Thibault Guittet

**Name of the Vulnerable Software and Affected Versions** BlueChi (affected versions not specified) **Description** A flaw exists in BlueChi, a multi-node systemd service controller used in RHIVOS. A user possessing root privileges on a managed node (qm) can create or override systemd service unit files impacting the host node. This can result in privilege escalation, unauthorized service execution, and potential system compromise. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Yggdrasil (affected versions not specified) Description: A flaw was found in Yggdrasil, which acts as a system broker, allowing processes to communicate with other children's "worker" processes through the DBus component. Yggdrasil creates a DBus method to dispatch messages to workers, but it misses authentication and authorization checks, allowing every system user to call it. One available Yggdrasil worker acts as a package manager with capabilities to create and enable new repositories and install or remove packages. This flaw allows an attacker with access to the system to leverage the lack of authentication on the dispatch message to force the Yggdrasil worker to install arbitrary RPM packages, resulting in local privilege escalation, enabling the attacker to access and modify sensitive system data. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** OpenShift Dedicated (affected versions not specified) **Description** A flaw was found in the Hive hibernation controller component. The ClusterDeployment.hive.openshift.io/v1 resource can be created with the spec.installed field set to true and a positive timespan for the spec.hibernateAfter value. If a ClusterSync.hiveinternal.openshift.io/v1alpha1 resource is also created, the hive hibernation controller will enter the reconciliation loop, leading to a denial of service when accessing a non-existing field in the ClusterDeployment’s status section. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** OpenShift Dedicated (affected versions not specified) **Description** A flaw was found in the Hive ClusterDeployments resource in OpenShift Dedicated. In certain conditions, this issue may allow a developer account on a Hive-enabled cluster to obtain cluster-admin privileges by executing arbitrary commands on the `hive/hive-controllers` pod. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: OpenShift versions 4 JBoss Fuse version 7 Description: A flaw was found in the build process, where the docker-build container is configured with a hostPath volume mount that maps the node's /var/lib/kubelet/config.json file into the build pod. This file contains sensitive credentials necessary for pulling images from private repositories. The mount is not read-only, which allows an attacker to overwrite it. By modifying the config.json file, the attacker can cause a denial of service by preventing the node from pulling new images and potentially exfiltrating sensitive secrets. This issue impacts the availability of services dependent on image pulls and exposes sensitive information to unauthorized parties. Recommendations: For OpenShift version 4, consider disabling the hostPath volume mount until a patch is available to prevent the overwrite of the config.json file. For JBoss Fuse version 7, restrict access to the config.json file to minimize the risk of exploitation. As a temporary workaround, avoid using the `config.json` file in the affected build pod until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** OpenShift Dedicated versions prior to v0.0.0-20240604173837-d1557bc283dd **Description** A flaw was found in the MustGather.managed.openshift.io Custom Defined Resource (CRD) of OpenShift Dedicated. This issue allows a non-privileged user on the cluster to create a MustGather object with a specially crafted file and set the most privileged service account to run the job, potentially escalating their privileges to a cluster administrator and pivoting to the AWS environment. **Recommendations** For OpenShift Dedicated versions prior to v0.0.0-20240604173837-d1557bc283dd, update to version v0.0.0-20240604173837-d1557bc283dd or later to resolve the issue. As a temporary workaround, consider restricting access to the MustGather CRD to prevent non-privileged users from creating specially crafted files.

Name of the Vulnerable Software and Affected Versions: ilab model serve component (affected versions not specified) Description: A vulnerability was found in the ilab model serve component, where improper handling of the `best of` parameter in the vllm JSON web API can lead to a Denial of Service (DoS). The API used for LLM-based sentence or chat completion accepts a `best of` parameter to return the best completion from several options. When this parameter is set to a large value, the API does not handle timeouts or resource exhaustion properly, allowing an attacker to cause a DoS by consuming excessive system resources. This leads to the API becoming unresponsive, preventing legitimate users from accessing the service. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** OpenShift Container Platform (affected versions not specified) **Description** The issue is related to the misuse of elevated privileges in the OpenShift Container Platform's build process. During the build initialization step, the git-clone container is run with a privileged security context, allowing unrestricted access to the node. An attacker with developer-level access can provide a crafted `.gitconfig` file containing commands executed during the cloning process, leading to arbitrary command execution on the worker node. An attacker running code in a privileged container could escalate their permissions on the node running the container. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Fence Agents Remediation operator (affected versions not specified) **Description** A flaw was found in the Fence Agents Remediation operator, allowing a Remote Code Execution (RCE) primitive by supplying an arbitrary command to execute in the `--ssh-path`/`--telnet-path` arguments. This can lead to a privilege escalation, first as the service account running the operator, then to another service account with cluster-admin privileges. A low-privilege user, such as a user with developer access, can create a specially crafted FenceAgentsRemediation for a fence agent supporting `--ssh-path`/`--telnet-path` arguments to execute arbitrary commands on the operator's pod. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** OpenShift console (affected versions not specified) **Description** A flaw was found in the OpenShift console, where several endpoints use the `authHandler()` and `authHandlerWithUser()` middleware functions. When the default authentication provider is set to "openShiftAuth", these functions do not perform authentication checks, relying on the targeted service for authentication and authorization. This leads to data exposure due to a lack of proper credential verification. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Openshift console (affected versions not specified) **Description** A flaw was found in the Openshift console, specifically in the `/API/helm/verify` endpoint, which is responsible for fetching and verifying the installation of a Helm chart from a remote HTTP/HTTPS or local URI. The `authHandlerWithUser()` middleware function is supposed to gate access to this endpoint, but it does not verify the validity of the user's credentials, allowing unauthenticated users to access the endpoint. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** PackageKitd (affected versions not specified) **Description** A use-after-free flaw was found in PackageKitd. In some conditions, the order of cleanup mechanics for a transaction could be impacted, resulting in memory access on previously freed memory regions. Once freed, a memory region can be reused for other allocations, and any previously stored data in this memory region is considered lost. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** subscription-manager (affected versions not specified) **Description** A flaw in the authorization procedure of the D-Bus interface com.redhat.RHSM1 allows local privilege escalation. The interface exposes several methods to all users, which can change the state of the registration. By using the `com.redhat.RHSM1.Config.SetAll()` method, a low-privileged local user can tamper with the registration state, potentially unregistering the system or changing current entitlements. This issue can be exploited to set arbitrary configuration directives for /etc/rhsm/rhsm.conf, leading to local privilege escalation to an unconfined root. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Red Hat Single Sign-On for OpenShift container images (affected versions not specified) **Description** A flaw was found in Red Hat Single Sign-On for OpenShift container images, which are configured with an unsecured management interface enabled. This flaw allows an attacker to use this interface to deploy malicious code and access and modify potentially sensitive information in the app server configuration. The issue is related to the default access control settings of the Keycloak identity and access management tool, which can be exploited by a remote attacker to execute arbitrary code. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.