Bugzilla (bugzilla.redhat.com) will be under maintenance for infrastructure upgrades and will not be available on July 31st between 12:30 AM - 05:30 AM UTC. We appreciate your understanding and patience. You can follow status.redhat.com for details.
Bug 1886635 (CVE-2020-8563) - CVE-2020-8563 kubernetes: Secret leaks in kube-controller-manager when using vSphere Provider
Summary: CVE-2020-8563 kubernetes: Secret leaks in kube-controller-manager when using ...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-8563
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1887278 1887279 1896318
Blocks: 1883756
TreeView+ depends on / blocked
 
Reported: 2020-10-09 01:37 UTC by Sam Fowler
Modified: 2021-06-15 13:50 UTC (History)
18 users (show)

Fixed In Version: kubernetes 1.19.3
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in kubernetes. Clusters running on VSphere, using VSphere as a cloud provider a with logging level set to 4 or above, VSphere cloud credentials will be leaked in the cloud controller manager's log.
Clone Of:
Environment:
Last Closed: 2020-12-14 18:47:11 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:5260 0 None None None 2020-12-14 13:10:02 UTC
Red Hat Product Errata RHSA-2020:5633 0 None None None 2021-02-24 15:10:16 UTC

Description Sam Fowler 2020-10-09 01:37:10 UTC
In Kubernetes clusters running on VSphere, using VSphere as a cloud provider a with logging level set to 4 or above, VSphere cloud credentials will be leaked in the cloud controller manager's log.


Upstream Fix:

https://github.com/kubernetes/kubernetes/pull/95236

Comment 2 Sam Fowler 2020-10-09 01:55:30 UTC
Acknowledgments:

Name: the Kubernetes Product Security Committee
Upstream: Kaizhe Huang (derek0405)

Comment 6 Sam Fowler 2020-10-13 02:27:24 UTC
Statement:

OpenShift Container Platform (OCP) versions before 4.6 are not affected by this vulnerability as they are based on Kubernetes versions before 1.19. Only Kubernetes versions 1.19.0 through 1.19.2 are affected by this vulnerability.

Comment 7 Sam Fowler 2020-10-13 02:27:26 UTC
Mitigation:

Ensure that the logging level is below 4. Additionally, protect unauthorized access to cluster logs.

For OCP, the logging level for core components can be configured using operators, e.g. for kube-controller-manager:
https://docs.openshift.com/container-platform/latest/rest_api/operator_apis/kubecontrollermanager-operator-openshift-io-v1.html#specification

In OCP, a logging level of "Debug" is equivalent to 4: 
https://github.com/openshift/api/blob/master/operator/v1/types.go#L96

The default logging level is "Normal", which is equivalent to 2. Clusters running with the default level are not vulnerable to this issue.

Comment 10 errata-xmlrpc 2020-12-14 13:10:02 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.6

Via RHSA-2020:5260 https://access.redhat.com/errata/RHSA-2020:5260

Comment 11 Product Security DevOps Team 2020-12-14 18:47:11 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-8563

Comment 12 errata-xmlrpc 2021-02-24 15:10:12 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.7

Via RHSA-2020:5633 https://access.redhat.com/errata/RHSA-2020:5633


Note You need to log in before you can comment on or make changes to this bug.