Bug 1825161 (CVE-2020-10712) - CVE-2020-10712 openshift/cluster-image-registry-operator: secrets disclosed in logs
Summary: CVE-2020-10712 openshift/cluster-image-registry-operator: secrets disclosed i...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-10712
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1825164 1825165 1825718 1825719 1825720
Blocks: 1824779
TreeView+ depends on / blocked
 
Reported: 2020-04-17 09:16 UTC by Jason Shepherd
Modified: 2021-02-16 20:15 UTC (History)
12 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in OpenShift Container Platform versions from 4.1 to 4.4 inclusive. Sensitive information was found to be logged by the image registry operator allowing an attacker able to gain access to those logs, to read and write to the storage backing the internal image registry. The highest threat from this vulnerability is to data integrity.
Clone Of:
Environment:
Last Closed: 2020-05-12 10:33:28 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:2009 0 None None None 2020-05-12 05:11:48 UTC
Red Hat Product Errata RHSA-2020:2026 0 None None None 2020-05-13 11:27:49 UTC
Red Hat Product Errata RHSA-2020:2136 0 None None None 2020-05-18 15:44:26 UTC

Description Jason Shepherd 2020-04-17 09:16:26 UTC 
The image registry operator in OpenShift Container Platform version 4.4 and later logs sensitive information. An attacker able to obtain the log could gain read and write access to the storage backing the OpenShift Container Platform internal image registry.
Comment 1 Jason Shepherd 2020-04-17 09:16:29 UTC 
Acknowledgments:

Name: Adam Kaplan (Red Hat)
Comment 11 Jason Shepherd 2020-04-21 23:24:51 UTC 
Mitigation:

Ensure that the image registry operator logs remain private.
Comment 12 Jason Shepherd 2020-05-05 00:15:04 UTC 
Upstream Patch:

https://github.com/openshift/cluster-image-registry-operator/pull/527
Comment 13 errata-xmlrpc 2020-05-12 05:11:47 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.3

Via RHSA-2020:2009 https://access.redhat.com/errata/RHSA-2020:2009
Comment 14 Product Security DevOps Team 2020-05-12 10:33:28 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-10712
Comment 15 errata-xmlrpc 2020-05-13 11:27:47 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.2

Via RHSA-2020:2026 https://access.redhat.com/errata/RHSA-2020:2026
Comment 16 errata-xmlrpc 2020-05-18 15:44:25 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.4

Via RHSA-2020:2136 https://access.redhat.com/errata/RHSA-2020:2136
Comment 19 Jason Shepherd 2020-11-08 22:54:38 UTC 
Statement:

References to internal container components making up OpenShift Container Platform 4.x itself all use digests to refer to container images [1]. Therefore any changes to the images in the registry storage will invalidate those references. This issue could allow an attacker to modify other container image content that is referred to by tag however.

[1] https://www.redhat.com/en/blog/securing-deployment-openshift-container-platform-4
Note You need to log in before you can comment on or make changes to this bug.