemyslaw Roguski 2021-11-24 10:15:22 UTC 
Upstream PRs:
https://github.com/konveyor/mig-controller/pull/1230
https://github.com/konveyor/mig-controller/pull/1228
Comment 4 errata-xmlrpc 2021-11-29 14:32:34 UTC 
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.5

Via RHSA-2021:4848 https://access.redhat.com/errata/RHSA-2021:4848
Comment 5 errata-xmlrpc 2022-01-20 06:31:33 UTC 
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.6

Via RHSA-2022:0202 https://access.redhat.com/errata/RHSA-2022:0202
Comment 6 Product Security DevOps Team 2022-01-20 07:31:08 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3948