Bug 2351350 (CVE-2025-2241)

Summary: CVE-2025-2241 hive: Exposure of VCenter Credentials via ClusterProvision in Hive / MCE / ACM
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: alcohan, gparvin, njean, owatkins, pahickey, rhaigner, security-response-team
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: ---
Doc Text:
A flaw was found in Hive, a component of Multicluster Engine (MCE) and Advanced Cluster Management (ACM). This vulnerability causes vCenter credentials to be exposed in the ClusterProvision object after provisioning a vSphere cluster. Users with read access to ClusterProvision objects can extract sensitive credentials even if they do not have direct access to Kubernetes Secrets. This issue can lead to unauthorized vCenter access, cluster management, and privilege escalation.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2025-03-11 12:50:30 UTC
Using hive (including via MCE or ACM) to provision a vSphere cluster requires supplying vCenter credentials via a Secret in the same namespace as the ClusterDeployment that declares the desired configuration of the cluster. These credentials are echoed back once the cluster is provisioned via the ClusterProvision object that hive creates in the same namespace. It is likely that customers don't realize this, and may have RBAC allowing ClusterProvision read access to users who would otherwise not be trusted with vCenter credentials.
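The exposure described above is an RBAC problem as much as a Hive one: any subject who can read ClusterProvision objects in the ClusterDeployment's namespace effectively holds the vCenter credentials, even without Secret access. The following added example (written for this page, not code from Red Hat or the Hive project) evaluates a set of Role, ClusterRole and RoleBinding objects and reports subjects that can read ClusterProvisions but cannot read Secrets in the same namespace, which is the population that the report says customers tend to overlook. The RBAC objects are constructed inline; the API group `hive.openshift.io` and the plural resource name `clusterprovisions` are assumed from the Hive API and are not stated in the bug report.

```python
"""Find subjects who can read ClusterProvisions but not Secrets in a namespace.

Constructed example for this bug report, not Hive or Red Hat code. The API group
and resource name below are assumptions based on the Hive CRDs.
"""
from typing import Dict, List, Optional, Set

HIVE_GROUP = "hive.openshift.io"      # assumed Hive API group
CP_RESOURCE = "clusterprovisions"     # assumed plural resource name
READ_VERBS = {"get", "list", "watch"}

# Constructed RBAC objects for the namespace that holds the ClusterDeployment.
ROLES: List[Dict] = [
    {"kind": "Role", "name": "cluster-viewer", "namespace": "team-a",
     "rules": [{"apiGroups": [HIVE_GROUP],
                "resources": ["clusterdeployments", CP_RESOURCE],
                "verbs": ["get", "list", "watch"]}]},
    {"kind": "ClusterRole", "name": "hive-admin",
     "rules": [{"apiGroups": [HIVE_GROUP], "resources": ["*"], "verbs": ["*"]},
               {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
    {"kind": "ClusterRole", "name": "pod-reader",
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
]
BINDINGS: List[Dict] = [
    {"kind": "RoleBinding", "namespace": "team-a",
     "roleRef": {"kind": "Role", "name": "cluster-viewer"},
     "subjects": [{"kind": "User", "name": "alice"},
                  {"kind": "Group", "name": "developers"}]},
    {"kind": "RoleBinding", "namespace": "team-a",
     "roleRef": {"kind": "ClusterRole", "name": "hive-admin"},
     "subjects": [{"kind": "User", "name": "hive-operator"}]},
    {"kind": "RoleBinding", "namespace": "team-a",
     "roleRef": {"kind": "ClusterRole", "name": "pod-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci-bot", "namespace": "team-a"}]},
]


def _matches(items: List[str], wanted: str) -> bool:
    """RBAC list semantics: a literal match or the '*' wildcard."""
    return "*" in items or wanted in items


def rule_allows(rule: Dict, group: str, resource: str, verb: str) -> bool:
    """True if a single PolicyRule grants `verb` on `group`/`resource`."""
    return (_matches(rule.get("apiGroups", []), group)
            and _matches(rule.get("resources", []), resource)
            and _matches(rule.get("verbs", []), verb))


def _lookup_role(roles: List[Dict], ref: Dict, namespace: str) -> Optional[Dict]:
    """Resolve a roleRef; namespaced Roles must live in the binding's namespace."""
    for role in roles:
        if role["kind"] != ref["kind"] or role["name"] != ref["name"]:
            continue
        if role["kind"] == "Role" and role.get("namespace") != namespace:
            continue
        return role
    return None


def subjects_with_access(roles: List[Dict], bindings: List[Dict], namespace: str,
                         group: str, resource: str, verbs: Set[str]) -> Set[str]:
    """Return 'Kind/name' labels of subjects granted any of `verbs` in `namespace`."""
    found: Set[str] = set()
    for binding in bindings:
        # RoleBindings are scoped to one namespace; ClusterRoleBindings apply everywhere.
        if binding["kind"] == "RoleBinding" and binding.get("namespace") != namespace:
            continue
        role = _lookup_role(roles, binding["roleRef"], namespace)
        if role is None:
            continue
        if not any(rule_allows(rule, group, resource, verb)
                   for rule in role["rules"] for verb in verbs):
            continue
        for subject in binding["subjects"]:
            found.add(f'{subject["kind"]}/{subject["name"]}')
    return found


def find_overexposed(roles: List[Dict], bindings: List[Dict], namespace: str) -> List[str]:
    """Subjects who can read ClusterProvisions yet cannot read Secrets in the namespace."""
    cp_readers = subjects_with_access(roles, bindings, namespace, HIVE_GROUP, CP_RESOURCE, READ_VERBS)
    secret_readers = subjects_with_access(roles, bindings, namespace, "", "secrets", READ_VERBS)
    return sorted(cp_readers - secret_readers)


if __name__ == "__main__":
    for label in find_overexposed(ROLES, BINDINGS, "team-a"):
        print(f"{label} can read ClusterProvisions in team-a without Secret access")
```

Run against live cluster data by replacing the constructed lists with the output of `kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A -o json`. Subjects the script reports should have their ClusterProvision read access reviewed, since until the fix is applied that access is equivalent to holding the vCenter credentials.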