2134825 – Authorization for expand-spec endpoint missing

Bug 2134825 - Authorization for expand-spec endpoint missing

Summary: Authorization for expand-spec endpoint missing

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Container Native Virtualization (CNV)
Classification:	Red Hat
Component:	Infrastructure
Sub Component:
Version:	4.12.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Target Release:	4.12.0
Assignee:	Felix Matouschek
QA Contact:	Roni Kishner
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2022-10-14 13:04 UTC by Felix Matouschek
Modified:	2023-01-24 13:41 UTC (History)
CC List:	2 users (show)
Fixed In Version:	cnv v4.12.0-755
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2023-01-24 13:41:30 UTC
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Github	kubevirt kubevirt pull 8720	None	Merged	Rename and authorization for namespaced expand-spec endpoint	2022-11-17 08:18:56 UTC
Github	kubevirt kubevirt pull 8785	None	Merged	[release-0.58] Rename and authorization for namespaced expand-spec endpoint	2022-11-21 08:46:51 UTC
Red Hat Issue Tracker	CNV-21848	None	None	None	2022-10-14 13:35:52 UTC
Red Hat Product Errata	RHSA-2023:0408	None	None	None	2023-01-24 13:41:41 UTC

Description Felix Matouschek 2022-10-14 13:04:58 UTC

Description of problem:

Calls to the expand-spec.subresources.kubevirt.io resource are not guarded by authorization, so anyone with access to the kube api may access the endpoint.

Access to Instancetypes and preferences referred to in calls to expand-spec is also not guarded by authorization.

Version-Release number of selected component (if applicable):

KubeVirt v0.58.0

How reproducible:

100%

Steps to Reproduce:
1. Make PUT request to /apis/subresources.kubevirt.io/v1/expand-spec endpoint with unprivileged cluster user. --> Access to endpoint is allowed.

2. Make PUT request to /apis/subresources.kubevirt.io/v1/expand-spec endpoint with unprivileged cluster user and refer to Instancetypes or preferences in namespaces the user has no access to. -> Spec is expanded although access to namespace was not granted.

Actual results:

Access to endpoint and referenced resources is not verified.

Expected results:

Access to endpoint and referenced resources is verified and only possible when according privileges were granted.

Additional info:

See PR https://github.com/kubevirt/kubevirt/pull/8570

Comment 1 Roni Kishner 2022-12-13 10:51:43 UTC

Verified on CNV-755 with following request:
method = PUT
url = "https://api.ssp-rk-412b.cnv-qe.rhcloud.com:6443/apis/subresources.kubevirt.io/v1/namespaces/<namespace_name>/expand-vm-spec"
body = json dict of vm menifest

Comment 5 errata-xmlrpc 2023-01-24 13:41:30 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: OpenShift Virtualization 4.12.0 Images security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:0408

Note You need to log in before you can comment on or make changes to this bug.