| Title | Unauthenticated Access to Ignition Config in OpenShift Container Platform 4 |
|---|---|
| Product | OpenShift Container Platform 4 |
| Vulnerable Version | N/A |
| Fixed Version | N/A |
| CVE Number | CVE-2021-20238 |
| Impact | Medium |
| External Links | https://access.redhat.com/security/cve/CVE-2021-20238 |
| Credits | Octav Opaschi (Detack GmbH) |
It was determined that OpenShift Container Platform 4 exposes sensitive data through the Ignition config without authentication on bare-metal, OpenStack, oVirt, vSphere and KubeVirt deployments that do not have a separate internal API endpoint and that allow access from outside the cluster to port 22623 on the standard OpenShift API virtual IP address. This is a partial discovery.
Red Hat® OpenShift® Container Platform is a consistent hybrid cloud foundation for building and scaling containerized applications. Benefit from streamlined platform installation and upgrades from one of the enterprise Kubernetes leaders.
Source: https://www.redhat.com/en/technologies/cloud-computing/openshift/container-platform
- If deployed on bare metal, OpenStack, oVirt, vSphere or KubeVirt, check whether the Ignition config is accessible from outside the cluster, e.g. at `https://api.$cluster_name.$base_domain:22623/config/worker`, and prevent access to this endpoint with an external firewall or load balancer.
- To protect the MCS endpoint within clusters, use a supported network plugin with OpenShift, namely OpenShift SDN, OVN-Kubernetes or Kuryr.
- Ensure untrusted workloads are not run with hostNetwork access.
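The following POSIX shell script is an added example, not part of the advisory or of any Red Hat tooling. It turns the first and third workaround items above into repeatable checks: `probe_mcs` requests the worker config URL named above from a host outside the cluster and reports only the HTTP status (the body is discarded, so nothing sensitive is stored), and `hostnetwork_pods` filters the output of `oc get pods -A -o custom-columns=...` down to pods that set `hostNetwork: true`. The cluster name, base domain and the embedded pod listing are constructed sample values; `-k` is passed to curl because the endpoint is not expected to present a publicly trusted certificate and only the status code matters here.

```shell
#!/bin/sh
# Added example (not from the advisory): checks for the two workaround items.
# Cluster name, base domain and SAMPLE_PODS are assumptions / constructed data.

MCS_PORT=22623   # Machine Config Server port named in the advisory

# Build the worker Ignition config URL for a cluster name and base domain.
mcs_url() {
  printf 'https://api.%s.%s:%s/config/worker' "$1" "$2" "$MCS_PORT"
}

# Map an HTTP status code (000 = no TCP connection) to a verdict.
# A 200 from outside the cluster means the config is served unauthenticated.
classify_status() {
  case "$1" in
    000)     echo "not-reachable" ;;
    200)     echo "EXPOSED" ;;
    401|403) echo "reachable-but-denied" ;;
    *)       echo "reachable-status-$1" ;;
  esac
}

# Run the reachability check from a host outside the cluster. Only the status
# code is captured; the response body goes to /dev/null.
probe_mcs() {
  url=$(mcs_url "$1" "$2")
  status=$(curl -sk -o /dev/null -w '%{http_code}' \
           --connect-timeout 5 --max-time 15 "$url" 2>/dev/null)
  [ -n "$status" ] || status=000
  classify_status "$status"
}

# Read (on stdin) the output of:
#   oc get pods -A -o custom-columns=NS:.metadata.namespace,NAME:.metadata.name,HOSTNET:.spec.hostNetwork
# and print "namespace/name" for every pod whose hostNetwork column is "true".
# The first line is the column header and is skipped.
hostnetwork_pods() {
  awk 'NR > 1 && $3 == "true" { print $1 "/" $2 }'
}

# Constructed sample of that oc output (not from a real cluster).
SAMPLE_PODS='NS              NAME                HOSTNET
openshift-sdn   sdn-abc12           true
default         shop-frontend-7f9   <none>
dev-team        debug-shell-1       true
monitoring      prometheus-0        false'

# Number of hostNetwork pods in the sample listing.
count_hostnetwork() {
  printf '%s\n' "$SAMPLE_PODS" | hostnetwork_pods | wc -l | tr -d ' '
}

if [ "${1:-}" = "--run" ]; then
  # Usage: sh check_mcs.sh --run <cluster_name> <base_domain>
  echo "MCS on API VIP: $(probe_mcs "$2" "$3")"
  echo "hostNetwork pods (sample data):"
  printf '%s\n' "$SAMPLE_PODS" | hostnetwork_pods
fi
```

Run it with `--run <cluster_name> <base_domain>` from a machine that is not part of the cluster; a `not-reachable` verdict is the expected state once the firewall or load balancer rule from the first workaround item is in place. To audit a live cluster instead of the sample data, pipe the `oc get pods` command from the comment into `hostnetwork_pods`.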