REDHAT-BUG-2262158
First published: Wed Jan 31 2024(Updated: )
The below issue was reported to ProdSec by Simon Pasquier: In OCP, the telemeter-client pod running in the openshift-monitoring has an annotation containing the cluster's pull secret for the cloud.openshift.com and quay.io registries. The cause of the bug is that we use the token string concatenated with the hash [2] instead of writing the token string to the hash object and calling Sum() with a nil slice. The impact is that any user which can read the definition of the telemeter-client pod and/or deployment gets access to the pull secret token. Users with permissions from the cluster-reader clusterrole already have access to the original pull secret because they can read the "pull-secret" Secret in the openshift-config namespace. The issue has been present since OCP 4.12 [3] [4]. [1] <a href="https://issues.redhat.com/browse/OCPBUGS-28650">https://issues.redhat.com/browse/OCPBUGS-28650</a> [2] <a href="https://github.com/openshift/cluster-monitoring-operator/blob/d45a3335c2bbada0948adef9fcba55c4e14fa1d7/pkg/manifests/manifests.go#L3135">https://github.com/openshift/cluster-monitoring-operator/blob/d45a3335c2bbada0948adef9fcba55c4e14fa1d7/pkg/manifests/manifests.go#L3135</a> [3] <a class="bz_bug_link bz_status_CLOSED bz_closed bz_public " title="CLOSED ERRATA - telemeter-client pod does not use the updated pull secret when it is changed" href="show_bug.cgi?id=2114721">https://bugzilla.redhat.com/show_bug.cgi?id=2114721</a> [4] <a href="https://github.com/openshift/cluster-monitoring-operator/pull/1747">https://github.com/openshift/cluster-monitoring-operator/pull/1747</a>
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Red Hat OpenShift Container Platform for IBM LinuxONE | >=4.12 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://issues.redhat.com/browse/OCPBUGS-28650
- https://github.com/openshift/cluster-monitoring-operator/blob/d45a3335c2bbada0948adef9fcba55c4e14fa1d7/pkg/manifests/manifests.go#L3135
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2114721
- https://github.com/openshift/cluster-monitoring-operator/pull/1747
- https://access.redhat.com/errata/RHSA-2024:1887
- https://access.redhat.com/errata/RHSA-2024:2047
- https://access.redhat.com/errata/RHSA-2024:2782
- https://bugzilla.redhat.com/show_bug.cgi?id=2262158
Frequently Asked Questions
What is the severity of REDHAT-BUG-2262158?
The severity of REDHAT-BUG-2262158 is currently classified as a medium risk due to the exposure of sensitive data.
How do I fix REDHAT-BUG-2262158?
To fix REDHAT-BUG-2262158, users should ensure that the telemeter-client pod does not expose the cluster's pull secret as an annotation.
What versions of OpenShift are affected by REDHAT-BUG-2262158?
The vulnerability REDHAT-BUG-2262158 affects Red Hat OpenShift Container Platform version 4.12 and later.
Is there a workaround for REDHAT-BUG-2262158?
As a workaround for REDHAT-BUG-2262158, administrators can manually remove the sensitive annotations from the telemeter-client pod.
Who reported the REDHAT-BUG-2262158 vulnerability?
The vulnerability REDHAT-BUG-2262158 was reported to ProdSec by Simon Pasquier.
- agent/severity
- agent/description
- agent/first-publish-date
- agent/event
- agent/type
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2024-1139
- agent/references
- agent/last-modified-date
- agent/source
- agent/softwarecombine
- agent/tags
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/red hat
- canonical/red hat openshift container platform for ibm linuxone