Bug 1947361 (CVE-2021-3495) - CVE-2021-3495 kiali/kiali-operator: can deploy specified image to any namespace
Summary: CVE-2021-3495 kiali/kiali-operator: can deploy specified image to any namespace
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-3495
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1947362 1948689
TreeView+ depends on / blocked
 
Reported: 2021-04-08 09:56 UTC by Marian Rehak
Modified: 2021-05-12 04:51 UTC (History)
4 users (show)

Fixed In Version: kiali/kiali-operator 1.33.0, kiali/kiali-operator 1.24.7
Doc Type: If docs needed, set a value
Doc Text:
An incorrect access control flaw was found in the kiali-operator. This flaw allows an attacker with a basic level of access to the cluster (to deploy a kiali operand) to use this vulnerability and deploy a given image to anywhere in the cluster, potentially gaining access to privileged service account tokens. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Clone Of:
Environment:
Last Closed: 2021-05-12 02:33:48 UTC


Attachments (Terms of Use)

Description Marian Rehak 2021-04-08 09:56:28 UTC
If you create a kiali instance, then you can specify any project in yaml and it will be installed there, ignoring the rights to this project. If current user has edit permissions to 'user-namespace' but not to 'any-namespace', kiali anyway will be created in 'any-namespace'.

Reference:

https://issues.redhat.com/browse/KIALI-3278

Comment 3 Mark Cooper 2021-04-13 04:04:40 UTC
Very similar to https://access.redhat.com/security/cve/cve-2020-14306 where an attacker would need some level of privilege to begin with.

Comment 4 Mark Cooper 2021-04-16 04:08:09 UTC
Upstream fix: https://github.com/kiali/kiali-operator/pull/278

Comment 5 Mark Cooper 2021-04-16 11:28:13 UTC
Acknowledgments:

Name: Vladimir Andryushin (VTB Bank (PJSC))

Comment 9 errata-xmlrpc 2021-05-11 23:41:17 UTC
This issue has been addressed in the following products:

  OpenShift Service Mesh 2.0

Via RHSA-2021:1544 https://access.redhat.com/errata/RHSA-2021:1544

Comment 10 Product Security DevOps Team 2021-05-12 02:33:48 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3495

Comment 11 Mark Cooper 2021-05-12 02:51:53 UTC
External References:

https://kiali.io/news/security-bulletins/kiali-security-003/

Comment 13 Mark Cooper 2021-05-12 04:51:05 UTC
Statement:

In regards to the ServiceMesh `openshift-service-mesh/kiali-rhel7` container, it has been superseded by the `openshift-service-mesh/kiali-rhel8` container and is no longer supported.


Note You need to log in before you can comment on or make changes to this bug.