Bug 2385773 (CVE-2025-8415)

Summary: CVE-2025-8415 cryostat: authentication bypass if Network Policies are disabled
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: aazores, cmah, eaguilar, ebaron, jolong, pjindal, security-response-team
Keywords: Security
Hardware: All
OS: Linux
Doc Text:
A vulnerability was found in the Cryostat HTTP API. Cryostat's HTTP API binds to all network interfaces, so its API port is reachable over the Pod network whenever Network Policies are disabled or not enforced by the cluster. Under those conditions an unauthenticated attacker inside the cluster can send requests directly to the API port, bypassing the openshift-oauth-proxy that is meant to enforce authentication and authorization.

Description OSIDB Bzimport 2025-07-31 13:46:06 UTC
A vulnerability was found in Cryostat HTTP API. Cryostat's HTTP API binds to all network interfaces, allowing possible external visibility to the API port. 


Cryostat's HTTP API binds to 0.0.0.0, potentially allowing external connections to the API port (8181). The Cryostat container is placed into a Pod with an openshift-oauth-proxy container, which is designed to hide the Cryostat HTTP API behind HTTPS and OpenShift OAuth authn/authz. The Cryostat API port is not exposed on any Service or Route, so it is not exposed externally to the cluster.

Cryostat release version 4.0.0 also creates Network Policy objects by default, which control network ingress to the Pod. This effectively prevents the exposed API port from being reached by unexpected clients. However, if the underlying cluster network stack does not support Network Policies, or if the user who installed Cryostat configured its Custom Resource to explicitly disable Network Policies, then this layer of protection is ineffective.

Under these conditions, it becomes possible for an attacker within the cluster to determine the internal Pod IP of the Cryostat container and send HTTP requests directly to its API port, bypassing the openshift-oauth-proxy completely, so no authn/authz is required.
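The description above turns on one question: does any NetworkPolicy still select the Cryostat Pod and keep arbitrary in-cluster clients off port 8181? The checker below is an added example written for this page, not code from the Cryostat project or from Red Hat. It evaluates the NetworkPolicy objects of a namespace (the `items` list from `kubectl get networkpolicy -n <ns> -o json`) against a pod's labels and reports how widely a port is reachable. The pod labels (`app: cryostat`), the proxy port 8443 and the three sample policies are constructed assumptions, not values taken from a real deployment. It applies the general NetworkPolicy isolation rules, so it works for any pod, not only Cryostat.

```python
"""Added check (not Cryostat project code): classify how widely a TCP port on a pod
is reachable under the NetworkPolicy objects of its namespace. Pass the "items" list
from `kubectl get networkpolicy -n <ns> -o json` (json.load(...)["items"]) and the
pod's labels. Label values and sample policies below are constructed for the example."""

CRYOSTAT_API_PORT = 8181  # the API port named in the advisory
# Assumed labels for the Cryostat pod; check the real ones with `kubectl get pod --show-labels`.
CRYOSTAT_POD_LABELS = {"app": "cryostat", "component": "cryostat"}


def selector_matches(selector, labels):
    """Kubernetes label selector semantics; an empty selector ({}) matches every pod."""
    for key, value in (selector.get("matchLabels") or {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions") or []:
        key, op, values = expr["key"], expr["operator"], expr.get("values") or []
        holds = {"In": labels.get(key) in values, "NotIn": labels.get(key) not in values,
                 "Exists": key in labels, "DoesNotExist": key not in labels}[op]
        if not holds:
            return False
    return True


def isolates_ingress(policy, pod_labels):
    """True if the policy selects the pod and covers the Ingress direction."""
    spec = policy.get("spec") or {}
    types = spec.get("policyTypes")
    if types is None:  # API default: Ingress always; Egress only if an egress section exists
        types = ["Ingress"] + (["Egress"] if "egress" in spec else [])
    return "Ingress" in types and selector_matches(spec.get("podSelector") or {}, pod_labels)


def rule_covers_port(rule, port, protocol="TCP"):
    """A rule without 'ports' applies to every port; otherwise match port/endPort."""
    ports = rule.get("ports")
    if not ports:
        return True
    for entry in ports:
        if entry.get("protocol", "TCP") != protocol:
            continue
        target = entry.get("port")
        if target is None or isinstance(target, str):
            return True  # protocol-only or named port: unresolvable here, so fail towards "exposed"
        if target <= port <= entry.get("endPort", target):
            return True
    return False


def peer_scope(peer):
    """Widest set of clients a single 'from' peer admits."""
    if "ipBlock" in peer:
        return "cluster" if peer["ipBlock"].get("cidr") in ("0.0.0.0/0", "::/0") else "restricted"
    ns_sel, any_pod = peer.get("namespaceSelector"), not peer.get("podSelector")
    if ns_sel == {} and any_pod:
        return "cluster"  # every pod in every namespace
    if ns_sel is None and any_pod:
        return "namespace"  # every pod in the policy's own namespace
    return "restricted"


def ingress_exposure(policies, pod_labels, port=CRYOSTAT_API_PORT):
    """Return "unisolated" when no policy selects the pod (any in-cluster client can connect,
    the condition this bug describes), else the widest scope any matching rule admits."""
    selecting = [p for p in policies if isolates_ingress(p, pod_labels)]
    if not selecting:
        return "unisolated"
    widest = "restricted"
    for policy in selecting:
        for rule in policy["spec"].get("ingress") or []:
            if not rule_covers_port(rule, port):
                continue
            froms = rule.get("from")  # missing or empty 'from' admits every source
            scopes = ["cluster"] if not froms else [peer_scope(p) for p in froms]
            widest = max([widest] + scopes, key=("restricted", "namespace", "cluster").index)
    return widest


# Constructed policies. The oauth-proxy sidecar reaches 8181 over the pod's own loopback,
# which NetworkPolicy does not govern, so a sound policy never needs to admit 8181 at all.
PROXY_PORT = 8443  # assumed listening port of the openshift-oauth-proxy container
RESTRICTIVE_POLICY = {
    "metadata": {"name": "cryostat-ingress"},
    "spec": {"podSelector": {"matchLabels": {"app": "cryostat"}}, "policyTypes": ["Ingress"],
             "ingress": [{"ports": [{"protocol": "TCP", "port": PROXY_PORT}]}]},
}
PERMISSIVE_POLICY = {  # selects the pod, but an empty rule admits every client on every port
    "metadata": {"name": "allow-all"},
    "spec": {"podSelector": {"matchLabels": {"app": "cryostat"}}, "ingress": [{}]},
}
SAME_NAMESPACE_POLICY = {  # podSelector {} without a namespaceSelector: any pod in this namespace
    "metadata": {"name": "namespace-peers"},
    "spec": {"podSelector": {}, "ingress": [{"from": [{"podSelector": {}}]}]},
}

if __name__ == "__main__":
    for name, items in [("no policies", []), ("restrictive", [RESTRICTIVE_POLICY]),
                        ("permissive", [PERMISSIVE_POLICY]), ("same-namespace", [SAME_NAMESPACE_POLICY])]:
        print(f"{name:15s} port {CRYOSTAT_API_PORT}: {ingress_exposure(items, CRYOSTAT_POD_LABELS)}")
```

An "unisolated" result for the Cryostat pod is exactly the situation the description calls out; "cluster" or "namespace" for port 8181 means a rule exists but still lets clients of that scope around the proxy. Two caveats the check cannot cover: it inspects objects only, so on a cluster whose network plugin does not enforce NetworkPolicy (the other condition named above) even "restricted" is meaningless, and the Custom Resource option that disables Network Policies is not named on this page, so it has to be reviewed separately.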

Comment 3 errata-xmlrpc 2025-09-03 02:15:23 UTC
This issue has been addressed in the following products:

  Cryostat 4 on RHEL 9

Via RHSA-2025:14919 https://access.redhat.com/errata/RHSA-2025:14919