Bug 2308673 (CVE-2024-45497)

Summary: CVE-2024-45497 openshift-api: openshift-controller-manager/build: Build Process in OpenShift Allows Overwriting of Node Pull Credentials
Product: [Other] Security Response
Component: vulnerability
Reporter: OSIDB Bzimport <bzimport>
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
Hardware: All
OS: Linux
Keywords: Security
CC: asdas, bmontgom, chazlett, dfreiber, dpaolell, drow, eparis, gmalinko, jahealy, janstey, jburrell, jdelft, jupierce, lgarciaa, mbiarnes, npecka, nstielau, pdelbell, rstepani, security-response-team, sidsharm, sponnaga, talessio, vkumar, vlaad, ximhan, yuxzhu
Doc Text:
A flaw was found in the OpenShift build process, where the docker-build container is configured with a hostPath volume mount that maps the node's /var/lib/kubelet/config.json file into the build pod. This file contains sensitive credentials necessary for pulling images from private repositories. The mount is not read-only, which allows the attacker to overwrite it. By modifying the config.json file, the attacker can cause a denial of service by preventing the node from pulling new images and potentially exfiltrating sensitive secrets. This flaw impacts the availability of services dependent on image pulls and exposes sensitive information to unauthorized parties.
Deadline: 2024-12-15

Description OSIDB Bzimport 2024-08-30 11:47:23 UTC
A vulnerability in the OpenShift Container Platform allows an attacker with developer access to modify the config.json file on a worker node. By exploiting the build process and using a misconfigured pod that mounts /var/lib/kubelet/config.json without read-only restrictions, the attacker can overwrite the credentials file required for pulling container images. This leads to a denial of service, preventing the node from fetching images and potentially leaking sensitive credentials used to access private image repositories.
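The misconfiguration described above is detectable from the pod spec alone: a hostPath volume covering /var/lib/kubelet/config.json whose volumeMount lacks readOnly: true. The audit below is an added example written for this report, not OpenShift's or the bug report's own code; the volume name and mountPath in the constructed sample spec are assumptions, and the hardened variant shows the same mount with readOnly set.

```python
"""Audit pod specs for writable hostPath mounts exposing the kubelet pull
credentials file (added example, not OpenShift or bug-report code)."""
import copy
from pathlib import PurePosixPath

# Path named in the report; mounting any parent directory exposes it too.
KUBELET_CONFIG = PurePosixPath("/var/lib/kubelet/config.json")


def covers_kubelet_config(host_path: str) -> bool:
    """True if host_path is config.json itself or a directory containing it."""
    p = PurePosixPath(host_path)
    return p == KUBELET_CONFIG or p in KUBELET_CONFIG.parents


def writable_kubelet_mounts(pod_spec: dict) -> list:
    """Return (container, volume, hostPath, mountPath) for each hostPath mount of
    the kubelet credentials that lacks readOnly: true on the volumeMount."""
    host_paths = {v["name"]: v["hostPath"]["path"]
                  for v in pod_spec.get("volumes", []) if "hostPath" in v}
    findings = []
    for c in pod_spec.get("containers", []) + pod_spec.get("initContainers", []):
        for m in c.get("volumeMounts", []):
            hp = host_paths.get(m["name"])
            # readOnly lives on the volumeMount; hostPath itself has no such flag.
            if hp and covers_kubelet_config(hp) and not m.get("readOnly", False):
                findings.append((c["name"], m["name"], hp, m["mountPath"]))
    return findings


# Constructed sample shaped like the build pod the report describes
# (volume name and mountPath are assumptions, not OpenShift's real values).
VULNERABLE_SPEC = {
    "volumes": [{"name": "node-pullsecrets",
                 "hostPath": {"path": "/var/lib/kubelet/config.json"}}],
    "containers": [{"name": "docker-build", "volumeMounts": [
        {"name": "node-pullsecrets", "mountPath": "/var/lib/kubelet/config.json"}]}],
}

# The fix the report implies: the same mount with readOnly: true.
HARDENED_SPEC = copy.deepcopy(VULNERABLE_SPEC)
HARDENED_SPEC["containers"][0]["volumeMounts"][0]["readOnly"] = True

if __name__ == "__main__":
    for label, spec in (("vulnerable", VULNERABLE_SPEC), ("hardened", HARDENED_SPEC)):
        print(label, writable_kubelet_mounts(spec) or "no writable kubelet mounts")
```

Run against `kubectl get pod -o json` output (the `.spec` object) to sweep live build pods; a parent-directory mount such as /var/lib/kubelet is flagged as well, since it contains the same file.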

Comment 1 errata-xmlrpc 2025-06-26 00:18:58 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.18

Via RHSA-2025:9269 https://access.redhat.com/errata/RHSA-2025:9269

Comment 2 errata-xmlrpc 2025-07-02 03:53:02 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2025:9765 https://access.redhat.com/errata/RHSA-2025:9765

Comment 3 errata-xmlrpc 2025-07-02 17:25:36 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2025:9759 https://access.redhat.com/errata/RHSA-2025:9759

Comment 4 errata-xmlrpc 2025-07-09 04:04:21 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.17

Via RHSA-2025:10294 https://access.redhat.com/errata/RHSA-2025:10294

Comment 5 errata-xmlrpc 2025-07-10 01:34:23 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2025:10270 https://access.redhat.com/errata/RHSA-2025:10270

Comment 6 errata-xmlrpc 2025-07-17 02:10:36 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2025:10747 https://access.redhat.com/errata/RHSA-2025:10747