Bug 2260371 (CVE-2024-25132)

Summary: CVE-2024-25132 openshift-dedicated: hive: hibernation controller denial of service
Product: [Other] Security Response
Component: vulnerability
Reporter: Robb Gatica <rgatica>
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
Hardware: All
OS: Linux
Keywords: Security
CC: ahanwate, arepton, dfreiber, drow, jburrell, security-response-team, vkumar
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Hive hibernation controller component of OpenShift Dedicated. The ClusterDeployment.hive.openshift.io/v1 resource can be created with the spec.installed field set to true, regardless of the installation status, and a positive timespan for the spec.hibernateAfter value. If a ClusterSync.hiveinternal.openshift.io/v1alpha1 resource is also created, the hive hibernation controller will enter the reconciliation loop leading to a panic when accessing a non-existing field in the ClusterDeployment’s status section, resulting in a denial of service.
Bug Blocks: 2258855

Description Robb Gatica 2024-01-25 18:17:43 UTC
Description:
The hive-controllers pod running in the hive namespace is responsible for
reconciling the custom resources for Hive. This pod bundles all controllers
for hive in a single binary and container.

The ClusterDeployment.hive.openshift.io/v1 resource can be created with the
spec.installed field set to true (regardless of the installation status)
and a positive timespan for the spec.hibernateAfter value. If a
ClusterSync.hiveinternal.openshift.io/v1alpha1 resource is also created,
the hive hibernation controller will enter the reconciliation loop and
panic shortly thereafter, when accessing a non-existing field in the
ClusterDeployment’s status section.

This Denial of Service is persistent: the problematic resources are picked
up for reconciliation when the pod starts. This crashes it, then the
scheduling logic restarts it. The faulty resource has to be manually
removed for the system to restore itself.

Note that the testing environment co-locates hive components to a single
cluster. It is therefore not clear whether the observed behavior is
plausible in a standard setting.

Impact:
By leveraging F-02 Bypass in Managed Resources Admission Webhook, a user
with developer privileges can cause the hive hibernation controller to
panic in a loop, causing the pod to be put in the CrashLoopBackOff state.
The hive hibernation controller is bundled in the hive controller,
rendering all other bundled controllers unavailable.
Recommendations:

If this finding is applicable under normal deployment and resource creation
conditions, check if the fields used by the controller on user-controlled
objects are present before accessing them.