There exists a Server Side Request Forgery (SSRF) vulnerability in kube-controller-manager that allows certain authorized users to leak up to 500 bytes of arbitrary information from the master's host network, including secrets from the kube-apiserver through the unauthenticated localhost port (if enabled). An attacker with permissions to create a pod with certain built-in Volume types (GlusterFS, Quobyte, StorageFS, ScaleIO) or permissions to create a StorageClass can cause kube-controller-manager to make GET requests or POST requests without an attacker controlled request body from the master's host network.
Statement: OpenShift Container Platform does not expose kube-apiserver through an unauthenticated localhost port. However, other link-local addresses are reachable without authentication that allow an attacker to access sensitive data. The version of heketi shipped with Red Hat Gluster Storage 3 includes the affected client side code for heketi and quobyte volume plugin, however the vulnerable functionality is currently not used by the product and hence this issue has been rated as having a security impact of Low. Red Hat Openshift Container Storage 4.2 is not affected by this vulnerability as rook-ceph-operator container does not include support for affected volume plugins(storageos, scaleio, glusterfs, quobyte).
External References: https://groups.google.com/forum/#!topic/kubernetes-security-announce/kEK27tqqs30
Created origin tracking bugs for this issue: Affects: fedora-all [bug 1842692]
Mitigation: Restrict use of the vulnerable volume type and restrict StorageClass write permissions via RBAC
Upstream Issue: https://github.com/kubernetes/kubernetes/issues/91542 Upstream Patches: https://github.com/kubernetes/kubernetes/pull/89794 (master) https://github.com/kubernetes/kubernetes/pull/89796 (1.18.1+) https://github.com/kubernetes/kubernetes/pull/89837 (1.17.5+) https://github.com/kubernetes/kubernetes/pull/89838 (1.16.9+) https://github.com/kubernetes/kubernetes/pull/89839 (1.15.12+)
Acknowledgments: Name: the Kubernetes Product Security Committee Upstream: Brice Augras (Groupe-Asten), Christophe Hauquiert (Nokia)
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.3 Via RHSA-2020:2440 https://access.redhat.com/errata/RHSA-2020:2440
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.3 Via RHSA-2020:2441 https://access.redhat.com/errata/RHSA-2020:2441
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.4 Via RHSA-2020:2448 https://access.redhat.com/errata/RHSA-2020:2448
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.4 Via RHSA-2020:2449 https://access.redhat.com/errata/RHSA-2020:2449
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-8555
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 3.11 Via RHSA-2020:2479 https://access.redhat.com/errata/RHSA-2020:2479
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.2 Via RHSA-2020:2594 https://access.redhat.com/errata/RHSA-2020:2594