In Kubernetes clusters running on vSphere and using vSphere as the cloud provider, with the logging level set to 4 or above, the vSphere cloud credentials are leaked into the cloud controller manager's log. Upstream Fix: https://github.com/kubernetes/kubernetes/pull/95236
Acknowledgments: Name: the Kubernetes Product Security Committee; Upstream: Kaizhe Huang (derek0405)
Introduced by: https://github.com/kubernetes/kubernetes/commit/9e0555446238b2dfe45805babc2b6982565c293d
Statement: OpenShift Container Platform (OCP) versions before 4.6 are not affected by this vulnerability as they are based on Kubernetes versions before 1.19. Only Kubernetes versions 1.19.0 through 1.19.2 are affected by this vulnerability.
Mitigation: Ensure that the logging level is below 4. Additionally, protect cluster logs against unauthorized access. For OCP, the logging level of core components can be configured through their operators, e.g. for kube-controller-manager: https://docs.openshift.com/container-platform/latest/rest_api/operator_apis/kubecontrollermanager-operator-openshift-io-v1.html#specification In OCP, a logging level of "Debug" is equivalent to 4: https://github.com/openshift/api/blob/master/operator/v1/types.go#L96 The default logging level is "Normal", which is equivalent to 2. Clusters running with the default level are not vulnerable to this issue.
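The checks below are an added example for this advisory, not code from Kubernetes, OpenShift or Red Hat. They express the page's conditions (Kubernetes 1.19.0 through 1.19.2, verbosity 4 or above) as code: mapping an OCP KubeControllerManager operator logLevel to a klog verbosity, reading the -v flag from a controller-manager command line, deciding whether a cluster is in the affected configuration, and scanning captured log lines for credential values that should never appear there. The "Trace"/"TraceAll" mappings are taken from the openshift/api LogLevel type and are not on this page; the sample log lines and secrets are constructed and do not reproduce the real log format.

```python
import re

# Page states: OCP logLevel "Normal" == klog verbosity 2 (default), "Debug" == 4.
# "Trace" == 6 and "TraceAll" == 8 come from the openshift/api LogLevel type (assumption: not on this page).
OCP_LOGLEVEL_TO_V = {"Normal": 2, "Debug": 4, "Trace": 6, "TraceAll": 8}

# Verbosity at which affected cloud-controller-manager versions log vSphere credentials.
LEAK_THRESHOLD = 4


def ocp_loglevel_verbosity(spec):
    """Return the klog -v value implied by a KubeControllerManager operator spec (dict)."""
    level = spec.get("logLevel") or "Normal"   # empty/missing logLevel means the default "Normal"
    if level not in OCP_LOGLEVEL_TO_V:
        raise ValueError(f"unknown logLevel {level!r}")
    return OCP_LOGLEVEL_TO_V[level]


def verbosity_from_args(args):
    """Extract klog verbosity from a controller-manager argv: --v=N, --v N, -v=N or -v N.
    Returns 0 (klog's default) when no -v flag is present; a later flag overrides an earlier one."""
    verbosity = 0
    i = 0
    while i < len(args):
        m = re.fullmatch(r"--?v(?:=(\d+))?", args[i])
        if m:
            if m.group(1) is not None:
                verbosity = int(m.group(1))
            elif i + 1 < len(args) and args[i + 1].isdigit():
                verbosity = int(args[i + 1])
                i += 1
        i += 1
    return verbosity


def is_affected(k8s_version, verbosity):
    """True when the version is 1.19.0-1.19.2 and verbosity >= 4, the conditions stated in the advisory."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", k8s_version)
    if not m:
        raise ValueError(f"unparseable version {k8s_version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor) == (1, 19) and patch <= 2 and verbosity >= LEAK_THRESHOLD


def find_credential_leaks(log_lines, secrets):
    """Return (line_number, secret_name) for every log line that contains a secret value verbatim.
    Run this over cloud-controller-manager / kube-controller-manager logs with the values from the
    vSphere cloud-provider secret; any hit means the credential must be rotated and the log purged."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        for name, value in secrets.items():
            if value and value in line:
                hits.append((n, name))
    return hits


# Constructed sample input (not a real capture; the real leaked line format is not shown on this page).
SAMPLE_SECRETS = {"username": "ccm-svc@vsphere.example", "password": "Constructed-Passw0rd"}
SAMPLE_LOG = [
    "I1010 12:00:00.000001 1 controllermanager.go:1] Starting cloud-controller-manager, cloud provider vsphere",
    "I1010 12:00:00.000002 1 vsphere.go:1] config: User:ccm-svc@vsphere.example Password:Constructed-Passw0rd",
    "I1010 12:00:00.000003 1 vsphere.go:1] connected to vCenter",
]


if __name__ == "__main__":
    v = verbosity_from_args(["cloud-controller-manager", "--cloud-provider=vsphere", "--v=4"])
    print("verbosity", v, "affected on v1.19.1:", is_affected("v1.19.1", v))
    print("OCP Debug ->", ocp_loglevel_verbosity({"logLevel": "Debug"}))
    print("leaks:", find_credential_leaks(SAMPLE_LOG, SAMPLE_SECRETS))
```

The leak scan is deliberately value-based rather than pattern-based: it does not depend on the exact wording of the leaking log statement, so it also catches the same secret surfacing through any other verbose code path. For an OCP cluster, feed ocp_loglevel_verbosity the spec of the kubecontrollermanager operator object; for upstream Kubernetes, feed verbosity_from_args the container command line of the controller-manager pod or static-pod manifest.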
External References: https://groups.google.com/g/kubernetes-announce/c/ScdmyORnPDk https://github.com/kubernetes/kubernetes/issues/95621
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.6 Via RHSA-2020:5260 https://access.redhat.com/errata/RHSA-2020:5260
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-8563
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.7 Via RHSA-2020:5633 https://access.redhat.com/errata/RHSA-2020:5633