Bug 1906267 (CVE-2020-27836) - CVE-2020-27836 cluster-ingress-operator: changes to loadBalancerSourceRanges overwritten by operator
Summary: CVE-2020-27836 cluster-ingress-operator: changes to loadBalancerSourceRanges ...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-27836
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1905490 1906560
Blocks: 1905803 1939568
 
Reported: 2020-12-10 05:06 UTC by Jason Shepherd
Modified: 2023-02-01 23:16 UTC (History)
CC: 8 users

Fixed In Version: ose-cluster-ingress-operator-container-v4.6.0-202012161211.p0
Doc Type: ---
Doc Text:
A flaw was found in cluster-ingress-operator. A change to how the router-default service allows only certain IP source ranges could allow an attacker to access resources that would otherwise be restricted to specified IP ranges. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Clone Of:
Environment:
Last Closed: 2020-12-21 13:31:04 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:5614 0 None None None 2020-12-21 13:23:54 UTC

Description Jason Shepherd 2020-12-10 05:06:31 UTC
Until the 4.6.6 version of OpenShift Container Platform, changes to the router-default service to allow only certain IP source ranges were possible by directly editing the service object [1]. Since 4.6.6, changes to the loadBalancerSourceRanges field are overwritten to the default of all IP ranges. If a cluster is affected by this issue, an attacker can use the flaw to access resources which should be restricted to the specified IP ranges.

[1] https://access.redhat.com/solutions/5158751

Comment 4 Jason Shepherd 2020-12-10 05:12:24 UTC
Upstream commit:

https://github.com/openshift/cluster-ingress-operator/pull/507

Comment 5 Jason Shepherd 2020-12-14 22:59:35 UTC
Mitigation:

Move the allowed IP source ranges from the loadBalancerSourceRanges setting to the "service.beta.kubernetes.io/load-balancer-source-ranges" annotation. For example:

oc -n openshift-ingress annotate svc/router-default service.beta.kubernetes.io/load-balancer-source-ranges=10.0.0.0/8,192.168.0.0/16

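As an added example (not the bug reporter's or the cluster-ingress-operator project's own code), a small Python check that puts the mitigation above into practice offline: it works out which ranges the cloud load balancer will actually enforce (Kubernetes uses spec.loadBalancerSourceRanges when it is non-empty and falls back to the annotation otherwise), flags a router-default service whose allowlist has been reconciled away, validates the CIDRs, and emits the `oc annotate` command from this comment. The service object and the intended ranges are constructed samples; `--overwrite` is a standard `oc annotate` flag that the comment's one-liner does not show.

```python
"""Added example: detect a router-default service that has lost its source-range
allowlist and build the annotation-based mitigation. Not code from the bug or
from cluster-ingress-operator; the service below is a constructed sample."""
import copy
import ipaddress
import shlex

# Annotation from the mitigation. Cloud providers consult it only when
# spec.loadBalancerSourceRanges is empty, which is exactly the state the
# operator leaves the service in on an affected cluster.
ANNOTATION = "service.beta.kubernetes.io/load-balancer-source-ranges"

# Constructed sample resembling `oc -n openshift-ingress get svc router-default -o json`
# on an affected cluster: the admin's ranges on spec.loadBalancerSourceRanges have
# been reconciled away and no annotation is set, so the LB admits 0.0.0.0/0.
SAMPLE_SERVICE = {
    "apiVersion": "v1",
    "kind": "Service",
    "metadata": {"name": "router-default", "namespace": "openshift-ingress",
                 "annotations": {}},
    "spec": {"type": "LoadBalancer", "loadBalancerSourceRanges": [],
             "ports": [{"name": "http", "port": 80}, {"name": "https", "port": 443}]},
}


def normalize_ranges(ranges):
    """Validate every entry as a CIDR with no host bits set (strict=True raises
    ValueError on e.g. 10.0.0.1/8) and return a sorted, de-duplicated list."""
    return sorted({str(ipaddress.ip_network(r.strip(), strict=True))
                   for r in ranges if r.strip()})


def effective_ranges(service):
    """Ranges the load balancer will actually enforce: the spec field when
    non-empty, otherwise the annotation, otherwise nothing (all sources allowed)."""
    spec_ranges = service.get("spec", {}).get("loadBalancerSourceRanges") or []
    if spec_ranges:
        return normalize_ranges(spec_ranges)
    annotation = service.get("metadata", {}).get("annotations", {}).get(ANNOTATION, "")
    return normalize_ranges(annotation.split(",")) if annotation else []


def is_exposed(service, expected):
    """True when the service enforces less than the intended allowlist: no ranges
    at all (open to the world) or a range outside what the admin intended."""
    have = set(effective_ranges(service))
    want = set(normalize_ranges(expected))
    return not have or not have <= want


def mitigation_command(expected, namespace="openshift-ingress", name="router-default"):
    """The `oc annotate` invocation from the mitigation, built from validated CIDRs.
    --overwrite makes it safe to re-run if the annotation already exists."""
    value = ",".join(normalize_ranges(expected))
    return "oc -n {} annotate --overwrite svc/{} {}={}".format(
        shlex.quote(namespace), shlex.quote(name), ANNOTATION, shlex.quote(value))


def apply_mitigation(service, expected):
    """Return a copy of the service as it would look after the annotate command."""
    patched = copy.deepcopy(service)
    annotations = patched.setdefault("metadata", {}).setdefault("annotations", {})
    annotations[ANNOTATION] = ",".join(normalize_ranges(expected))
    return patched


if __name__ == "__main__":
    intended = ["10.0.0.0/8", "192.168.0.0/16"]  # constructed allowlist
    print("effective ranges before:", effective_ranges(SAMPLE_SERVICE) or "ALL (0.0.0.0/0)")
    if is_exposed(SAMPLE_SERVICE, intended):
        print("router-default is exposed; run:\n  " + mitigation_command(intended))
    fixed = apply_mitigation(SAMPLE_SERVICE, intended)
    print("effective ranges after:", effective_ranges(fixed))
```

Against a live cluster, feed the output of `oc -n openshift-ingress get svc router-default -o json` through `json.loads` into `is_exposed` instead of the constructed sample. Note that the check treats an empty effective list as exposed: a LoadBalancer service with neither the spec field nor the annotation set is open to all sources, which is the state this bug leaves the service in.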
Comment 6 errata-xmlrpc 2020-12-21 13:23:52 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.6

Via RHSA-2020:5614 https://access.redhat.com/errata/RHSA-2020:5614

Comment 7 Product Security DevOps Team 2020-12-21 13:31:04 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-27836

