2101959 – (CVE-2022-2403) CVE-2022-2403 openshift: oauth-serving-cert configmap contains cluster certificate private key

Bug 2101959 (CVE-2022-2403) - CVE-2022-2403 openshift: oauth-serving-cert configmap contains cluster certificate private key

Summary: CVE-2022-2403 openshift: oauth-serving-cert configmap contains cluster certif...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2022-2403
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2084054 2107024 2107025 2107026 2107027 2107028
Blocks:	2088253 2107095
TreeView+	depends on / blocked

Reported:	2022-06-28 22:14 UTC by Anten Skrabec
Modified:	2023-06-07 14:04 UTC (History)
CC List:	15 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:	A credentials leak was found in the OpenShift Container Platform. The private key for the external cluster certificate was stored incorrectly in the oauth-serving-cert ConfigMaps, and accessible to any authenticated OpenShift user or service-account. This flaw allows a malicious user to read the oauth-serving-cert ConfigMap in the openshift-config-managed namespace, compromising any web traffic secured using that certificate.
Clone Of:
Environment:
Last Closed:	2022-09-01 06:55:50 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2022:5664	0	None	None	None	2022-07-25 06:52:49 UTC
Red Hat Product Errata	RHSA-2022:5879	0	None	None	None	2022-08-09 14:00:59 UTC

Description Anten Skrabec 2022-06-28 22:14:21 UTC

the `oauth-serving-cert` configmap in openshift-config-managed and openshift-console projects contains the private key of the cluster external certificate

Comment 4 Sam Fowler 2022-07-14 22:54:28 UTC

Upstream fix:

https://github.com/openshift/cluster-authentication-operator/pull/573

Comment 8 errata-xmlrpc 2022-07-25 06:52:47 UTC

This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.10

Via RHSA-2022:5664 https://access.redhat.com/errata/RHSA-2022:5664

Comment 10 Marcus 2022-07-29 07:08:32 UTC

Hi everyone,

is there any existing plan to back-port the fix to OpenShift v4.9 as well?


Thanks in advance,
Marcus

Comment 11 oarribas 2022-08-01 12:29:36 UTC

Hi Marcus,


The fix for 4.9 is tracked in BZ 2107027.

Comment 12 Marcus 2022-08-02 05:32:46 UTC

THX @oarribas, unfortunately I'm not allowed to access. Is there a reason why for v4.9 it's a private RH BZ?... and for v4.10 it's public

Comment 14 errata-xmlrpc 2022-08-09 14:00:57 UTC

This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.9

Via RHSA-2022:5879 https://access.redhat.com/errata/RHSA-2022:5879

Comment 15 Product Security DevOps Team 2022-09-01 06:55:48 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-2403

Note You need to log in before you can comment on or make changes to this bug.