Bug 1955601 (CVE-2021-3528) - CVE-2021-3528 NooBaa: noobaa-operator leaking RPC AuthToken into log files
Summary: CVE-2021-3528 NooBaa: noobaa-operator leaking RPC AuthToken into log files
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-3528
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1935262 1956211
Blocks: 1937465 1955758
Reported: 2021-04-30 13:54 UTC by Hardik Vyas
Modified: 2021-06-17 15:46 UTC (History)

Fixed In Version: noobaa-operator 5.7.0
Doc Type: ---
Doc Text:
A flaw was found in NooBaa, where internal RPC AuthTokens exchanged between the noobaa operator and the noobaa core are leaked into log files. An attacker with access to the log files could use this AuthToken to gain additional access to the noobaa deployment and read or modify the system configuration.
Clone Of:
Environment:
Last Closed: 2021-05-19 14:33:46 UTC
Embargoed:

Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:2479 0 None None None 2021-06-17 15:46:43 UTC

Description Hardik Vyas 2021-04-30 13:54:26 UTC
An issue was discovered in OpenShift Container Storage (OCS) 4, where internal RPC AuthTokens between the noobaa operator and the noobaa core are leaked into log files. Logs of the noobaa operator are part of must-gather data like any other OCS component logs, so the AuthToken can also be retrieved from must-gather logs. A user with sufficient privileges could read the AuthToken from the logs and use it to access other resources.
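
The defect class described in this report is a secret written into an operator's log stream and then carried along into diagnostic bundles. The following Go program is an added example, not noobaa-operator code: it shows the logging pattern that causes such a leak next to two mitigations (clearing the secret field before the request is marshalled into a log line, and a regex-based redaction pass at the log sink), plus a scanner that checks an already collected log bundle for token values so an operator knows whether a credential must be rotated. The `RPCRequest` shape, the `auth_token` key name and all token values are assumptions constructed for the example and do not reflect NooBaa's real RPC format.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// RPCRequest is a hypothetical operator-to-core RPC message (not NooBaa's real
// type). AuthToken is the secret that must never reach a log line.
type RPCRequest struct {
	API       string                 `json:"api"`
	Method    string                 `json:"method"`
	AuthToken string                 `json:"auth_token,omitempty"`
	Params    map[string]interface{} `json:"params,omitempty"`
}

// NaiveLogLine is the leaking pattern: the whole request, secret included,
// is marshalled into a debug log entry.
func NaiveLogLine(r RPCRequest) string {
	b, _ := json.Marshal(r)
	return "rpc: sending " + string(b)
}

// SafeLogLine logs the same request with the token cleared before marshalling.
// Working on a copy keeps the caller's request (and its token) intact.
func SafeLogLine(r RPCRequest) string {
	redacted := r
	if redacted.AuthToken != "" {
		redacted.AuthToken = "[REDACTED]"
	}
	b, _ := json.Marshal(redacted)
	return "rpc: sending " + string(b)
}

// tokenPattern matches key/value pairs whose key looks like an auth token, in
// JSON ("auth_token":"...") or key=value form. Key names are assumptions.
var tokenPattern = regexp.MustCompile(`(?i)("?(?:auth_?token|token)"?\s*[:=]\s*"?)([^"\s,}]+)`)

// RedactLine is the last line of defence at the log sink: it rewrites any
// token-looking value in an already formatted line.
func RedactLine(line string) string {
	return tokenPattern.ReplaceAllString(line, "${1}[REDACTED]")
}

// FindLeakedTokens scans log text (for example a collected must-gather bundle)
// and returns the token values found, so the operator can decide which
// credentials have escaped and need rotation.
func FindLeakedTokens(logText string) []string {
	var found []string
	for _, line := range strings.Split(logText, "\n") {
		for _, m := range tokenPattern.FindAllStringSubmatch(line, -1) {
			if m[2] != "[REDACTED]" {
				found = append(found, m[2])
			}
		}
	}
	return found
}

func main() {
	// Constructed sample request; the token value is a placeholder.
	req := RPCRequest{
		API:       "auth_api",
		Method:    "read_account",
		AuthToken: "s3cr3t-example-token",
		Params:    map[string]interface{}{"email": "admin@example.com"},
	}
	naive := NaiveLogLine(req)
	fmt.Println("leaking :", naive)
	fmt.Println("safe    :", SafeLogLine(req))
	fmt.Println("sink    :", RedactLine(naive))
	fmt.Println("found in bundle:", FindLeakedTokens(naive))
}
```

The struct-level fix is the one to prefer: once a secret has been formatted into a string, a sink-side regex can only catch the key names it knows about, whereas clearing the field means the value never exists in the log path at all. The scanner is for the situation this report describes, where logs have already been collected into a bundle and shared.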

Comment 1 Hardik Vyas 2021-04-30 13:54:30 UTC
Acknowledgments:

Name: Martin Bukatovic (Red Hat)

Comment 5 errata-xmlrpc 2021-05-19 09:14:49 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Storage 4.7.0 on RHEL-8

Via RHSA-2021:2041 https://access.redhat.com/errata/RHSA-2021:2041

Comment 6 Product Security DevOps Team 2021-05-19 14:33:46 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3528

Comment 7 errata-xmlrpc 2021-06-17 15:46:42 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Storage 4.6.0 on RHEL-8

Via RHSA-2021:2479 https://access.redhat.com/errata/RHSA-2021:2479
