An issue was discovered in OpenShift Container Storage (OCS) 4, where internal RPC AuthTokens exchanged between the noobaa operator and the noobaa core are leaked into log files. Logs of the noobaa operator are part of must-gather data, as are the logs of every other OCS component, so the AuthToken can also be retrieved from must-gather logs. A user with sufficient privileges could read the AuthToken from the logs and use it to access other resources.
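The failure mode above, as an added illustration that is not code from the noobaa-operator project: an RPC request is serialized whole into a log line (token included), the hardened variant logs a redacted copy, and a small helper checks collected log lines for a known token value. The RPCRequest shape, field names and sample token are assumptions for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// RPCRequest is a hypothetical operator-to-core RPC call; the real wire format is not shown here.
type RPCRequest struct {
	API       string            `json:"api"`
	Method    string            `json:"method"`
	AuthToken string            `json:"auth_token,omitempty"`
	Params    map[string]string `json:"params,omitempty"`
}

// LogLineUnsafe reproduces the leak pattern: the full request, secret included, lands in the log.
func LogLineUnsafe(r RPCRequest) string {
	b, _ := json.Marshal(r)
	return fmt.Sprintf("RPC request: %s", b)
}

// Redacted returns a copy with the token masked; the caller's request is left untouched
// so the real RPC still carries the credential.
func (r RPCRequest) Redacted() RPCRequest {
	c := r
	if c.AuthToken != "" {
		c.AuthToken = "[REDACTED]"
	}
	return c
}

// LogLineSafe is the hardened form: only the redacted copy is serialized.
func LogLineSafe(r RPCRequest) string {
	b, _ := json.Marshal(r.Redacted())
	return fmt.Sprintf("RPC request: %s", b)
}

// ContainsToken is a post-collection check for must-gather output: does any line carry the token?
func ContainsToken(logLines []string, token string) bool {
	for _, l := range logLines {
		if token != "" && strings.Contains(l, token) {
			return true
		}
	}
	return false
}

func main() {
	req := RPCRequest{API: "system_api", Method: "read_system", AuthToken: "constructed-token-123"}
	fmt.Println(LogLineUnsafe(req)) // token visible
	fmt.Println(LogLineSafe(req))   // token masked
}
```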
Acknowledgments: Name: Martin Bukatovic (Red Hat)
Upstream PRs: [master] https://github.com/noobaa/noobaa-operator/pull/569, [5.7.0] https://github.com/noobaa/noobaa-operator/pull/571
This issue has been addressed in the following products: Red Hat OpenShift Container Storage 4.7.0 on RHEL-8 Via RHSA-2021:2041 https://access.redhat.com/errata/RHSA-2021:2041
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-3528
This issue has been addressed in the following products: Red Hat OpenShift Container Storage 4.6.0 on RHEL-8 Via RHSA-2021:2479 https://access.redhat.com/errata/RHSA-2021:2479