Bug 2076211 (CVE-2022-1677)

Summary: CVE-2022-1677 openshift/router: route hijacking attack via crafted HAProxy configuration file
Product: [Other] Security Response Reporter: Avinash Hanwate <ahanwate>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aos-network-edge-staff, bmontgom, eparis, jburrell, jokerman, nstielau, security-response-team, skrenger, sponnaga, vkumar
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
In OpenShift Container Platform, a user with permissions to create or modify Routes can craft a payload that inserts a malformed entry into one of the cluster router's HAProxy configuration files. This malformed entry can match any arbitrary hostname, or all hostnames in the cluster, and direct traffic to an arbitrary application within the cluster, including one under attacker control.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2022-05-31 12:31:15 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2074304, 2074839, 2076371, 2076373, 2076380, 2076382, 2076383, 2076384    
Bug Blocks: 2074345    

Description Avinash Hanwate 2022-04-18 09:45:22 UTC 
A user can craft a route that injects a bogus entry into one of the HAProxy configuration files.  This bogus entry can match any arbitrary hostname, or all hostnames in the cluster, and direct traffic to an arbitrary application, including one belonging to the user who is performing the attack.
Comment 10 Sam Fowler 2022-05-13 07:31:03 UTC 
Upstream fix:

https://github.com/openshift/router/pull/381
Comment 11 errata-xmlrpc 2022-05-25 04:30:28 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.9

Via RHSA-2022:2283 https://access.redhat.com/errata/RHSA-2022:2283
Comment 12 errata-xmlrpc 2022-05-25 12:02:56 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.7

Via RHSA-2022:2268 https://access.redhat.com/errata/RHSA-2022:2268
Comment 13 errata-xmlrpc 2022-05-25 21:48:19 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.8

Via RHSA-2022:2272 https://access.redhat.com/errata/RHSA-2022:2272
Comment 14 errata-xmlrpc 2022-05-26 17:00:16 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.6

Via RHSA-2022:2264 https://access.redhat.com/errata/RHSA-2022:2264
Comment 15 errata-xmlrpc 2022-05-31 08:42:35 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.11

Via RHSA-2022:2281 https://access.redhat.com/errata/RHSA-2022:2281
Comment 16 Product Security DevOps Team 2022-05-31 12:31:14 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-1677