Bug 2272948 (CVE-2024-31419)

Summary: CVE-2024-31419 cnv: information disclosure through the usage of vm-dump-metrics
Product: [Other] Security Response
Reporter: Zack Miele <zmiele>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW ---
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: dholler, dkenigsb, fdeutsch, jcanocan, oramraz, smullick
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: CNV 4.15.1
Doc Type: If docs needed, set a value
Doc Text:
An information disclosure flaw was found in OpenShift Virtualization. The DownwardMetrics feature was introduced to expose host metrics to virtual machine guests and is enabled by default. This issue could expose limited host metrics of a node to any guest in any namespace without being explicitly enabled by an administrator.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 2270471

Description Zack Miele 2024-04-03 12:42:08 UTC
An information disclosure flaw was discovered in OpenShift Virtualization. The DownwardMetrics feature was introduced to expose host metrics to virtual machine guests and is enabled by default. This could expose limited host metrics of a node to any guest in any namespace without being explicitly enabled by an administrator.

Comment 3 Dominik Holler 2024-04-03 14:38:12 UTC
@zmiele

Comment 4 Dominik Holler 2024-04-03 14:41:30 UTC
Can the bug already be closed, and will this update the state in https://access.redhat.com/security/cve/CVE-2024-31419 ?

Comment 5 Zack Miele 2024-04-03 15:27:31 UTC
Yes, I'll close this shortly.