Bug 1839942 (CVE-2020-10752) - CVE-2020-10752 openshift/openshift-apiserver: oauthtokens leaked to logs on panic
Keywords:
Status: NEW
Alias: CVE-2020-10752
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 1846657 1846658 1846659 1846660 1846661 1846662 1839944 1839945
Blocks: 1838942
Reported: 2020-05-26 05:21 UTC by Jason Shepherd
Modified: 2024-06-01 22:09 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Jason Shepherd 2020-05-26 05:21:25 UTC
The OpenShift API Server failed to sufficiently protect OAuthTokens by leaking them in the logs when an API Server panic occurred. An attacker with the ability to cause an API Server panic and read the logs could use the leaked OAuthToken to log into the API Server.

Comment 7 Jason Shepherd 2020-06-10 03:15:43 UTC
The immediate problem is this line of code [1]; however, the fix is non-trivial and requires a reworking of oauthtokens in OpenShift [2].

[1] https://github.com/openshift/origin/blob/master/vendor/k8s.io/kubernetes/staging/src/k8s.io/apiserver/pkg/server/filters/wrap.go#L39
[2] https://github.com/openshift/enhancements/pull/323
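An added illustration of the defensive pattern behind this bug (example code, not OpenShift's or Kubernetes' own): a panic-recovery wrapper that redacts the bearer token in the Authorization header and any token-carrying query parameters before the request is written to the log. The query parameter names, the `[REDACTED]` marker and the sample request are assumptions for this example; as the comment above notes, the real fix was a rework of oauthtokens rather than a patch to the log line.

```go
package main

import (
	"fmt"
	"log"
	"net/http"
	"regexp"
	"strings"
)

// bearerRe matches an OAuth bearer token in an Authorization header value.
var bearerRe = regexp.MustCompile(`(?i)^bearer\s+\S+`)

// sensitiveQueryKeys lists query parameters assumed to carry a token
// (assumption for this example; adjust to the deployment's own names).
var sensitiveQueryKeys = map[string]bool{"access_token": true, "token": true}

// redactedRequest returns "METHOD /path?query auth=..." with any token
// material replaced by "[REDACTED]" so the string is safe to log.
func redactedRequest(req *http.Request) string {
	u := *req.URL // copy; never mutate the live request
	q := u.Query()
	for k := range q {
		if sensitiveQueryKeys[strings.ToLower(k)] {
			q.Set(k, "[REDACTED]")
		}
	}
	u.RawQuery = q.Encode()
	auth := req.Header.Get("Authorization")
	if bearerRe.MatchString(auth) {
		auth = "Bearer [REDACTED]"
	}
	return fmt.Sprintf("%s %s auth=%q", req.Method, u.RequestURI(), auth)
}

// WithPanicRecovery wraps handler so that a panic produces a 500 response
// and a log line that carries no credential from the request. The panic
// value itself is still logged, so handlers must not embed secrets in it.
func WithPanicRecovery(handler http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
		defer func() {
			if r := recover(); r != nil {
				log.Printf("apiserver panic'd on %s: %v", redactedRequest(req), r)
				http.Error(w, "internal error", http.StatusInternalServerError)
			}
		}()
		handler.ServeHTTP(w, req)
	})
}
```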

Comment 8 Jason Shepherd 2020-06-10 03:41:03 UTC
Statement:

OAuthTokens are only valid for 1 day by default.

Comment 9 Jason Shepherd 2020-06-10 03:41:05 UTC
Mitigation:

Ensure the OpenShift API Server logs are kept private
