During the installation of OpenShift Container Platform 4 clusters, bootstrap nodes are provisioned with anonymous authentication enabled on kubelet port 10250. A remote attacker able to reach this port during installation can make unauthenticated `/exec` requests to execute arbitrary commands within running containers. Bootstrap nodes are automatically removed when deployed with Installer Provisioned Infrastructure (IPI) and typically exist for less than an hour. Clusters deployed with User Provisioned Infrastructure (UPI) require an administrator to remove or reconfigure bootstrap nodes. Additionally, on AWS, Azure, GCP and OpenStack port 10250 is not remotely accessible on bootstrap nodes, due to security group configuration.
Upstream fix: https://github.com/openshift/installer/pull/4590
Mitigation: This issue is mitigated by default on AWS, Azure, GCP and OpenStack as port 10250 is not remotely accessible on bootstrap nodes. For other IPI platforms, bootstrap nodes only exist during the installation window so the exposure is limited. For UPI installations, administrators should prevent remote access to this port on bootstrap nodes and/or remove the nodes once installation is complete
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.6 Via RHSA-2021:0308 https://access.redhat.com/errata/RHSA-2021:0308
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-20198
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.5 Via RHSA-2021:0313 https://access.redhat.com/errata/RHSA-2021:0313
We have been needing to update the installer tags due to golang module importing issues. This CVE was incorrectly identified when vendoring the installer to v0.90.99. Adding this to the fix version to see if it resolves the issue.