漏洞标题
N/A
漏洞描述信息
在OpenShift容器平台4中发现, Machine Config Server 提供的启动配置(ignition config)可以从集群外部访问,无需身份验证。MCS端点(port 22623)提供了用于启动节点的启动配置,并可能包括一些敏感数据,如注册表拉取密钥。有两种可以访问此数据的场景。第一种是使用Baremetal、 OpenStack、 Ovirt、 Vsphere 和 KubeVirt 部署,这些部署没有单独的内部 API 端点,并从标准 OpenShift API 虚拟 IP 地址外部访问 port 22623。第二种是使用不支持的网络插件的云计算部署,这些插件不会创建 iptables 规则,阻止访问 port 22623。在这种场景中,启动配置将暴露于集群中的所有节点,无法从外部访问。
CVSS信息
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
漏洞类别
N/A
漏洞标题
N/A
漏洞描述信息
It was found in OpenShift Container Platform 4 that ignition config, served by the Machine Config Server, can be accessed externally from clusters without authentication. The MCS endpoint (port 22623) provides ignition configuration used for bootstrapping Nodes and can include some sensitive data, e.g. registry pull secrets. There are two scenarios where this data can be accessed. The first is on Baremetal, OpenStack, Ovirt, Vsphere and KubeVirt deployments which do not have a separate internal API endpoint and allow access from outside the cluster to port 22623 from the standard OpenShift API Virtual IP address. The second is on cloud deployments when using unsupported network plugins, which do not create iptables rules that prevent to port 22623. In this scenario, the ignition config is exposed to all pods within the cluster and cannot be accessed externally.
CVSS信息
N/A
漏洞类别
认证机制不恰当
漏洞标题
Red Hat OpenShift Container Platform 访问控制错误漏洞
漏洞描述信息
Red Hat OpenShift Container Platform是美国红帽(Red Hat)公司的一套可帮助企业在物理、虚拟和公共云基础架构之间开发、部署和管理现有基于容器的应用程序的应用平台。 OpenShift Container Platform 4 存在访问控制错误漏洞,该漏洞源于 Machine Config Server 提供的 ignition config 无需身份验证即可从集群外部访问。
CVSS信息
N/A
漏洞类别
授权问题