Bug 2262158 (CVE-2024-1139)

Summary: CVE-2024-1139 cluster-monitoring-operator: credentials leak
Product: [Other] Security Response Reporter: Nick Tait <ntait>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: dfreiber, dmohr, drow, gparvin, jburrell, jfajersk, lbainbri, njean, owatkins, pahickey, rhaigner, security-response-team, sidakwo, spasquie, vkumar
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A credentials leak vulnerability was found in the cluster monitoring operator in OCP. This issue may allow a remote attacker who has basic login credentials to check the pod manifest to discover a repository pull secret.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2262168    

Description Nick Tait 2024-01-31 20:53:18 UTC 
The below issue was reported to ProdSec by Simon Pasquier:

In OCP, the telemeter-client pod running in the
openshift-monitoring has an annotation containing the cluster's pull secret
for the cloud.openshift.com and quay.io registries.

The cause of the bug is that we use the token string concatenated with the
hash [2] instead of writing the token string to the hash object and calling
Sum() with a nil slice.

The impact is that any user which can read the definition of the
telemeter-client pod and/or deployment gets access to the pull secret
token. Users with permissions from the cluster-reader clusterrole already
have access to the original pull secret because they can read the
"pull-secret" Secret in the openshift-config namespace.

The issue has been present since OCP 4.12 [3] [4].


[1] https://issues.redhat.com/browse/OCPBUGS-28650
[2]
https://github.com/openshift/cluster-monitoring-operator/blob/d45a3335c2bbada0948adef9fcba55c4e14fa1d7/pkg/manifests/manifests.go#L3135
[3] https://bugzilla.redhat.com/show_bug.cgi?id=2114721
[4] https://github.com/openshift/cluster-monitoring-operator/pull/1747
Comment 5 errata-xmlrpc 2024-04-25 15:50:57 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:1887 https://access.redhat.com/errata/RHSA-2024:1887
Comment 6 errata-xmlrpc 2024-05-02 16:37:32 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2024:2047 https://access.redhat.com/errata/RHSA-2024:2047