CVE-2017-7517 An input validation vulnerability exists in Openshift Enterprise due to a 1:1 mapping of tenants in Hawkular Metrics and projects/namespaces in OpenShift.

This vulnerability has the potential to be exploited in a number of ways. For example, a malicious user could store credentials in the "MyProject" project that they own, or they could create a "MyProject" instance with the same name as a project they have access to and then access that project’s metrics.
In order to exploit this vulnerability, a user must have a valid project in Hawkular Metrics that they control. The OpenShift API v3 is not secure by default. This means that if a user tries to create a new OpenShift API v3 application that doesn’t have any valid API keys, they will be rejected. This means that any user with a valid Hawkular Metrics project can create a new instance of OpenShift API v3 and then use that API v3 application to access Hawkular Metrics metrics.

Summary

This vulnerability can be exploited in a number of ways. For example, a malicious user could create an OpenShift API v3 application that doesn't have any valid API keys and then access Hawkular Metrics metrics by using this new application.
OpenShift API v3 is not secure by default, so any user with a valid Hawkular Metrics project can create a new instance of OpenShift API v3 and use it to access Hawkular Metrics metrics.

Overview of the OpenShift API v3

OpenShift is a platform for enterprise applications on Kubernetes. The OpenShift API v3 is the interface between the user and the OpenShift platform. This means that it is possible to create custom application programming interfaces (APIs).
The OpenShift API v3 has three main methods:
1. Create a new application: public/private-image-api, public/private-load-balancer-api, public/private-pod-api, public/private-route53-restful-api, public/private-servicecatalog-apis, and public/private-serviceservicecatalog
2. Update an existing application: update an application with one or more name changes (e.g., change the name of "myapp" to "mysecondapp")
3. Delete an application: delete an application with one or more name changes

Description of the OpenShift API v3 and how it can be exploited

The OpenShift API v3 is a REST-based API that provides a way for apps to access and manipulate different parts of the OpenShift platform. A developer must have an account with a valid project in Hawkular Metrics before they can create an instance of the OpenShift API v3. The new project must also have valid API keys, which are required for any application that uses the OpenShift API v3. If a user creates a new OpenShift API v3 application without any valid keys, then it will be rejected by the platform. This means that any user with a valid Hawkular Metrics project can create an instance of the OpenShift API and use that instance to access Hawkular Metrics metrics.
While this vulnerability presents serious concerns, it is relatively easy to prevent. This type of exploit can be prevented by maintaining an updated list of all active projects in Hawkular Metrics. In addition, users must ensure they don't create duplicate projects in Hawkular Metrics and that their project has at least one valid key when they create their new application in OpenShift. While these methods would prevent most cases of this vulnerability, it is difficult to completely safeguard against malicious users trying to exploit this vulnerability using more complex methods like brute force or social engineering

Timeline

Published on: 10/17/2022 16:15:00 UTC
Last modified on: 10/19/2022 15:01:00 UTC

References

• https://access.redhat.com/security/cve/CVE-2017-7517
• https://bugzilla.redhat.com/show_bug.cgi?id=1470414
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7517