CVE-2022-1677
First published: Mon Apr 18 2022(Updated: )
In OpenShift Container Platform, a user with permissions to create or modify Routes can craft a payload that inserts a malformed entry into one of the cluster router's HAProxy configuration files. This malformed entry can match any arbitrary hostname, or all hostnames in the cluster, and direct traffic to an arbitrary application within the cluster, including one under attacker control.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Redhat Openshift Container Platform | =3.11 | |
| Redhat Openshift Container Platform | =4.6 | |
| Redhat Openshift Container Platform | =4.7 | |
| Redhat Openshift Container Platform | =4.8 | |
| Redhat Openshift Container Platform | =4.9 | |
| Redhat Openshift Container Platform | =4.10 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://access.redhat.com/security/cve/CVE-2022-1677
- https://bugzilla.redhat.com/show_bug.cgi?id=2076211
- https://github.com/openshift/router/pull/381
- https://access.redhat.com/errata/RHSA-2022:2283
- https://access.redhat.com/errata/RHSA-2022:2268
- https://access.redhat.com/errata/RHSA-2022:2272
- https://access.redhat.com/errata/RHSA-2022:2264
- https://access.redhat.com/errata/RHSA-2022:2281
- https://access.redhat.com/security/cve/cve-2022-1677
Frequently Asked Questions
What is CVE-2022-1677?
CVE-2022-1677 is a vulnerability in OpenShift Container Platform that allows a user to craft a payload that inserts a malformed entry into the cluster router's HAProxy configuration files.
What is the severity of CVE-2022-1677?
The severity of CVE-2022-1677 is medium with a severity value of 6.3.
Which versions of OpenShift Container Platform are affected by CVE-2022-1677?
OpenShift Container Platform versions 3.11, 4.6, 4.7, 4.8, 4.9, and 4.10 are affected by CVE-2022-1677.
How can a user exploit CVE-2022-1677?
A user with permissions to create or modify Routes can exploit CVE-2022-1677 by crafting a payload that inserts a malformed entry into the cluster router's HAProxy configuration files.
Is there a fix available for CVE-2022-1677?
Yes, a fix for CVE-2022-1677 is available. Please refer to the following references for more information: [link1], [link2]
- collector/nvd-index
- agent/type
- agent/last-modified-date
- agent/softwarecombine
- agent/first-publish-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2022-1677
- agent/event
- agent/weakness
- agent/remedy
- agent/references
- agent/author
- agent/severity
- agent/tags
- agent/description
- collector/mitre-cve
- source/MITRE
- vendor/redhat
- canonical/redhat openshift container platform
- version/redhat openshift container platform/3.11
- version/redhat openshift container platform/4.6
- version/redhat openshift container platform/4.7
- version/redhat openshift container platform/4.8
- version/redhat openshift container platform/4.9
- version/redhat openshift container platform/4.10