The image registry operator in OpenShift Container Platform version 4.4 and later logs sensitive information. An attacker able to obtain the log could gain read and write access to the storage backing the OpenShift Container Platform internal image registry.
Acknowledgments: Name: Adam Kaplan (Red Hat)
Mitigation: Ensure that the image registry operator logs remain private.
Upstream Patch: https://github.com/openshift/cluster-image-registry-operator/pull/527
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.3 Via RHSA-2020:2009 https://access.redhat.com/errata/RHSA-2020:2009
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-10712
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.2 Via RHSA-2020:2026 https://access.redhat.com/errata/RHSA-2020:2026
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.4 Via RHSA-2020:2136 https://access.redhat.com/errata/RHSA-2020:2136
Statement: References to the internal container components that make up OpenShift Container Platform 4.x itself all use digests to refer to container images [1]. Any change to those images in the registry storage would therefore invalidate those references. This issue could, however, allow an attacker to modify other container image content that is referred to by tag. [1] https://www.redhat.com/en/blog/securing-deployment-openshift-container-platform-4
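The digest-versus-tag distinction in the statement above, as an added example that is not part of this advisory or of the OpenShift code base: a simplified model of a client's pull check, run over two constructed manifest bodies, showing that a digest-pinned reference rejects altered registry content while a tag reference accepts whatever the registry serves. The repository name and manifest bodies are assumed sample values.

```python
import hashlib
from typing import Optional, Tuple

# Constructed sample manifest bodies; not real OpenShift image manifests.
ORIGINAL_MANIFEST = b'{"schemaVersion":2,"layers":[{"digest":"sha256:0a1b"}]}'
TAMPERED_MANIFEST = b'{"schemaVersion":2,"layers":[{"digest":"sha256:dead"}]}'


def manifest_digest(body: bytes) -> str:
    """Registry content digest: sha256 over the exact manifest bytes."""
    return "sha256:" + hashlib.sha256(body).hexdigest()


def parse_reference(ref: str) -> Tuple[str, Optional[str], Optional[str]]:
    """Split an image reference into (repository, tag, digest).

    Accepts 'repo@sha256:<hex>' and 'repo:tag'; a bare 'repo' means tag 'latest'.
    A port in the host part (host:5000/ns/name) is not mistaken for a tag.
    """
    if "@" in ref:
        repo, digest = ref.rsplit("@", 1)
        algo, _, hexpart = digest.partition(":")
        if algo != "sha256" or len(hexpart) != 64:
            raise ValueError(f"unsupported digest in reference: {ref}")
        return repo, None, digest
    repo, sep, tag = ref.rpartition(":")
    if sep and "/" not in tag:
        return repo, tag, None
    return ref, "latest", None


def verify_pull(ref: str, manifest_body: bytes) -> Tuple[bool, str]:
    """Decide whether a manifest served for `ref` may be used.

    A digest reference binds the name to the content, so a manifest whose
    digest differs is rejected. A tag reference carries no such binding, so
    whatever the registry currently serves is accepted: altered registry
    storage changes tag-referenced images silently, digest-referenced ones not.
    """
    _, tag, pinned = parse_reference(ref)
    actual = manifest_digest(manifest_body)
    if pinned is not None:
        if actual == pinned:
            return True, "digest matches pinned reference"
        return False, f"digest mismatch: expected {pinned}, got {actual}"
    return True, f"tag '{tag}' has no content binding; {actual} accepted unverified"


if __name__ == "__main__":
    repo = "image-registry.openshift-image-registry.svc:5000/myproject/app"  # assumed
    pinned_ref = f"{repo}@{manifest_digest(ORIGINAL_MANIFEST)}"
    for ref in (pinned_ref, f"{repo}:latest"):
        for body in (ORIGINAL_MANIFEST, TAMPERED_MANIFEST):
            ok, why = verify_pull(ref, body)
            print("ACCEPT" if ok else "REJECT", ref.split("/")[-1], "->", why)
```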