Bug 2081181 (CVE-2022-1632) - CVE-2022-1632 Openshift: ClusterIP Service TLS certificate not checked by route controller if re-encrypt Route destinationCACertificate field is explicitly set to default serviceCA
Keywords:
Status: NEW
Alias: CVE-2022-1632
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2093936 2083320 2083321 2109273
Blocks: 2044612
 
Reported: 2022-05-02 22:45 UTC by Anten Skrabec
Modified: 2023-07-07 08:35 UTC
CC: 36 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
An improper certificate validation flaw was found in OpenShift. A re-encrypt Route whose destinationCACertificate is explicitly set to the default serviceCA skips TLS certificate validation of the internal Service. This flaw allows an attacker to exploit an invalid certificate, resulting in a loss of confidentiality.
Clone Of:
Environment:
Last Closed:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 6989132 0 None None None 2022-12-06 04:37:12 UTC

Description Anten Skrabec 2022-05-02 22:45:16 UTC
A re-encrypt Route with destinationCACertificate explicitly set to the default serviceCA seems to skip internal Service TLS certificate validation, serving content without error even if the target Service certificate and the certificate presented by the target Pod(s) differ.
Note that if we don't set destinationCACertificate in the Route YAML manifest (the Route will still implicitly use the same default serviceCA certificate, as described in the doc [1]), we correctly get an error page.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2041857
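An added audit helper for the condition described above; this is example code written for this page, not part of the bug report, OpenShift or its router. It parses the JSON an administrator would get from `oc get routes -A -o json` (the Route objects and the service CA PEM below are constructed sample data) and lists every re-encrypt Route that explicitly sets spec.tls.destinationCACertificate. When the cluster's service CA PEM is supplied, only Routes whose explicit CA equals it are reported, which is exactly the configuration the report says bypassed validation; without it, every explicit destinationCACertificate on a re-encrypt Route is listed for review.

```python
"""Audit OpenShift Route objects for re-encrypt Routes that explicitly set
spec.tls.destinationCACertificate (the configuration described in this bug).
All Route objects and PEM values here are constructed sample data."""
import json
from typing import List, Optional, Tuple

# Constructed stand-in for the default service CA; a real cluster has its own.
SAMPLE_SERVICE_CA = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBconstructedServiceCAexampleNotARealCertificate==\n"
    "-----END CERTIFICATE-----\n"
)

# Constructed stand-in for the output of `oc get routes -A -o json`.
SAMPLE_ROUTES_JSON = json.dumps({
    "items": [
        # Re-encrypt Route that pins the default service CA explicitly (the risky case).
        {"metadata": {"namespace": "shop", "name": "api"},
         "spec": {"tls": {"termination": "reencrypt",
                          "destinationCACertificate": SAMPLE_SERVICE_CA}}},
        # Re-encrypt Route that relies on the implicit service CA (validated correctly).
        {"metadata": {"namespace": "shop", "name": "web"},
         "spec": {"tls": {"termination": "reencrypt"}}},
        # Re-encrypt Route pinned to some other, custom CA.
        {"metadata": {"namespace": "shop", "name": "legacy"},
         "spec": {"tls": {"termination": "reencrypt",
                          "destinationCACertificate": "-----BEGIN CERTIFICATE-----\n"
                                                      "MIIBconstructedCustomCA==\n"
                                                      "-----END CERTIFICATE-----\n"}}},
        # Edge-terminated and plain HTTP Routes are out of scope.
        {"metadata": {"namespace": "blog", "name": "edge"},
         "spec": {"tls": {"termination": "edge"}}},
        {"metadata": {"namespace": "blog", "name": "plain"}, "spec": {}},
    ]
})


def _normalize_pem(pem: str) -> str:
    """Compare PEM blobs ignoring line wrapping and surrounding whitespace."""
    return "".join(pem.split())


def find_explicit_reencrypt_ca(routes_json: str,
                               service_ca_pem: Optional[str] = None
                               ) -> List[Tuple[str, str]]:
    """Return (namespace, name) for each re-encrypt Route with an explicit
    destinationCACertificate. If service_ca_pem is given, report only Routes
    whose explicit CA is that service CA, i.e. the configuration in this bug."""
    data = json.loads(routes_json)
    findings = []
    for item in data.get("items", []):
        tls = (item.get("spec") or {}).get("tls") or {}
        if tls.get("termination") != "reencrypt":
            continue
        dest_ca = tls.get("destinationCACertificate") or ""
        if not dest_ca.strip():
            continue  # implicit service CA: validated normally per the report
        if service_ca_pem is not None and \
                _normalize_pem(dest_ca) != _normalize_pem(service_ca_pem):
            continue  # explicit but custom CA: not the reported condition
        meta = item["metadata"]
        findings.append((meta["namespace"], meta["name"]))
    return findings


if __name__ == "__main__":
    for ns, name in find_explicit_reencrypt_ca(SAMPLE_ROUTES_JSON, SAMPLE_SERVICE_CA):
        print(f"{ns}/{name}: re-encrypt Route explicitly pins the default service CA")
```

Routes it reports can be remediated by removing the explicit destinationCACertificate so the router falls back to the implicit service CA, which the report notes is validated correctly, and by applying the fixed router build tracked in this bug.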

Comment 1 Sage McTaggart 2022-05-09 16:57:52 UTC
Created ansible-collection-community-kubernetes tracking bugs for this issue:

Affects: fedora-34 [bug 2083320]
Affects: fedora-35 [bug 2083321]

Comment 12 Sage McTaggart 2022-07-19 17:41:41 UTC
Is there an estimated "fixed in" or eta for the fix? Thanks!

