PT-2024-31663 · Red Hat · Openshift+1

Thibault Guittet · Published 2024-12-31 · Updated 2025-10-21 · CVE-2024-45497

CVSS v3.1: 7.6 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H
Name of the Vulnerable Software and Affected Versions: OpenShift version 4; JBoss Fuse version 7
Description: A flaw was found in the build process, where the docker-build container is configured with a hostPath volume mount that maps the node's /var/lib/kubelet/config.json file into the build pod. This file contains sensitive credentials necessary for pulling images from private repositories. The mount is not read-only, which allows an attacker to overwrite it. By modifying the config.json file, the attacker can cause a denial of service by preventing the node from pulling new images and potentially exfiltrating sensitive secrets. This issue impacts the availability of services dependent on image pulls and exposes sensitive information to unauthorized parties.
Recommendations: For OpenShift version 4, consider disabling the hostPath volume mount until a patch is available to prevent the overwrite of the config.json file. For JBoss Fuse version 7, restrict access to the config.json file to minimize the risk of exploitation. As a temporary workaround, avoid using the config.json file in the affected build pod until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
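The writable hostPath mount the description and recommendations refer to, as an added check that is not part of the advisory or of Red Hat's code: it lints a parsed pod spec for hostPath volumes of the node's kubelet config.json that a container mounts without readOnly: true, which is the condition that lets the file be overwritten. The pod specs and mount paths in it are constructed samples, not the real OpenShift build pod layout.

```python
# Added example (not Red Hat's or OpenShift's code): lint a parsed pod spec,
# the dict yaml.safe_load returns, for writable hostPath mounts of the node's
# kubelet pull-secret file. The pod specs below are constructed samples and
# their mount paths are assumptions, not the real build pod layout.
SENSITIVE_HOST_PATHS = {"/var/lib/kubelet/config.json"}


def find_writable_sensitive_mounts(pod_spec):
    """Return (container, volume, host_path, mount_path) for each mount of a
    sensitive hostPath volume that is not declared readOnly."""
    host_paths = {vol["name"]: vol["hostPath"]["path"]
                  for vol in pod_spec.get("volumes", []) if "hostPath" in vol}
    findings = []
    for ctr in pod_spec.get("initContainers", []) + pod_spec.get("containers", []):
        for mount in ctr.get("volumeMounts", []):
            host_path = host_paths.get(mount["name"])
            if host_path not in SENSITIVE_HOST_PATHS:
                continue
            # The Kubernetes API defaults readOnly to false when the field is
            # omitted, so a missing key is the writable (vulnerable) case.
            if not mount.get("readOnly", False):
                findings.append((ctr["name"], mount["name"], host_path,
                                 mount["mountPath"]))
    return findings


KUBELET_CFG = "/var/lib/kubelet/config.json"

# Constructed sample: the weak layout the advisory describes, mount writable.
WEAK_BUILD_POD = {
    "containers": [{"name": "docker-build", "volumeMounts": [
        {"name": "node-pullsecrets", "mountPath": KUBELET_CFG}]}],
    "volumes": [{"name": "node-pullsecrets", "hostPath": {"path": KUBELET_CFG}}],
}

# Constructed sample: the same mount declared readOnly; a second hostPath
# that is not a credential file stays writable and is correctly not flagged.
HARDENED_BUILD_POD = {
    "containers": [{"name": "docker-build", "volumeMounts": [
        {"name": "node-pullsecrets", "mountPath": KUBELET_CFG, "readOnly": True},
        {"name": "build-cache", "mountPath": "/var/lib/build-cache"}]}],
    "volumes": [
        {"name": "node-pullsecrets", "hostPath": {"path": KUBELET_CFG}},
        {"name": "build-cache", "hostPath": {"path": "/var/lib/build-cache"}},
    ],
}

if __name__ == "__main__":
    for finding in find_writable_sensitive_mounts(WEAK_BUILD_POD):
        print("writable sensitive hostPath mount:", finding)
```

Running the check against the weak spec reports the docker-build container's writable mount; the hardened spec yields no findings because the credential mount is readOnly and the other hostPath is not a sensitive file.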

Weakness Enumeration: DoS; Incorrect Permission

Related Identifiers: CVE-2024-45497

Affected Products: JBoss Fuse; OpenShift