Bug 2269376 (CVE-2024-13484)

Summary: CVE-2024-13484 openshift-gitops-operator-container: Namespace Isolation Break
Product: [Other] Security Response
Reporter: Patrick Del Bello <pdelbell>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: anjoseph, ellin, gsuckevi, jprabhak, security-response-team, shbose, wtam
Keywords: Security
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in openshift-gitops-operator-container. The openshift.io/cluster-monitoring label is applied to all namespaces that deploy an ArgoCD CR instance, allowing the namespace to create a rogue PrometheusRule. This issue can have adverse effects on the platform monitoring stack, as the rule is rolled out cluster-wide when the label is applied.
Bug Blocks: 2269375

Description Patrick Del Bello 2024-03-13 13:43:24 UTC
Currently argocd applies the label openshift.io/cluster-monitoring to all namespaces that deploy an ArgoCD CR instance. This then allows the namespace to create a rogue PrometheusRule that can then have adverse effects on the platform monitoring stack. As the label is applied, the rule is rolled out cluster-wide.

This gives anyone who has argocd instances deployed a way to escalate out of their namespace isolation and affect the entire cluster.
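An audit helper for cluster administrators, added here as an example and not part of the bug report or the operator's code: it lists every namespace carrying openshift.io/cluster-monitoring=true that is not a platform namespace, then lists the PrometheusRule objects living in those namespaces, which is exactly where a rogue rule picked up by the platform stack would sit. It assumes the input has the shape of `oc get namespaces -o json` and `oc get prometheusrules -A -o json` (the PrometheusRule CRD must be installed), and the platform-namespace prefix allowlist is an assumption; the sample objects are constructed for the example.

```python
import json

MONITORING_LABEL = "openshift.io/cluster-monitoring"


def labelled_namespaces(ns_list):
    """Names of namespaces whose cluster-monitoring label is set to 'true'."""
    return sorted(
        item["metadata"]["name"]
        for item in ns_list.get("items", [])
        if item["metadata"].get("labels", {}).get(MONITORING_LABEL) == "true"
    )


def unexpected_namespaces(ns_list, allowed_prefixes=("openshift-", "kube-")):
    """Labelled namespaces that are not platform namespaces (prefix allowlist is an assumption)."""
    return [n for n in labelled_namespaces(ns_list) if not n.startswith(allowed_prefixes)]


def rules_in_namespaces(rule_list, namespaces):
    """(namespace, name) of every PrometheusRule found in the given namespaces."""
    wanted = set(namespaces)
    return sorted(
        (r["metadata"]["namespace"], r["metadata"]["name"])
        for r in rule_list.get("items", [])
        if r["metadata"]["namespace"] in wanted
    )


def _ns(name, labelled):
    """Build a constructed Namespace object in the API shape."""
    labels = {MONITORING_LABEL: "true"} if labelled else {}
    return {"metadata": {"name": name, "labels": labels}}


# Constructed sample data: two platform namespaces, one tenant namespace that
# received the label via its ArgoCD CR, and one tenant namespace without it.
SAMPLE_NAMESPACES = {"items": [
    _ns("openshift-monitoring", True), _ns("openshift-gitops", True),
    _ns("team-a", True), _ns("team-b", False),
]}
SAMPLE_RULES = {"items": [
    {"metadata": {"namespace": "team-a", "name": "rogue-rule"}},
    {"metadata": {"namespace": "openshift-monitoring", "name": "platform-rule"}},
]}


def audit(ns_list=SAMPLE_NAMESPACES, rule_list=SAMPLE_RULES):
    """Return the suspicious namespaces and the PrometheusRules found in them."""
    suspects = unexpected_namespaces(ns_list)
    return {"namespaces": suspects, "rules": rules_in_namespaces(rule_list, suspects)}


if __name__ == "__main__":
    print(json.dumps(audit(), indent=2))
```

On a live cluster, feed `json.load(open(...))` of the two `oc get ... -o json` dumps into `audit()` instead of the sample objects.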