Bug 2308661 (CVE-2024-45496)

Summary: CVE-2024-45496 openshift-controller-manager: Elevated Build Pods Can Lead to Node Compromise in OpenShift
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW
Severity: high
Priority: high
Version: unspecified
CC: adam.kaplan, asdas, bmontgom, chazlett, dfreiber, dpaolell, drow, eparis, gmalinko, jahealy, janstey, jburrell, jdelft, jupierce, lgarciaa, mbiarnes, npecka, nstielau, pdelbell, prodsec-dev, rpattath, rstepani, security-response-team, sidsharm, sponnaga, talessio, vkumar, vlaad, ximhan, yuxzhu, zmiele
Target Milestone: ---
Keywords: Security
Target Release: ---
Flags: adam.kaplan: needinfo? (prodsec-dev)
Hardware: All
OS: Linux
Doc Text:
A flaw was found in OpenShift. This issue occurs due to the misuse of elevated privileges in the OpenShift Container Platform's build process. During the build initialization step, the git-clone container is run with a privileged security context, allowing unrestricted access to the node. An attacker with developer-level access can provide a crafted .gitconfig file containing commands executed during the cloning process, leading to arbitrary command execution on the worker node. An attacker running code in a privileged container could escalate their permissions on the node running the container.
Story Points: ---
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Deadline: 2024-09-16

Description OSIDB Bzimport 2024-08-30 10:36:52 UTC
A flaw was found in the OpenShift Container Platform where the initialization container for builds (git-clone) runs with elevated privileges. This misconfiguration allows an attacker with developer access to create a malicious .gitconfig file that executes arbitrary commands on a privileged build pod. As a result, the attacker can compromise the worker node hosting the build pod, potentially gaining access to all the workloads running on that node. The impact is critical, as it allows for the compromise of the node's identity and other nodes, depending on cluster configuration.
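As an added defender-side check (not part of this bug report or of OpenShift's own code): a short Python audit that scans a pod listing for build pods whose git-clone, or any other, init container runs with `privileged: true`, so a cluster can be checked for exposure before and after the fix is applied. It assumes that OpenShift build pods carry the label `openshift.io/build.name` and that the listing has the shape of `kubectl get pods -A -o json`; the sample pods are constructed.

```python
import json

# Constructed sample in the shape of `kubectl get pods -A -o json`. The label key
# openshift.io/build.name (assumed to mark OpenShift build pods) and the init-container
# name git-clone come from the advisory; namespaces and pod names are made up.
SAMPLE_POD_LIST = json.loads("""
{"items": [
 {"metadata": {"namespace": "app-ci", "name": "frontend-7-build",
               "labels": {"openshift.io/build.name": "frontend-7"}},
  "spec": {"initContainers": [
    {"name": "git-clone", "securityContext": {"privileged": true}},
    {"name": "manage-dockerfile", "securityContext": {"privileged": false}}]}},
 {"metadata": {"namespace": "app-ci", "name": "frontend-8-build",
               "labels": {"openshift.io/build.name": "frontend-8"}},
  "spec": {"initContainers": [
    {"name": "git-clone", "securityContext": {"privileged": false}}]}},
 {"metadata": {"namespace": "infra", "name": "node-tuner-x1z",
               "labels": {"app": "tuner"}},
  "spec": {"initContainers": [
    {"name": "setup", "securityContext": {"privileged": true}}]}}
]}
""")

def privileged_init_containers(pod):
    """Names of the pod's init containers that request privileged=true."""
    names = []
    for container in pod.get("spec", {}).get("initContainers") or []:
        security_context = container.get("securityContext") or {}
        if security_context.get("privileged") is True:
            names.append(container["name"])
    return names

def is_build_pod(pod):
    """Build pods are identified by the openshift.io/build.name label (assumption)."""
    return "openshift.io/build.name" in (pod.get("metadata", {}).get("labels") or {})

def find_exposed_build_pods(pod_list):
    """(namespace, pod, [privileged init containers]) for build pods only."""
    findings = []
    for pod in pod_list.get("items", []):
        if is_build_pod(pod):
            privileged = privileged_init_containers(pod)
            if privileged:
                findings.append((pod["metadata"]["namespace"], pod["metadata"]["name"], privileged))
    return findings

if __name__ == "__main__":
    for namespace, name, containers in find_exposed_build_pods(SAMPLE_POD_LIST):
        print(f"{namespace}/{name}: privileged init containers {containers}")
```

Privileged init containers in non-build pods are reported separately by `privileged_init_containers` but are outside the scope of this CVE, so `find_exposed_build_pods` skips them.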

Comment 2 errata-xmlrpc 2024-09-19 00:12:39 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2024:6691 https://access.redhat.com/errata/RHSA-2024:6691

Comment 3 errata-xmlrpc 2024-09-19 05:30:46 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:6689 https://access.redhat.com/errata/RHSA-2024:6689

Comment 4 errata-xmlrpc 2024-09-19 05:38:58 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2024:6687 https://access.redhat.com/errata/RHSA-2024:6687

Comment 5 errata-xmlrpc 2024-09-19 09:30:49 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:6685 https://access.redhat.com/errata/RHSA-2024:6685

Comment 6 errata-xmlrpc 2024-09-19 13:25:45 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2024:6705 https://access.redhat.com/errata/RHSA-2024:6705