Bug 1825161 (CVE-2020-10712) - CVE-2020-10712 openshift/cluster-image-registry-operator: secrets disclosed in logs
Summary: CVE-2020-10712 openshift/cluster-image-registry-operator: secrets disclosed i...
Alias: CVE-2020-10712
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1825164 1825165 1825718 1825719 1825720
Blocks: 1824779
TreeView+ depends on / blocked
Reported: 2020-04-17 09:16 UTC by Jason Shepherd
Modified: 2020-07-09 20:34 UTC (History)
12 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in OpenShift Container Platform version 4.1 and later. Sensitive information was found to be logged by the image registry operator allowing an attacker able to gain access to those logs, to read and write to the storage backing the internal image registry. The highest threat from this vulnerability is to data integrity.
Clone Of:
Last Closed: 2020-05-12 10:33:28 UTC

Attachments (Terms of Use)

System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:2009 None None None 2020-05-12 05:11:48 UTC
Red Hat Product Errata RHSA-2020:2026 None None None 2020-05-13 11:27:49 UTC
Red Hat Product Errata RHSA-2020:2136 None None None 2020-05-18 15:44:26 UTC

Description Jason Shepherd 2020-04-17 09:16:26 UTC
The image registry operator in OpenShift Container Platform version 4.4 and later logs sensitive information. An attacker able to obtain the log could gain read and write access to the storage backing the OpenShift Container Platform internal image registry.

Comment 1 Jason Shepherd 2020-04-17 09:16:29 UTC

Name: Adam Kaplan (Red Hat)

Comment 10 Jason Shepherd 2020-04-20 03:48:19 UTC

References to internal container components making up OpenShift Container Platform 4.x itself all use digests to refer to container images [1]. Therefore any changes to the images in the registry storage will invalidate those references. This issue could allow an attacker to modify other container image content that is referred to by tag however.

[1] https://www.redhat.com/en/blog/securing-deployment-openshift-container-platform-4

Comment 11 Jason Shepherd 2020-04-21 23:24:51 UTC

Ensure that the image registry operator logs remain private.

Comment 12 Jason Shepherd 2020-05-05 00:15:04 UTC
Upstream Patch:


Comment 13 errata-xmlrpc 2020-05-12 05:11:47 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.3

Via RHSA-2020:2009 https://access.redhat.com/errata/RHSA-2020:2009

Comment 14 Product Security DevOps Team 2020-05-12 10:33:28 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):


Comment 15 errata-xmlrpc 2020-05-13 11:27:47 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.2

Via RHSA-2020:2026 https://access.redhat.com/errata/RHSA-2020:2026

Comment 16 errata-xmlrpc 2020-05-18 15:44:25 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.4

Via RHSA-2020:2136 https://access.redhat.com/errata/RHSA-2020:2136

Note You need to log in before you can comment on or make changes to this bug.