Bug 2278035 (CVE-2024-4369)
| Summary: | CVE-2024-4369 cluster-image-registry-operator: Exposes a secret via env variable in pod definition on Azure | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Zack Miele <zmiele> |
| Component: | vulnerability | Assignee: | Product Security <prodsec-ir-bot> |
| Status: | NEW --- | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | dfreiber, drow, jburrell, sidakwo, vkumar |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | --- | |
| Doc Text: |
An information disclosure flaw was found in OpenShift's internal image registry operator. The AZURE_CLIENT_SECRET can be exposed through an environment variable defined in the pod definition, but is limited to Azure environments. An attacker controlling an account that has high enough permissions to obtain pod information from the openshift-image-registry namespace could use this obtained client secret to perform actions as the registry operator's Azure service account.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 2278036 | ||
|
Description
Zack Miele
2024-04-30 20:55:10 UTC
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.15 Via RHSA-2024:3889 https://access.redhat.com/errata/RHSA-2024:3889 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.14 Via RHSA-2024:3881 https://access.redhat.com/errata/RHSA-2024:3881 |