CVE-2024-43803

Name of the Vulnerable Software and Affected Versions baremetal-operator versions prior to 0.8.0 baremetal-operator versions prior to 0.6.2 baremetal-operator versions prior to 0.5.2

Description The Bare Metal Operator (BMO) implements a Kubernetes API for managing bare metal hosts in Metal3. The BareMetalHost (BMH) CRD allows the userData, metaData, and networkData for the provisioned host to be specified as links to Kubernetes Secrets. A user with access to create or edit a BareMetalHost can exfiltrate a Secret from another namespace by using it as e.g. the userData for provisioning some host. BMO will only read a key with the name value (or userData, metaData, or networkData), so that limits the exposure somewhat. Secrets used by other BareMetalHosts in different namespaces are always vulnerable. This vulnerability is only meaningful if the cluster has users other than administrators and users' privileges are limited to their respective namespaces.

Recommendations For versions prior to 0.8.0, upgrade to version 0.8.0 or later. For versions prior to 0.6.2, upgrade to version 0.6.2 or later. For versions prior to 0.5.2, upgrade to version 0.5.2 or later. Prior to upgrading, duplicate the BMC Secrets to the namespace where the corresponding BMH is. After upgrade, remove the old Secrets. As a temporary workaround, configure BMO RBAC to be namespace scoped for Secrets, instead of cluster scoped, to prevent BMO from accessing Secrets from other namespaces.