First published: Tue Mar 25 2025 (Updated: )
The Tempo Operator in OpenShift Distributed Tracing creates a ServiceAccount, ClusterRole, and ClusterRoleBinding when a user deploys a TempoStack or TempoMonolithic instance. Because the ClusterRoleBinding is cluster-scoped, any user with full access to that namespace can retrieve the associated ServiceAccount token and use it to make privileged, cluster-scoped API calls to:

- validate bearer tokens using the TokenReview API;
- check user permissions using the SubjectAccessReview API.
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Red Hat OpenShift Container Platform | | |
The severity of REDHAT-BUG-2354811 is considered significant because a user whose rights are limited to one namespace obtains a credential that can exercise cluster-scoped authentication and authorization APIs (TokenReview and SubjectAccessReview) beyond their own namespace-scoped permissions.
To fix REDHAT-BUG-2354811, restrict who has full access to the namespaces where TempoStack or TempoMonolithic instances are deployed, and review the ServiceAccount, ClusterRole, and ClusterRoleBinding the operator created for each instance to confirm they grant no more than the instance needs. Confirm the fixed operator version with Red Hat.
REDHAT-BUG-2354811 can lead to a namespace-level user obtaining the ServiceAccount token and, with it, calling TokenReview and SubjectAccessReview, APIs an ordinary namespace user should not be able to reach, which exposes identity and authorization information across the OpenShift cluster.
REDHAT-BUG-2354811 affects Red Hat OpenShift Container Platform; affected and fixed versions are not listed on this page and should be confirmed against Red Hat's official advisory.
A possible workaround for REDHAT-BUG-2354811 is to limit namespace permissions, in particular the ability to read Secrets or create ServiceAccount tokens (the two ways a ServiceAccount token is obtained in Kubernetes), and to regularly audit which ClusterRoleBindings grant TokenReview and SubjectAccessReview rights to namespaced ServiceAccounts.
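As an added example (not code from the SecAlerts page, Red Hat, or the Tempo Operator project), the following Python script implements the audit that the workaround above calls for and, in doing so, shows the mechanics of the exposure described in the summary: it reads the cluster's RBAC objects in the shape `kubectl get ... -o json` returns them, finds ClusterRoles allowed to create TokenReview or SubjectAccessReview, follows ClusterRoleBindings to the namespaced ServiceAccounts holding them, and lists the namespace Users/Groups whose RoleBindings let them take those tokens through the TokenRequest API (`serviceaccounts/token` create) or by reading Secrets. All object names, the trimmed `admin` role and the sample cluster are constructed for the example; `sample-tempo-gateway` is a stand-in, not the operator's real ClusterRole name.

```python
"""Added audit example (not from the SecAlerts page or the Tempo Operator project).
Input: a cluster's RBAC objects, shaped like the output of
  kubectl get clusterroles,clusterrolebindings,roles,rolebindings -A -o json
Output: each ServiceAccount that a ClusterRoleBinding lets create TokenReview or
SubjectAccessReview objects, with the namespace Users/Groups able to take its token.
Every object name in SAMPLE below is constructed for this example."""

PRIVILEGED = {  # (apiGroup, resource) of the cluster-scoped APIs the advisory names
    ("authentication.k8s.io", "tokenreviews"),
    ("authorization.k8s.io", "subjectaccessreviews"),
}
TOKEN_ACCESS = {  # (apiGroup, resource, verb) that yields a ServiceAccount token
    ("", "serviceaccounts/token", "create"),  # TokenRequest API (`kubectl create token`)
    ("", "secrets", "get"),                    # legacy long-lived token Secrets
    ("", "secrets", "list"),
}


def rule_matches(rule, group, resource, verb):
    """True if one RBAC rule grants verb on group/resource, honouring '*' wildcards."""
    def allows(field, value):
        values = rule.get(field, [])
        return "*" in values or value in values
    return allows("apiGroups", group) and allows("resources", resource) and allows("verbs", verb)


def privileged_roles(clusterroles):
    """Names of ClusterRoles able to create TokenReview or SubjectAccessReview."""
    return {cr["metadata"]["name"] for cr in clusterroles
            if any(rule_matches(r, g, res, "create")
                   for r in cr.get("rules", []) for g, res in PRIVILEGED)}


def bound_service_accounts(clusterrolebindings, role_names):
    """(namespace, serviceaccount, clusterrole) for SAs bound cluster-wide to role_names."""
    hits = []
    for crb in clusterrolebindings:
        ref = crb["roleRef"]
        if ref["kind"] == "ClusterRole" and ref["name"] in role_names:
            hits.extend((s["namespace"], s["name"], ref["name"])
                        for s in crb.get("subjects", []) if s["kind"] == "ServiceAccount")
    return hits


def token_readers(namespace, roles, clusterroles, rolebindings):
    """Users/Groups whose RoleBindings in namespace let them mint or read SA tokens."""
    rules = {("Role", r["metadata"]["name"]): r.get("rules", [])
             for r in roles if r["metadata"]["namespace"] == namespace}
    rules.update({("ClusterRole", cr["metadata"]["name"]): cr.get("rules", []) for cr in clusterroles})
    readers = set()
    for rb in rolebindings:
        if rb["metadata"]["namespace"] != namespace:
            continue
        granted = rules.get((rb["roleRef"]["kind"], rb["roleRef"]["name"]), [])
        if any(rule_matches(r, g, res, v) for r in granted for g, res, v in TOKEN_ACCESS):
            readers.update(f'{s["kind"]}:{s["name"]}' for s in rb.get("subjects", [])
                           if s["kind"] in ("User", "Group"))
    return readers


def audit(objs):
    """One finding per exposed ServiceAccount, listing who in its namespace can take its token."""
    priv = privileged_roles(objs["clusterroles"])
    return [{"namespace": ns, "serviceaccount": sa, "clusterrole": role,
             "token_readers": sorted(token_readers(ns, objs["roles"], objs["clusterroles"],
                                                   objs["rolebindings"]))}
            for ns, sa, role in bound_service_accounts(objs["clusterrolebindings"], priv)]


# Constructed sample: an operator-created gateway SA in namespace "tracing"; alice holds an
# admin-style ClusterRole there, carol a narrower Role with no Secret or token access.
SAMPLE = {
    "clusterroles": [
        {"metadata": {"name": "sample-tempo-gateway"}, "rules": [
            {"apiGroups": ["authentication.k8s.io"], "resources": ["tokenreviews"], "verbs": ["create"]},
            {"apiGroups": ["authorization.k8s.io"], "resources": ["subjectaccessreviews"], "verbs": ["create"]}]},
        {"metadata": {"name": "admin"}, "rules": [  # abbreviated stand-in for the built-in role
            {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list", "watch", "create", "delete"]},
            {"apiGroups": [""], "resources": ["serviceaccounts/token"], "verbs": ["create"]}]},
    ],
    "clusterrolebindings": [
        {"metadata": {"name": "sample-tempo-gateway"},
         "roleRef": {"kind": "ClusterRole", "name": "sample-tempo-gateway"},
         "subjects": [{"kind": "ServiceAccount", "name": "tempo-simplest-gateway", "namespace": "tracing"}]},
    ],
    "roles": [  # the hardened shape: broad workload access, no secrets, no serviceaccounts/token
        {"metadata": {"name": "workload-dev", "namespace": "tracing"}, "rules": [
            {"apiGroups": ["", "apps"], "resources": ["pods", "deployments", "configmaps"], "verbs": ["*"]}]},
    ],
    "rolebindings": [
        {"metadata": {"name": "admin-alice", "namespace": "tracing"},
         "roleRef": {"kind": "ClusterRole", "name": "admin"}, "subjects": [{"kind": "User", "name": "alice"}]},
        {"metadata": {"name": "dev-carol", "namespace": "tracing"},
         "roleRef": {"kind": "Role", "name": "workload-dev"}, "subjects": [{"kind": "User", "name": "carol"}]},
    ],
}

if __name__ == "__main__":
    import json
    print(json.dumps(audit(SAMPLE), indent=2))
```

To run it against a real cluster, replace `SAMPLE` with the parsed output of `kubectl get clusterroles,clusterrolebindings,roles,rolebindings -A -o json`, splitting the returned `items` by `kind`. A finding with a non-empty `token_readers` list is exactly the situation the advisory describes: a namespace user (alice, via the admin-style role) can take the gateway ServiceAccount's token; carol, bound to a Role that omits Secrets and `serviceaccounts/token`, is not listed, which is the hardened shape the workaround asks for. Grants made cluster-wide through ClusterRoleBindings, aggregated roles, and impersonation rights are outside what this script checks.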