Bug 2239517 (CVE-2023-5056) - CVE-2023-5056 skupper-operator: privilege escalation via config map
Summary: CVE-2023-5056 skupper-operator: privilege escalation via config map
Keywords:
Status: NEW
Alias: CVE-2023-5056
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2238780
Reported: 2023-09-18 18:43 UTC by Chess Hazlett
Modified: 2023-11-06 08:58 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Skupper operator, which may permit a certain configuration to create a service account that would allow an authenticated attacker in the adjacent cluster to view deployments in all namespaces in the cluster. This issue permits unauthorized viewing of information outside of the user's purview.
Clone Of:
Environment:
Last Closed:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2023:6219 0 None None None 2023-10-31 18:04:50 UTC

Description Chess Hazlett 2023-09-18 18:43:11 UTC
The latest skupper operator allows privilege escalation on a Kubernetes cluster. If the skupper operator is running and a user in a given namespace creates a ConfigMap with the name skupper-site and includes in the data the line, `cluster-permissions: "true"`, then the operator will create a service account in that namespace that has cluster permissions enabling it to watch deployments in all namespaces on the cluster. This is the case even if the user creating that ConfigMap does not themselves have access to other namespaces.

The solution we propose is to make this feature optional at the operator level, and off by default. We have a patch ready for this (it has not been shared outside relevant Red Hat engineers) but want to be sure we follow the correct process.
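
The following audit helper is an added example and is not code from the Skupper project or from this bug report. It takes ConfigMap objects in the JSON shape that `kubectl get configmaps --all-namespaces -o json` produces and flags every `skupper-site` ConfigMap whose data sets `cluster-permissions` to `"true"`, which is the trigger the description names. It also models the proposed mitigation as a function that grants the feature only when an operator-level switch (a hypothetical `operator_feature_enabled` flag, off by default) is on. The case- and whitespace-insensitive comparison of the value and the sample ConfigMaps are constructed for this example.

```python
"""Audit helper for the skupper-site ConfigMap trigger described in the report.

Added example, not Skupper project code. Assumes input in the JSON "List"
shape emitted by `kubectl get configmaps --all-namespaces -o json`.
"""
import json
import sys
from typing import List, Tuple

SITE_CONFIGMAP_NAME = "skupper-site"             # ConfigMap name from the report
CLUSTER_PERMISSIONS_KEY = "cluster-permissions"  # data key from the report


def requests_cluster_permissions(configmap: dict) -> bool:
    """True if this is a skupper-site ConfigMap asking for cluster permissions.

    The report shows the literal value "true"; comparing after stripping
    whitespace and lower-casing is an assumption of this example so that
    near-variants such as " True " are not missed by an audit.
    """
    meta = configmap.get("metadata") or {}
    if meta.get("name") != SITE_CONFIGMAP_NAME:
        return False  # the operator only acts on the skupper-site ConfigMap
    value = (configmap.get("data") or {}).get(CLUSTER_PERMISSIONS_KEY)
    if not isinstance(value, str):
        return False  # key absent or not a string: nothing requested
    return value.strip().lower() == "true"


def find_cluster_permission_requests(configmap_list: dict) -> List[Tuple[str, str]]:
    """Return (namespace, name) for every flagged ConfigMap in a kubectl List."""
    return [
        (cm["metadata"].get("namespace", ""), cm["metadata"]["name"])
        for cm in configmap_list.get("items", [])
        if requests_cluster_permissions(cm)
    ]


def should_grant_cluster_permissions(configmap: dict,
                                     operator_feature_enabled: bool = False) -> bool:
    """Model of the proposed fix: the per-namespace request alone is not enough.

    `operator_feature_enabled` is a hypothetical operator-level switch, off by
    default, as the description proposes; the real patch is not on this page.
    """
    return operator_feature_enabled and requests_cluster_permissions(configmap)


# Constructed sample input; not captured from a real cluster.
SAMPLE_LIST = {
    "apiVersion": "v1", "kind": "List",
    "items": [
        {"metadata": {"name": "skupper-site", "namespace": "team-a"},
         "data": {"name": "team-a-site", "cluster-permissions": "true"}},
        {"metadata": {"name": "skupper-site", "namespace": "team-b"},
         "data": {"name": "team-b-site"}},                      # key absent
        {"metadata": {"name": "skupper-site", "namespace": "team-c"},
         "data": {"cluster-permissions": "false"}},             # explicitly off
        {"metadata": {"name": "app-config", "namespace": "team-d"},
         "data": {"cluster-permissions": "true"}},              # wrong name, ignored
        {"metadata": {"name": "skupper-site", "namespace": "team-e"},
         "data": {"cluster-permissions": " True "}},            # variant spelling
    ],
}

if __name__ == "__main__":
    # Pipe `kubectl get configmaps -A -o json` into this script, or run it
    # without input to audit the constructed sample.
    doc = SAMPLE_LIST if sys.stdin.isatty() else json.load(sys.stdin)
    for ns, name in find_cluster_permission_requests(doc):
        print(f"{ns}/{name}: requests cluster-wide permissions for its service account")
```

On the sample, team-a and team-e are flagged; team-b, team-c and team-d are not. An audit like this lists the namespaces where an operator that still honours the ConfigMap flag would have created a service account able to watch deployments cluster-wide, so the service accounts and their bindings in those namespaces can be reviewed.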

Comment 3 errata-xmlrpc 2023-10-31 18:04:49 UTC
This issue has been addressed in the following products:

  Service Interconnect 1 for RHEL 9

Via RHSA-2023:6219 https://access.redhat.com/errata/RHSA-2023:6219

