1902698 – (CVE-2020-27816) CVE-2020-27816 openshift/elasticsearch-operator: arbitrary URL redirection of the cluster logging kibana console

Bug 1902698 (CVE-2020-27816) - CVE-2020-27816 openshift/elasticsearch-operator: arbitrary URL redirection of the cluster logging kibana console

Summary: CVE-2020-27816 openshift/elasticsearch-operator: arbitrary URL redirection of...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2020-27816
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1898572 1902768
Blocks:	1899673
TreeView+	depends on / blocked

Reported:	2020-11-30 12:56 UTC by Przemyslaw Roguski
Modified:	2024-03-25 17:17 UTC (History)
CC List:	9 users (show)
Fixed In Version:	elasticsearch-operator-container 4.7
Doc Type:	---
Doc Text:	The elasticsearch-operator does not validate the namespace where kibana logging resource is created and due to that it is possible to replace the original openshift-logging console link (kibana console) to different one, created based on the new CR for the new kibana resource. This could lead to an arbitrary URL redirection or the openshift cluster logging console link damage.
Clone Of:
Environment:
Last Closed:	2021-02-08 14:41:48 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2021:0310	0	None	None	None	2021-02-08 13:41:41 UTC

Description Przemyslaw Roguski 2020-11-30 12:56:47 UTC

In the OpenShift Container Platform  4.x the kibana logging console might be manipulated or even completely damaged by any user who create kibana resource in a non openshift-logging namespace. Due to that the console links is recreated by the elasticsearch-operator based on the new CR. If the new kibana resource is removed then the openshift-logging console link does not back to the original one but completely is lost.

This flaw could lead to an arbitrary URL redirection or the openshift-logging console link full damage.

Comment 3 Przemyslaw Roguski 2020-11-30 13:02:06 UTC

Fixes:
https://github.com/openshift/elasticsearch-operator/pull/581
https://github.com/openshift/elasticsearch-operator/pull/587

Comment 4 Przemyslaw Roguski 2020-12-01 11:08:21 UTC

Acknowledgments:

Name: Aivaras Laimikis

Comment 5 errata-xmlrpc 2021-02-08 13:41:39 UTC

This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.6

Via RHSA-2021:0310 https://access.redhat.com/errata/RHSA-2021:0310

Comment 6 Product Security DevOps Team 2021-02-08 14:41:48 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-27816

Note You need to log in before you can comment on or make changes to this bug.