Mark Cooper

Name of the Vulnerable Software and Affected Versions: Kiali versions prior to 1.31.0 Description: An authentication bypass issue was found when the authentication strategy `OpenID` is used. The problem arises when Kiali assumes some token validation is handled by the underlying cluster with RBAC enabled, but this validation does not occur when OpenID `implicit flow` is used with RBAC turned off. This allows a malicious user to bypass authentication. Recommendations: For versions prior to 1.31.0, update to version 1.31.0 or later to resolve the issue. As a temporary workaround, consider disabling the `OpenID` authentication strategy or enabling RBAC to prevent exploitation. Restrict access to the `implicit flow` when using the `OpenID` authentication strategy to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** operator-framework/operator-metering (affected versions not specified) **Description** A flaw was discovered in the container operator-framework/operator-metering, which is shipped in Red Hat Openshift 4. This issue allows an attacker with access to the container to modify the /etc/passwd file, potentially leading to privilege escalation. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Istio pilot versions prior to 1.5.0-alpha.0 **Description** A NULL pointer dereference was found in the `getResourceVersion` function in `pkg/proxy/envoy/v2/debug.go`. If a particular HTTP GET request is made to the pilot API endpoint, it is possible to cause the Go runtime to panic, resulting in a denial of service to the istio-pilot application. **Recommendations** For versions prior to 1.5.0-alpha.0, update to version 1.5.0-alpha.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the pilot API endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** openshift-service-mesh/istio-rhel8-operator versions through 1.1.3 **Description** The issue is related to an incorrect access control flaw in the operator, allowing an attacker with basic access to the cluster to deploy a custom gateway or pod to any namespace. This could potentially grant access to privileged service account tokens, posing a threat to data confidentiality, integrity, and system availability. The flaw is associated with the misuse of privileged APIs, which can be exploited by a remote attacker to elevate privileges and gain unauthorized access to protected information. **Recommendations** For versions through 1.1.3, consider restricting access to the `openshift-service-mesh/istio-rhel8-operator` to minimize the risk of exploitation, and avoid deploying custom gateways or pods to unauthorized namespaces until a fix is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** openshift/apb-base versions prior to 4.3.5 openshift/apb-base versions prior to 4.2.21 openshift/apb-base versions prior to 4.1.37 openshift/apb-base versions prior to 3.11.188-4 **Description** An insecure modification vulnerability in the /etc/passwd file was found in the container openshift/apb-base. An attacker with access to the container could use this flaw to modify /etc/passwd and escalate their privileges. **Recommendations** For versions prior to 4.3.5, update to version 4.3.5 or later. For versions prior to 4.2.21, update to version 4.2.21 or later. For versions prior to 4.1.37, update to version 4.1.37 or later. For versions prior to 3.11.188-4, update to version 3.11.188-4 or later.

**Name of the Vulnerable Software and Affected Versions** openshift/mediawiki versions prior to 4.3.0 **Description** A vulnerability was found in the openshift/mediawiki, where an insecure modification vulnerability in the /etc/passwd file allows an attacker with access to the container to modify /etc/passwd and escalate their privileges. The attacker can use this flaw to gain elevated access. **Recommendations** For versions prior to 4.3.0, update to version 4.3.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the /etc/passwd file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** openshift/mediawiki-apb versions prior to 4.3.0 **Description** A vulnerability was found in the container openshift/mediawiki-apb, where an insecure modification vulnerability in the /etc/passwd file allows an attacker with access to the container to modify /etc/passwd and escalate their privileges. **Recommendations** For versions prior to 4.3.0, update to version 4.3.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the /etc/passwd file in the container until a patch is available.

**Name of the Vulnerable Software and Affected Versions** openshift/ocp-release-operator-sdk (affected versions not specified) openshift/ansible-operator-container as shipped in Openshift 4 (affected versions not specified) **Description** An insecure modification vulnerability in the /etc/passwd file was found. An attacker with access to the container could use this flaw to modify /etc/passwd and escalate their privileges. **Recommendations** For openshift/ocp-release-operator-sdk, at the moment, there is no information about a newer version that contains a fix for this vulnerability. For openshift/ansible-operator-container as shipped in Openshift 4, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** openshift-enterprise versions 3.11 openshift-enterprise versions 4.1 through 4.3 **Description** A security issue has been discovered where multiple containers in the affected versions modify the permissions of /etc/passwd, allowing users other than root to modify it. An attacker with access to the running container can exploit this to add a user and escalate their privileges. **Recommendations** For openshift-enterprise version 3.11, update to a version that includes the fix for this issue. For openshift-enterprise versions 4.1 through 4.3, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting access to the containers to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Istio versions 1.2.10 and prior Istio versions 1.3 through 1.3.7 Istio versions 1.4 through 1.4.3 **Description** The issue is related to authentication bypass in Istio, where the Authentication Policy exact-path matching logic can be exploited to allow unauthorized access to HTTP paths. This can occur even if the paths are configured to require a valid JWT token for access. An attacker can manipulate the URI by adding characters such as ? or # to bypass the exact-path match. The vulnerability may allow a remote attacker to impact the confidentiality, integrity, and availability of protected information. **Recommendations** For Istio versions 1.2.10 and prior, update to a version that is not end-of-life to mitigate the risk. For Istio versions 1.3 through 1.3.7, update to a version later than 1.3.7. For Istio versions 1.4 through 1.4.3, update to a version later than 1.4.3. As a temporary workaround, consider restricting access to sensitive HTTP paths until a patch is available.