With a specially crafted request, users are able to establish a connection through the Kubernetes API server to backend servers, then send arbitrary requests over the same connection directly to the backend, authenticated with the Kubernetes API server’s TLS credentials used to establish the backend connection.
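Added example (not code from this report or from the linked upstream commit): a proxy-side check in Go that stops a backend connection from carrying further client requests unless the backend really switched protocols. It assumes the crafted request is an HTTP upgrade request; `relayUpgradeReply` and the sample replies are hypothetical and constructed for illustration.

```go
package main

import (
	"bufio"
	"bytes"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// Constructed sample backend replies (not captured traffic).
const (
	upgraded = "HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\nConnection: Upgrade\r\n\r\n"
	refused  = "HTTP/1.1 400 Bad Request\r\nContent-Length: 11\r\n\r\nbad request"
)

// relayUpgradeReply (hypothetical helper) reads the backend's reply to a
// proxied upgrade request and copies it to the client. It returns tunnel=true
// only for 101 Switching Protocols, the one case where the proxy may go on to
// copy raw bytes between client and backend. For any other status the reply is
// relayed with "Connection: close" and the caller must close both connections,
// so no later client bytes travel over the proxy's authenticated backend link.
func relayUpgradeReply(backend io.Reader, client io.Writer) (tunnel bool, status int, err error) {
	resp, err := http.ReadResponse(bufio.NewReader(backend), nil)
	if err != nil {
		return false, 0, err // unparsable reply: never tunnel
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusSwitchingProtocols {
		resp.Close = true // tell the client the connection ends here
		return false, resp.StatusCode, resp.Write(client)
	}
	return true, resp.StatusCode, resp.Write(client)
}

func main() {
	for _, reply := range []string{upgraded, refused} {
		var client bytes.Buffer
		tunnel, status, err := relayUpgradeReply(strings.NewReader(reply), &client)
		fmt.Printf("status=%d tunnel=%v err=%v\n", status, tunnel, err)
	}
}
```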
Mitigation: See the vulnerability article for mitigation procedures.
Upstream commit https://github.com/kubernetes/apimachinery/commit/b5d13f078af116d09ad9c323357497a0e9f623fc
Created kubernetes tracking bugs for this issue: Affects: fedora-all [bug 1655686]
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 3.2 Via RHSA-2018:3742 https://access.redhat.com/errata/RHSA-2018:3742
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 3.11 Via RHSA-2018:3537 https://access.redhat.com/errata/RHSA-2018:3537
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 3.3 Via RHSA-2018:3754 https://access.redhat.com/errata/RHSA-2018:3754
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 3.4 Via RHSA-2018:3752 https://access.redhat.com/errata/RHSA-2018:3752
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 3.10 Via RHSA-2018:3549 https://access.redhat.com/errata/RHSA-2018:3549
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 3.6 Via RHSA-2018:3598 https://access.redhat.com/errata/RHSA-2018:3598
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 3.9 Via RHSA-2018:2908 https://access.redhat.com/errata/RHSA-2018:2908
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 3.8 Via RHSA-2018:3551 https://access.redhat.com/errata/RHSA-2018:3551
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 3.5 Via RHSA-2018:3624 https://access.redhat.com/errata/RHSA-2018:3624
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 3.7 Via RHSA-2018:2906 https://access.redhat.com/errata/RHSA-2018:2906
Acknowledgments: Name: the Kubernetes Product Security Team Upstream: Darren Shepherd
Statement: In versions 3.6 and higher of OpenShift Container Platform, this vulnerability allows cluster-admin level access to any API hosted by an aggregated API server. This includes the ‘service catalog’ API which is installed by default in 3.7 and later. Cluster-admin level access to the service catalog allows creation of brokered services by an unauthenticated user with escalated privileges in any namespace and on any node. This could lead to an attacker being allowed to deploy malicious code, or alter existing services.
External References: https://groups.google.com/forum/#!topic/kubernetes-announce/GVllWCg6L88 https://access.redhat.com/security/vulnerabilities/3716411
Created origin tracking bugs for this issue: Affects: fedora-all [bug 1656650]