It does not affect OpenShift Enterprise or the standalone OpenShift Enterprise command line interface (CLI) application. The fix for this issue will be included in Open source release 5.6 and Open enterprise release 5.6, and in releases 4.8, 4.7 and 4.6, to be released in the coming weeks. In the meantime, you can remove the JndiLookup.class file from your OpenShift Metering container image, as follows:
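
As an added example (not the advisory's own procedure), the script below implements the JndiLookup.class removal described above on a directory of jars, such as an extracted image layer, using only the Python standard library; the jar names and the temporary directory in `run_demo` are constructed for the demonstration.

```python
import os
import shutil
import tempfile
import zipfile

# Added example, not the advisory's code: the JndiLookup.class removal it describes.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

def jar_entries(jar_path):
    """Return the set of entry names in a jar (a jar is just a zip file)."""
    with zipfile.ZipFile(jar_path) as zf:
        return set(zf.namelist())

def strip_jndi_lookup(jar_path):
    """Rewrite the jar without JndiLookup.class; return True if it was present.
    Same effect as `zip -q -d <jar> <class>`; the jar is rebuilt in a temp file and
    moved over the original, so an interrupted run never leaves a half-written jar."""
    if JNDI_LOOKUP not in jar_entries(jar_path):
        return False
    fd, tmp_path = tempfile.mkstemp(suffix=".jar", dir=os.path.dirname(jar_path) or ".")
    os.close(fd)
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp_path, "w") as dst:
        for info in src.infolist():
            if info.filename != JNDI_LOOKUP:
                dst.writestr(info, src.read(info.filename))  # keeps entry metadata
    shutil.move(tmp_path, jar_path)
    return True

def scan_and_strip(root):
    """Walk `root`, strip the class from every jar carrying it, return those paths."""
    jars = [os.path.join(d, f) for d, _, files in os.walk(root) for f in files if f.endswith(".jar")]
    return sorted(p for p in jars if strip_jndi_lookup(p))

def build_sample_jar(path, vulnerable):
    """Constructed stand-in for a log4j-core jar so the example runs offline."""
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if vulnerable:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")

def run_demo():
    """Build two constructed jars in a temp dir, remediate them, report the result."""
    root = tempfile.mkdtemp()
    vuln = os.path.join(root, "log4j-core-2.x.jar")  # constructed file name
    build_sample_jar(vuln, vulnerable=True)
    build_sample_jar(os.path.join(root, "other.jar"), vulnerable=False)
    fixed = [os.path.basename(p) for p in scan_and_strip(root)]
    return fixed, jar_entries(vuln), strip_jndi_lookup(vuln)
```

Run `scan_and_strip` again after the change to confirm it returns an empty list, which is the check that no jar under the root still carries the class.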

In addition to this, the fix for CVE-2021-44228 in OpenShift Enterprise does not affect the OpenShift Enterprise command line interface (CLI) application, as the flaw only exists in the OpenShift Metering hive container image.

Risk of data leakage through OpenShift Metering endpoints

What is OpenShift Metering?

OpenShift Metering is the component of OpenShift used to monitor and collect data from your applications. It includes a number of components, including web services that provide REST interfaces for monitoring and controlling your application, and a graphical user interface (GUI).
OpenShift Meters report data back to OpenShift Standard Metering, so if you are looking to lower your costs without losing any data or functionality, use this release as an opportunity to upgrade the Standard Metering component.

OpenShift Metering Flaw and its Risk to an Organization

An OpenShift Metering flaw could lead to data being leaked through its endpoints if a user connects without an encrypted connection. An attacker could then steal access tokens from the system and gain unauthorized access to resources.
The OpenShift Metering image was not designed with security in mind, so it was not possible to provide a secure interface to the endpoint, and any app deployed on the Metering server could have been exposed. This issue has been addressed by changing the JNDI endpoint in the OpenShift Metering image, so apps using that endpoint should be secured as needed.
OpenShift 5.6 will be released soon with this fix included. We recommend that you do not run applications on this image until it has been released.

Timeline

Published on: 08/24/2022 16:15:00 UTC
Last modified on: 08/29/2022 14:26:00 UTC
