Tuminoid

**Name of the Vulnerable Software and Affected Versions** baremetal-operator versions prior to 0.8.0 baremetal-operator versions prior to 0.6.2 baremetal-operator versions prior to 0.5.2 **Description** The Bare Metal Operator (BMO) implements a Kubernetes API for managing bare metal hosts in Metal3. The `BareMetalHost` (BMH) CRD allows the `userData`, `metaData`, and `networkData` for the provisioned host to be specified as links to Kubernetes Secrets. A user with access to create or edit a `BareMetalHost` can exfiltrate a `Secret` from another namespace by using it as e.g. the `userData` for provisioning some host. BMO will only read a key with the name `value` (or `userData`, `metaData`, or `networkData`), so that limits the exposure somewhat. Secrets used by other `BareMetalHost`s in different namespaces are always vulnerable. This vulnerability is only meaningful if the cluster has users other than administrators and users' privileges are limited to their respective namespaces. **Recommendations** For versions prior to 0.8.0, upgrade to version 0.8.0 or later. For versions prior to 0.6.2, upgrade to version 0.6.2 or later. For versions prior to 0.5.2, upgrade to version 0.5.2 or later. Prior to upgrading, duplicate the BMC Secrets to the namespace where the corresponding BMH is. After upgrade, remove the old Secrets. As a temporary workaround, configure BMO RBAC to be namespace scoped for Secrets, instead of cluster scoped, to prevent BMO from accessing Secrets from other namespaces.

**Name of the Vulnerable Software and Affected Versions** Dex version 2.37.0 **Description** Dex is an identity service that uses OpenID Connect to drive authentication for other apps. The issue arises from Dex serving HTTPS with insecure TLS 1.0 and TLS 1.1. The `tlsConfig` is ignored after the introduction of the "TLS cert reloader" in version 2.37.0, causing configured cipher suites to not be respected. This allows TLS 1.0 and TLS 1.1 connections to be decrypted by an attacker, potentially exposing traffic to Dex. The issue is fixed in Dex version 2.38.0. **Recommendations** For Dex version 2.37.0, update to version 2.38.0 to resolve the issue. As a temporary workaround, consider disabling the use of TLS 1.0 and TLS 1.1 until a patch is available. Restrict access to the vulnerable `cmd/dex/serve.go` module to minimize the risk of exploitation. Avoid using insecure cipher suites in the affected API endpoints until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Baremetal Operator versions prior to 0.3.0 **Description** The issue arises from the storage of `.htpasswd` files as ConfigMaps instead of Secrets by ironic and ironic-inspector deployed within Baremetal Operator using the included `deploy.sh`. This causes the plain-text username and hashed password to be readable by anyone having a cluster-wide read-access to the management cluster, or access to the management cluster's Etcd storage. **Recommendations** For versions prior to 0.3.0, update to version 0.3.0 or later to resolve the issue. As a temporary workaround, users may modify the kustomizations and redeploy the BMO, or recreate the required ConfigMaps as Secrets per instructions in baremetal-operator PR#1241.