The Migration Toolkit for Containers (MTC) enables you to migrate stateful application workloads between OpenShift Container Platform 4 clusters at the granularity of a namespace. By default the migration process should be available only for users with cluster-admin privileges on all clusters (source and target). The controller watches ALL namespaces, rather than strictly the openshift-migration namespace, what may lead to not-authorized usage of the Migration Toolkit for Containers (MTC). Users with permissions to create MigPlans and MigMigrations CRDs (namespace admins) may create them in their own namespace. That would provide a way to register their own (potentially crafted) cluster (source) with a MigCluster in their namespace on the target cluster and migrate malicious workload to the target cluster. Potentially that may lead to the exposure of sensitive information or even may provide a way to permission escalation.
Upstream PRs: https://github.com/konveyor/mig-controller/pull/1230 https://github.com/konveyor/mig-controller/pull/1228
This issue has been addressed in the following products: Red Hat Migration Toolkit for Containers 1.5 Via RHSA-2021:4848 https://access.redhat.com/errata/RHSA-2021:4848
This issue has been addressed in the following products: Red Hat Migration Toolkit for Containers 1.6 Via RHSA-2022:0202 https://access.redhat.com/errata/RHSA-2022:0202
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-3948