Bug 2081181 (CVE-2022-1632)

Summary: CVE-2022-1632 Openshift: ClusterIP Service TLS certificate not checked by route controller if re-encrypt Route destinationCACertificate field is explicitly set to default serviceCA
Product: [Other] Security Response
Reporter: Anten Skrabec <askrabec>
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW ---
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: adudiak, akashem, aos-bugs, bcoca, bmontgom, chousekn, cmeyers, davidn, eparis, gblomqui, infra-sig, jburrell, jcammara, jhardy, jobarker, joelsmith, jokerman, kshier, mabashia, mfojtik, notting, nstielau, osapryki, pbunev, relrod, rpetrell, sdoran, shaising, smcdonal, sponnaga, stcannon, tfister, tkuratom, vkumar, xxia, yguenane
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
An improper certificate validation flaw was found in OpenShift. A re-encrypt Route with destinationCACertificate explicitly set to the default serviceCA skips internal Service TLS certificate validation. This flaw allows an attacker to exploit an invalid certificate, resulting in a loss of confidentiality.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2093936, 2083320, 2083321, 2109273
Bug Blocks: 2044612

Description Anten Skrabec 2022-05-02 22:45:16 UTC
A re-encrypt Route with destinationCACertificate explicitly set to the default serviceCA seems to skip internal Service TLS certificate validation, serving content without error even if the target Service certificate and the certificate presented by the target Pod(s) differ.
Note that if we don't set destinationCACertificate in the Route yaml manifest (the Route will still implicitly use the same default serviceCA certificate, as described in the doc [1]) we will correctly get an error page.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2041857
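An added audit check, not part of this report or of OpenShift itself, that finds Routes in the configuration described above. It assumes Route objects in the JSON shape returned by `oc get routes -A -o json` and that the caller supplies the cluster's service CA bundle as PEM text; the sample data below is constructed with placeholder PEM strings.

```python
"""Flag re-encrypt Routes whose destinationCACertificate is explicitly set to
the default service CA (the combination the report says skips backend checks).
Routes that leave destinationCACertificate unset are not flagged: the report
says those still validate the backend certificate correctly."""


def _norm_pem(pem: str) -> str:
    # Ignore line-wrapping and indentation differences between YAML and the bundle.
    return "".join(pem.split())


def find_affected_routes(route_list: dict, service_ca_pem: str) -> list:
    """Return "namespace/name" for every Route matching the vulnerable pattern."""
    hits = []
    want = _norm_pem(service_ca_pem)
    for route in route_list.get("items", []):
        tls = route.get("spec", {}).get("tls") or {}
        if tls.get("termination") != "reencrypt":
            continue  # edge/passthrough routes do not carry a destination CA
        dest_ca = tls.get("destinationCACertificate")
        if not dest_ca:
            continue  # implicit default service CA: validation works per the report
        if _norm_pem(dest_ca) == want:
            meta = route["metadata"]
            hits.append(f"{meta['namespace']}/{meta['name']}")
    return hits


# Constructed sample input (placeholder PEM text, not real certificates).
SERVICE_CA = "-----BEGIN CERTIFICATE-----\nSERVICECA-PLACEHOLDER\n-----END CERTIFICATE-----\n"
OTHER_CA = "-----BEGIN CERTIFICATE-----\nOTHER-CA-PLACEHOLDER\n-----END CERTIFICATE-----\n"
ROUTES = {"items": [
    {"metadata": {"namespace": "app", "name": "explicit-default-ca"},
     "spec": {"tls": {"termination": "reencrypt",
                      "destinationCACertificate": "  " + SERVICE_CA.replace("\n", "\n  ")}}},
    {"metadata": {"namespace": "app", "name": "implicit-default-ca"},
     "spec": {"tls": {"termination": "reencrypt"}}},
    {"metadata": {"namespace": "app", "name": "custom-ca"},
     "spec": {"tls": {"termination": "reencrypt", "destinationCACertificate": OTHER_CA}}},
    {"metadata": {"namespace": "app", "name": "edge-only"},
     "spec": {"tls": {"termination": "edge"}}},
    {"metadata": {"namespace": "app", "name": "plain-http"}, "spec": {}},
]}

if __name__ == "__main__":
    for name in find_affected_routes(ROUTES, SERVICE_CA):
        print("review route:", name)
```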

Comment 1 Sage McTaggart 2022-05-09 16:57:52 UTC
Created ansible-collection-community-kubernetes tracking bugs for this issue:

Affects: fedora-34 [bug 2083320]
Affects: fedora-35 [bug 2083321]

Comment 12 Sage McTaggart 2022-07-19 17:41:41 UTC
Is there an estimated "fixed in" or eta for the fix? Thanks!