In Kubernetes, if the logging level is set to at least 4 and Ceph RBD is configured as a storage provisioner, Ceph RBD admin secrets can be written to logs. This occurs in the kube-controller-manager's logs during provisioning of Ceph RBD persistent volume claims. Upstream fix: https://github.com/kubernetes/kubernetes/pull/95245
Acknowledgments: Name: the Kubernetes Product Security Committee. Upstream: Kaizhe Huang (derek0405)
Statement: OpenShift Container Platform 4 does not support Ceph RBD persistent volumes; however, the vulnerable code is included.
Mitigation: OCP clusters not using Ceph RBD volumes are not vulnerable to this issue. For clusters using Ceph RBD volumes, this can be mitigated by ensuring the logging level is below 4 and by protecting cluster logs from unauthorized access. In OCP, the logging level for core components can be configured through operators, e.g. for kube-controller-manager: https://docs.openshift.com/container-platform/latest/rest_api/operator_apis/kubecontrollermanager-operator-openshift-io-v1.html#specification. In OCP, a logging level of "Debug" is equivalent to 4: https://github.com/openshift/api/blob/master/operator/v1/types.go#L96. The default logging level is "Normal", which is equivalent to 2. Clusters running with the default level are not vulnerable to this issue.
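As an added example (not part of the advisory, and not Red Hat or OpenShift tooling), a small Python audit that applies the two mitigation conditions above to constructed KubeControllerManager and StorageClass objects. It assumes the operator's spec.logLevel field and the in-tree provisioner name kubernetes.io/rbd with its adminSecretName/adminSecretNamespace parameters; the Trace and TraceAll verbosity values come from openshift/api rather than from this page.

```python
# Audit constructed cluster state for the CVE-2020-8566 exposure conditions:
# kube-controller-manager verbosity >= 4 AND a StorageClass using the in-tree
# Ceph RBD provisioner. Example code, not part of the advisory.

# spec.logLevel -> klog verbosity. Normal=2 and Debug=4 are stated in the advisory;
# Trace=6 and TraceAll=8 are the remaining values in openshift/api operator/v1.
LOG_LEVEL_VERBOSITY = {"Normal": 2, "Debug": 4, "Trace": 6, "TraceAll": 8}
LEAK_THRESHOLD = 4                     # verbosity at which the admin secret is logged
RBD_PROVISIONER = "kubernetes.io/rbd"  # in-tree Ceph RBD provisioner name

def kcm_verbosity(kcm: dict) -> int:
    """Effective verbosity of a KubeControllerManager resource; an unset or
    empty spec.logLevel means the operator default, Normal."""
    level = kcm.get("spec", {}).get("logLevel") or "Normal"
    if level not in LOG_LEVEL_VERBOSITY:
        raise ValueError(f"unknown logLevel {level!r}")
    return LOG_LEVEL_VERBOSITY[level]

def rbd_admin_secrets(sc_list: dict) -> dict:
    """Map each Ceph RBD StorageClass to the admin secret (namespace/name) its
    adminSecretName/adminSecretNamespace parameters reference: the secret that
    would appear in the logs, and the one to rotate if logs were exposed."""
    result = {}
    for sc in sc_list.get("items", []):
        if sc.get("provisioner") != RBD_PROVISIONER:
            continue
        params = sc.get("parameters", {})
        ns = params.get("adminSecretNamespace", "default")
        result[sc["metadata"]["name"]] = f"{ns}/{params.get('adminSecretName', '')}"
    return result

def assess(kcm: dict, sc_list: dict) -> dict:
    """'exposed' is True only when both conditions hold at the same time."""
    verbosity = kcm_verbosity(kcm)
    secrets = rbd_admin_secrets(sc_list)
    return {"verbosity": verbosity, "rbd_admin_secrets": secrets,
            "exposed": verbosity >= LEAK_THRESHOLD and bool(secrets)}

# Constructed sample resources, shaped like `oc get ... -o json` output.
SAMPLE_KCM = {"apiVersion": "operator.openshift.io/v1", "kind": "KubeControllerManager",
              "metadata": {"name": "cluster"}, "spec": {"logLevel": "Debug"}}
SAMPLE_SCS = {"kind": "StorageClassList", "items": [
    {"metadata": {"name": "ceph-rbd"}, "provisioner": RBD_PROVISIONER,
     "parameters": {"adminId": "admin", "adminSecretName": "ceph-admin-secret",
                    "adminSecretNamespace": "kube-system"}},
    {"metadata": {"name": "gp2"}, "provisioner": "kubernetes.io/aws-ebs"}]}

if __name__ == "__main__":
    print(assess(SAMPLE_KCM, SAMPLE_SCS))  # exposed: True (Debug + ceph-rbd class)
```

Feeding the real `oc get kubecontrollermanager cluster -o json` and `oc get storageclass -o json` output into assess() gives the same verdict for a live cluster.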
External References: https://groups.google.com/g/kubernetes-announce/c/ScdmyORnPDk https://github.com/kubernetes/kubernetes/issues/95624
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.6 Via RHSA-2021:0037 https://access.redhat.com/errata/RHSA-2021:0037
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-8566
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.7 Via RHSA-2020:5634 https://access.redhat.com/errata/RHSA-2020:5634