Bug 2101959 (CVE-2022-2403)
Summary: | CVE-2022-2403 openshift: oauth-serving-cert configmap contains cluster certificate private key | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Anten Skrabec <askrabec> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | unspecified | CC: | bbennett, bmontgom, caswilli, eparis, jburrell, kaycoth, marcus.neumann.u443666, mfojtik, nstielau, oarribas, slaznick, sponnaga, surbania, vkumar, wking |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | If docs needed, set a value | |
Doc Text: |
A credentials leak was found in the OpenShift Container Platform. The private key for the external cluster certificate was stored incorrectly in the oauth-serving-cert ConfigMaps, and accessible to any authenticated OpenShift user or service-account. This flaw allows a malicious user to read the oauth-serving-cert ConfigMap in the openshift-config-managed namespace, compromising any web traffic secured using that certificate.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2022-09-01 06:55:50 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 2084054, 2107024, 2107025, 2107026, 2107027, 2107028 | ||
Bug Blocks: | 2088253, 2107095 |
Description
Anten Skrabec
2022-06-28 22:14:21 UTC
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.10 Via RHSA-2022:5664 https://access.redhat.com/errata/RHSA-2022:5664 Hi everyone, is there any existing plan to back-port the fix to OpenShift v4.9 as well? Thanks in advance, Marcus Hi Marcus, The fix for 4.9 is tracked in BZ 2107027. THX @oarribas, unfortunately I'm not allowed to access. Is there a reason why for v4.9 it's a private RH BZ?... and for v4.10 it's public This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.9 Via RHSA-2022:5879 https://access.redhat.com/errata/RHSA-2022:5879 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-2403 |