CVE-2018-1085

Name of the Vulnerable Software and Affected Versions openshift-ansible versions prior to 3.9.23 openshift-ansible versions prior to 3.7.46

Description The issue is related to a misconfigured etcd file deployed by openshift-ansible, which causes SSL client certificate authentication to be disabled. This is due to quotations around the values of ETCD CLIENT CERT AUTH and ETCD PEER CLIENT CERT AUTH in etcd.conf, resulting in etcd being configured to allow remote users to connect without authentication if they can access the etcd server on the master nodes. An attacker could exploit this to read and modify data about the Openshift cluster in the etcd datastore, potentially adding another compute node or bringing down the entire cluster.

Recommendations For versions prior to 3.9.23, update to version 3.9.23 or later to resolve the issue. For versions prior to 3.7.46, update to version 3.7.46 or later to resolve the issue. As a temporary workaround, consider restricting access to the etcd server on the master nodes to minimize the risk of exploitation.