The kube-rbac-proxy container, as used in Red Hat OpenShift Container Platform, does not honor TLS configurations, allowing the use of insecure ciphers and TLS 1.0. An attacker could target traffic sent over a TLS connection with a weak configuration and potentially break the encryption of the data stream.
The kube-rbac-proxy container as used in Red Hat OpenShift Container Platform does not honour TLS configurations, allowing for use of insecure ciphers and TLS 1.0. An attacker could potentially target a weak TLS configuration via a man-in-the-middle attack to discover sensitive information.
The fix for this issue properly applies the configured TLS settings and makes TLS 1.2 the default.
Name: Frederic Branczyk (Red Hat), Matthias Loibl (Red Hat), Max Inden (Red Hat)
This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 3.11
Via RHBA-2019:0327 https://access.redhat.com/errata/RHBA-2019:0327
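The behaviour the fix describes (apply the configured TLS settings, default to TLS 1.2) can be sketched in Go, the language kube-rbac-proxy is written in. This is an added example, not the project's code: `buildTLSConfig` and the version strings it accepts are hypothetical names chosen for illustration.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// Hypothetical setting values; the advisory does not list the proxy's option names.
var tlsVersions = map[string]uint16{
	"":             tls.VersionTLS12, // unset: default to TLS 1.2, as the fix does
	"VersionTLS10": tls.VersionTLS10,
	"VersionTLS11": tls.VersionTLS11,
	"VersionTLS12": tls.VersionTLS12,
	"VersionTLS13": tls.VersionTLS13,
}

// buildTLSConfig turns the operator's configured values into a tls.Config and
// fails closed on anything it cannot apply, instead of silently falling back
// to library defaults (the failure mode described in the advisory).
func buildTLSConfig(minVersion string, suites []string) (*tls.Config, error) {
	v, ok := tlsVersions[minVersion]
	if !ok {
		return nil, fmt.Errorf("unknown TLS version %q", minVersion)
	}
	cfg := &tls.Config{MinVersion: v}

	// tls.CipherSuites() lists only suites Go considers secure; weak ones
	// (RC4, 3DES, ...) are reported by tls.InsecureCipherSuites() instead.
	secure := map[string]uint16{}
	for _, s := range tls.CipherSuites() {
		secure[s.Name] = s.ID
	}
	for _, name := range suites {
		id, ok := secure[name]
		if !ok {
			return nil, fmt.Errorf("cipher suite %q is unknown or insecure", name)
		}
		cfg.CipherSuites = append(cfg.CipherSuites, id)
	}
	return cfg, nil
}

func main() {
	// Constructed sample inputs.
	cfg, err := buildTLSConfig("", []string{"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"})
	fmt.Println(cfg.MinVersion == tls.VersionTLS12, len(cfg.CipherSuites), err)
	_, err = buildTLSConfig("", []string{"TLS_RSA_WITH_RC4_128_SHA"})
	fmt.Println(err)
}
```

The resulting `*tls.Config` has to be the one actually assigned to the listening `http.Server`'s `TLSConfig` field; a config that is parsed but never attached leaves the listener on library defaults.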