cve-2021-20238

Title

Unauthenticated Access to Ignition Config in OpenShift Container Platform 4

Product

OpenShift Container Platform 4

Vulnerable Version

N/A

Fixed Version

N/A

CVE Number

CVE-2021-20238

Impact

Medium

External Links

https://access.redhat.com/security/cve/CVE-2021-20238

Credits

Octav Opaschi (Detack GmbH)


Product Description

Red Hat® OpenShift® Container Platform is a consistent hybrid cloud foundation for building and scaling containerized applications. Benefit from streamlined platform installation and upgrades from one of the enterprise Kubernetes leaders.

Source: https://www.redhat.com/en/technologies/cloud-computing/openshift/container-platform

 

Vulnerability Description

It was determined that OpenShift Container Platform 4 exposes sensitive data through the Ignition config without authentication on bare metal, OpenStack, oVirt, vSphere and KubeVirt deployments that do not have a separate internal API endpoint and that allow access from outside the cluster to port 22623 on the standard OpenShift API virtual IP address. This is a partial discovery.

 

Proof of Concept

N/A

 

Solution / Workaround

- If deployed on bare metal, OpenStack, oVirt, vSphere or KubeVirt, check whether the Ignition config is accessible from outside the cluster, e.g. at

  https://api.$cluster_name.$base_domain:22623/config/worker

  and prevent access to this endpoint with an external firewall or load balancer.

- To protect the MCS endpoint within the cluster, use a supported OpenShift network plugin, namely OpenShift SDN, OVN-Kubernetes or Kuryr.

- Ensure untrusted workloads are not run with hostNetwork access.
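One way to run the external check from the first workaround item, as an added example that is not part of the original advisory: it builds the URL given above, fetches it as an outside client would, and reports only whether an Ignition document was served (with counts of files, units and SSH keys), never its contents. The cluster name and base domain are placeholders to fill in, and the Accept header's spec version is an assumption.

```python
"""Audit helper for CVE-2021-20238 (added example, not part of the advisory): does the
Machine Config Server endpoint on port 22623 serve an ignition config to an outsider?"""
import json
import ssl
import urllib.error
import urllib.request

MCS_PORT = 22623  # port named in the advisory
EMPTY = {"verdict": "NOT_EXPOSED", "files": 0, "units": 0, "ssh_keys": 0}

def build_mcs_url(cluster_name: str, base_domain: str, role: str = "worker") -> str:
    """URL exactly as given in the advisory's workaround."""
    return f"https://api.{cluster_name}.{base_domain}:{MCS_PORT}/config/{role}"

def classify_response(status: int, body: bytes) -> dict:
    """Reduce an HTTP reply to a verdict plus counts; never echo the payload itself."""
    result = dict(EMPTY)
    if status != 200:
        return result  # endpoint answered but handed out no config
    try:
        doc = json.loads(body)
    except ValueError:
        doc = None
    if not isinstance(doc, dict) or "ignition" not in doc:
        result["verdict"] = "UNKNOWN"  # 200 but not an ignition document: inspect by hand
        return result
    result["verdict"] = "EXPOSED"  # an ignition document was served without authentication
    result["files"] = len(doc.get("storage", {}).get("files", []))
    result["units"] = len(doc.get("systemd", {}).get("units", []))
    users = doc.get("passwd", {}).get("users", [])
    result["ssh_keys"] = sum(len(u.get("sshAuthorizedKeys", [])) for u in users)
    return result

def probe(url: str, timeout: float = 5.0) -> dict:
    """Fetch as an external client would. TLS verification is off on purpose: the MCS cert
    chains to the cluster CA, which an outside host does not trust; this checks reachability."""
    ctx = ssl.create_default_context()
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    # Accept header in the form an Ignition client sends (spec version is an assumption).
    hdrs = {"Accept": "application/vnd.coreos.ignition+json;version=3.1.0"}
    try:
        with urllib.request.urlopen(urllib.request.Request(url, headers=hdrs), timeout=timeout, context=ctx) as resp:
            return classify_response(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return classify_response(err.code, b"")
    except OSError:  # DNS failure, connection refused, timeout
        return dict(EMPTY, verdict="UNREACHABLE")

if __name__ == "__main__":
    print(probe(build_mcs_url("CLUSTER_NAME", "BASE_DOMAIN")))  # placeholders: substitute your own
```

A verdict of EXPOSED from a host outside the cluster is the condition the advisory describes; the fix is at the firewall or load balancer in front of the API VIP, not in the script.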