Bug 2101959 (CVE-2022-2403)

Summary: CVE-2022-2403 openshift: oauth-serving-cert configmap contains cluster certificate private key
Product: [Other] Security Response Reporter: Anten Skrabec <askrabec>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: bbennett, bmontgom, caswilli, eparis, jburrell, kaycoth, marcus.neumann.u443666, mfojtik, nstielau, oarribas, slaznick, sponnaga, surbania, vkumar, wking
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A credentials leak was found in the OpenShift Container Platform. The private key for the external cluster certificate was stored incorrectly in the oauth-serving-cert ConfigMaps, and accessible to any authenticated OpenShift user or service-account. This flaw allows a malicious user to read the oauth-serving-cert ConfigMap in the openshift-config-managed namespace, compromising any web traffic secured using that certificate.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2022-09-01 06:55:50 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2084054, 2107024, 2107025, 2107026, 2107027, 2107028    
Bug Blocks: 2088253, 2107095    

Description Anten Skrabec 2022-06-28 22:14:21 UTC 
the `oauth-serving-cert` configmap in openshift-config-managed and openshift-console projects contains the private key of the cluster external certificate
Comment 4 Sam Fowler 2022-07-14 22:54:28 UTC 
Upstream fix:

https://github.com/openshift/cluster-authentication-operator/pull/573
Comment 8 errata-xmlrpc 2022-07-25 06:52:47 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.10

Via RHSA-2022:5664 https://access.redhat.com/errata/RHSA-2022:5664
Comment 10 Marcus 2022-07-29 07:08:32 UTC 
Hi everyone,

is there any existing plan to back-port the fix to OpenShift v4.9 as well?


Thanks in advance,
Marcus
Comment 11 oarribas 2022-08-01 12:29:36 UTC 
Hi Marcus,


The fix for 4.9 is tracked in BZ 2107027.
Comment 12 Marcus 2022-08-02 05:32:46 UTC 
THX @oarribas, unfortunately I'm not allowed to access. Is there a reason why for v4.9 it's a private RH BZ?... and for v4.10 it's public
Comment 14 errata-xmlrpc 2022-08-09 14:00:57 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.9

Via RHSA-2022:5879 https://access.redhat.com/errata/RHSA-2022:5879
Comment 15 Product Security DevOps Team 2022-09-01 06:55:48 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-2403