It is reported that as a result of cluster-reader having view access on all builds in all projects, the cluster reader is able to escalate to also create builds in all projects since they have access to the secret key for the webhook. A project viewer has the same ability to escalate but is obviously scoped to the single project. The main problem is that we have confidential information (webhook tokens) that lives in a non-confidential resource.
Acknowledgments: Jessica Forrester (Red Hat)
This was fixed in the release of OpenShift 3.9 via RHBA-2018:0489.
Are 3.2 and 3.7 affected as well?
This issue also affects all OCP 3.x versions prior to 3.9. If you don't make use of the cluster-reader or project viewer roles, this issue
Mitigation: Don't use webhook tokens to trigger builds. Alternatively, don't rely on the project viewer or cluster-reader permissions to prevent those users from running builds.
Statement: The OpenShift Enterprise cluster-reader role can access webhook tokens [1], which would allow an attacker with cluster-reader permissions [2] or project viewer permissions [3] to view confidential webhook tokens.
[1] https://docs.openshift.com/container-platform/3.7/dev_guide/builds/triggering_builds.html#webhook-triggers
[2] https://docs.openshift.com/container-platform/3.7/admin_guide/manage_rbac.html
[3] https://docs.openshift.com/container-platform/3.7/admin_solutions/user_role_mgmt.html#adding-a-role-to-a-user
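As an added audit example (not from the advisory or from OpenShift itself), the following Python script reads the JSON that `oc get buildconfigs --all-namespaces -o json` produces and flags every webhook trigger whose token is stored inline in the BuildConfig, which is the condition the statement above describes. The sample input is constructed, and the `secretReference` form (a trigger that points at a Secret instead of embedding the token) is assumed from the BuildConfig API rather than taken from this page.

```python
import json

# Constructed sample in the shape of `oc get buildconfigs --all-namespaces -o json`
# (made up for this example; not taken from any real cluster).
SAMPLE_BC_LIST = json.dumps({
    "kind": "List",
    "items": [
        {
            "kind": "BuildConfig",
            "metadata": {"namespace": "team-a", "name": "frontend"},
            "spec": {"triggers": [
                # Token embedded in the BuildConfig: readable by anyone who can
                # `get` the resource, i.e. project viewers and cluster-reader.
                {"type": "GitHub", "github": {"secret": "inline-token-constructed"}},
                {"type": "ConfigChange"},
            ]},
        },
        {
            "kind": "BuildConfig",
            "metadata": {"namespace": "team-b", "name": "api"},
            "spec": {"triggers": [
                # Token kept in a Secret (assumed API shape); only the reference is visible.
                {"type": "Generic", "generic": {"secretReference": {"name": "api-webhook"}}},
            ]},
        },
    ],
})

# Trigger keys that carry a webhook token. GitHub and Generic are the ones the
# advisory's references cover; GitLab and Bitbucket are assumed additional kinds.
WEBHOOK_TRIGGER_KEYS = ("github", "generic", "gitlab", "bitbucket")


def find_inline_webhook_secrets(bc_list_json):
    """Return (namespace, name, trigger kind) for each webhook trigger whose
    token lives inline in the BuildConfig rather than in a referenced Secret."""
    findings = []
    for bc in json.loads(bc_list_json).get("items", []):
        meta = bc.get("metadata", {})
        for trig in bc.get("spec", {}).get("triggers", []):
            for key in WEBHOOK_TRIGGER_KEYS:
                hook = trig.get(key)
                if hook and "secret" in hook:
                    findings.append((meta.get("namespace"), meta.get("name"), key))
    return findings


if __name__ == "__main__":
    for ns, name, kind in find_inline_webhook_secrets(SAMPLE_BC_LIST):
        print(f"{ns}/{name}: {kind} webhook token stored inline in BuildConfig")
```

Any BuildConfig the script reports exposes its webhook token to every user who can view builds in that project, so those triggers are the ones to remove or move into a Secret.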