Bug 1920764 (CVE-2021-20198) - CVE-2021-20198 openshift/installer: Bootstrap nodes allow anonymous authentication on kubelet port 10250
Summary: CVE-2021-20198 openshift/installer: Bootstrap nodes allow anonymous authentic...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-20198
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1920243 1920253 1920766 1920767 1922873
Blocks: 1920522 1926375
TreeView+ depends on / blocked
 
Reported: 2021-01-27 01:39 UTC by Sam Fowler
Modified: 2021-04-13 08:38 UTC (History)
22 users (show)

Fixed In Version: github.com/openshift/installer v0.9.0-master.0.20210125200451-95101da940b0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the OpenShift Installer. During installation of OpenShift Container Platform 4 clusters, bootstrap nodes are provisioned with anonymous authentication enabled on kubelet port 10250. A remote attacker able to reach this port during installation can make unauthenticated `/exec` requests to execute arbitrary commands within running containers. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Clone Of:
Environment:
Last Closed: 2021-02-08 14:41:51 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:0308 0 None None None 2021-02-08 13:50:43 UTC
Red Hat Product Errata RHSA-2021:0313 0 None None None 2021-02-09 13:34:11 UTC

Description Sam Fowler 2021-01-27 01:39:31 UTC 
During the installation of OpenShift Container Platform 4 clusters, bootstrap nodes are provisioned with anonymous authentication enabled on kubelet port 10250. A remote attacker able to reach this port during installation can make unauthenticated `/exec` requests to execute arbitrary commands within running containers. 

Bootstrap nodes are automatically removed when deployed with Installer Provisioned Infrastructure (IPI) and typically exist for less than an hour. Clusters deployed with User Provisioned Infrastructure (UPI) require an administrator to remove or reconfigure bootstrap nodes. Additionally, on AWS, Azure, GCP and OpenStack port 10250 is not remotely accessible on bootstrap nodes, due to security group configuration.
Comment 5 Sam Fowler 2021-01-27 04:52:13 UTC 
Upstream fix:

https://github.com/openshift/installer/pull/4590
Comment 7 Sam Fowler 2021-02-04 06:27:25 UTC 
Mitigation:

This issue is mitigated by default on AWS, Azure, GCP and OpenStack as port 10250 is not remotely accessible on bootstrap nodes. For other IPI platforms, bootstrap nodes only exist during the installation window so the exposure is limited. For UPI installations, administrators should prevent remote access to this port on bootstrap nodes and/or remove the nodes once installation is complete
Comment 8 errata-xmlrpc 2021-02-08 13:50:41 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.6

Via RHSA-2021:0308 https://access.redhat.com/errata/RHSA-2021:0308
Comment 9 Product Security DevOps Team 2021-02-08 14:41:51 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-20198
Comment 10 errata-xmlrpc 2021-02-09 13:34:09 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.5

Via RHSA-2021:0313 https://access.redhat.com/errata/RHSA-2021:0313
Note You need to log in before you can comment on or make changes to this bug.