Bug 1947361 (CVE-2021-3495) - CVE-2021-3495 kiali/kiali-operator: can deploy specified image to any namespace
Summary: CVE-2021-3495 kiali/kiali-operator: can deploy specified image to any namespace
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-3495
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1947362 1948689
Reported: 2021-04-08 09:56 UTC by Marian Rehak
Modified: 2023-08-31 23:51 UTC (History)

Fixed In Version: kiali/kiali-operator 1.33.0, kiali/kiali-operator 1.24.7
Clone Of:
Environment:
Last Closed: 2021-05-12 02:33:48 UTC
Embargoed:



Description Marian Rehak 2021-04-08 09:56:28 UTC
If you create a Kiali instance, you can specify any project in the YAML and it will be installed there, ignoring the rights to that project. If the current user has edit permissions for 'user-namespace' but not for 'any-namespace', Kiali will nevertheless be created in 'any-namespace'.

Reference:

https://issues.redhat.com/browse/KIALI-3278
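The behaviour described in the report, modelled as an added example (constructed here, not Kiali's or the operator's code): a CR created in one namespace names a different install target, the pre-fix reconciler honours it, and a hardened reconciler refuses a target the requester has no rights to. It assumes the CR carries the target in spec.deployment.namespace, models RBAC as a plain mapping, and assumes the reconciler knows the requesting identity; an operator that cannot know that must instead pin the target to the CR's own namespace.

```python
"""Model of CVE-2021-3495: an operator deploying into a caller-chosen namespace.

Constructed example, not the kiali-operator's code. spec.deployment.namespace
as the target field and the RBAC mapping below are assumptions.
"""

# Constructed RBAC state: which users hold the 'edit' role in which namespace.
RBAC_EDIT = {
    "user-namespace": {"alice"},
    "any-namespace": {"cluster-admin"},
}

# Constructed Kiali CR: created by 'alice' in her own namespace, but pointing
# the deployment at a namespace she cannot edit.
KIALI_CR = {
    "metadata": {"name": "kiali", "namespace": "user-namespace"},
    "spec": {"deployment": {"namespace": "any-namespace"}},
}


def can_edit(user, namespace):
    """Stand-in for a SubjectAccessReview: does user hold 'edit' in namespace?"""
    return user in RBAC_EDIT.get(namespace, set())


def target_namespace(cr):
    """Where the operator will install; defaults to the CR's own namespace."""
    deployment = cr["spec"].get("deployment", {})
    return deployment.get("namespace") or cr["metadata"]["namespace"]


def reconcile_vulnerable(cr, requester):
    """Pre-fix behaviour: trust the CR and install wherever it says."""
    return target_namespace(cr)


def reconcile_hardened(cr, requester):
    """Fixed behaviour: refuse a target the requester could not write to directly.

    The CR's own namespace is always acceptable, because creating the CR there
    already required write access to that namespace.
    """
    target = target_namespace(cr)
    if target != cr["metadata"]["namespace"] and not can_edit(requester, target):
        raise PermissionError(
            f"{requester} may not deploy into {target!r} from a CR in "
            f"{cr['metadata']['namespace']!r}"
        )
    return target
```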

Comment 3 Mark Cooper 2021-04-13 04:04:40 UTC
Very similar to https://access.redhat.com/security/cve/cve-2020-14306 where an attacker would need some level of privilege to begin with.

Comment 4 Mark Cooper 2021-04-16 04:08:09 UTC
Upstream fix: https://github.com/kiali/kiali-operator/pull/278

Comment 5 Mark Cooper 2021-04-16 11:28:13 UTC
Acknowledgments:

Name: Vladimir Andryushin (VTB Bank (PJSC))

Comment 9 errata-xmlrpc 2021-05-11 23:41:17 UTC
This issue has been addressed in the following products:

  OpenShift Service Mesh 2.0

Via RHSA-2021:1544 https://access.redhat.com/errata/RHSA-2021:1544

Comment 10 Product Security DevOps Team 2021-05-12 02:33:48 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3495

Comment 11 Mark Cooper 2021-05-12 02:51:53 UTC
External References:

https://kiali.io/news/security-bulletins/kiali-security-003/

Comment 13 Mark Cooper 2021-05-12 04:51:05 UTC
Statement:

In regards to the ServiceMesh `openshift-service-mesh/kiali-rhel7` container, it has been superseded by the `openshift-service-mesh/kiali-rhel8` container and is no longer supported.
