Security
Headlines
HeadlinesLatestCVEs

Tag

#kubernetes

Confidential cluster: Running Red Hat OpenShift clusters on confidential nodes

This is the first of a series of articles in which we will share how confidential computing (a set of hardware and software technologies designed to protect data in use) can be integrated into the Red Hat OpenShift cluster. Our goal is to enhance data security, so all data processed by workloads running on OpenShift can remain confidential at every stage.In this article, we will focus on the public cloud and examine how confidential computing with OpenShift can effectively address the trust issues associated with cloud environments. Confidential computing removes some of the barriers that high

Red Hat Blog
#ios#mac#red_hat#git#kubernetes#intel#amd#auth#ssl
Red Hat Security Advisory 2024-10517-03

Red Hat Security Advisory 2024-10517-03 - Red Hat OpenShift Container Platform release 4.17.7 is now available with updates to packages and images that fix several bugs.

GHSA-h36c-m3rf-34h9: Access to Archived Argo Workflows with Fake Token in `client` mode

### Summary When using `--auth-mode=client`, Archived Workflows can be retrieved with a fake or spoofed token via the GET Workflow endpoint: `/api/v1/workflows/{namespace}/{name}` When using `--auth-mode=sso`, all Archived Workflows can be retrieved with a valid token via the GET Workflow endpoint: `/api/v1/workflows/{namespace}/{name}` ### Details No authentication is performed by the Server itself on `client` tokens[^1]. Authentication & authorization is instead delegated to the k8s API server. However, the [Workflow Archive](https://github.com/argoproj/argo-workflows/blob/52cca7e079a4f6d76db303ac550b1876e51b3865/server/workflowarchive/archived_workflow_server.go) does not interact with k8s, and so any token that [_looks_](https://github.com/argoproj/argo-workflows/blob/52cca7e079a4f6d76db303ac550b1876e51b3865/server/auth/mode.go#L37) [valid](https://github.com/argoproj/argo-workflows/blob/52cca7e079a4f6d76db303ac550b1876e51b3865/server/auth/gatekeeper.go#L185) will be considere...

GHSA-27wf-5967-98gx: Kubernetes kubelet arbitrary command execution

The Kubernetes kubelet component allows arbitrary command execution via specially crafted gitRepo volumes.This issue affects kubelet: through 1.28.11, from 1.29.0 through 1.29.6, from 1.30.0 through 1.30.2.

GHSA-r4pg-vg54-wxx4: cert-manager ha a potential slowdown / DoS when parsing specially crafted PEM inputs

### Impact cert-manager packages which call the standard library `pem.Decode()` function can take a long time to process specially crafted invalid PEM data. If an attacker is able to modify PEM data which cert-manager reads (e.g. in a Secret resource), they may be able to use large amounts of CPU in the cert-manager controller pod to effectively create a denial-of-service (DoS) vector for cert-manager in the cluster. Secrets are limited in size to [1MiB](https://kubernetes.io/docs/concepts/configuration/secret/#restriction-data-size), which reduces the impact of this issue; it was discovered through an ~856kB fuzz test input which causes `pem.Decode` to take roughly 750ms to reject the input on an M2 Max Macbook Pro. By way of comparison, a valid PEM-encoded 4096-bit RSA key takes roughly 70µs to parse on the same machine. Given the required size of PEM data needed to present a realistic DoS vector, an attacker would need to create or insert many different large sized resources in...

GHSA-9c5p-35gj-jqp4: Rancher Helm Applications may have sensitive values leaked

### Impact A vulnerability has been identified within Rancher Manager whereby applications installed via Rancher Manager Apps Catalog store their Helm values directly into the `Apps` Custom Resource Definition, resulting in any users with `GET` access to it to be able to read any sensitive information that are contained within the Apps’ values. Additionally, the same information leaks into auditing logs when the audit level is set to equal or above 2. Application charts without sensitive data are not affected by this vulnerability. This vulnerability impacts any Helm applications installed on a Rancher Manager cluster, regardless of it being installed via the Marketplace or using the helm cli. Please consult the associated [MITRE ATT&CK - Technique - Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068/) for further information about this category of attack. ### Patches Patched versions include Rancher Manager `2.9.5` and `2.8.10`. The fix ensures that al...

GHSA-j5hq-5jcr-xwx7: github.com/rancher/steve's users can issue watch commands for arbitrary resources

### Impact A vulnerability has been discovered in Steve API (Kubernetes API Translator) in which users can watch resources they are not allowed to access, when they have at least some generic permissions on the type. For example, a user who can get a single secret in a single namespace can get all secrets in every namespace. During a `watch` request for a single ID, the following occurs: - In the case of a watch request for a single resource, Steve API will return a partition with the requested resource in it. In other cases, it will check the user's access when constructing partitions. - When a watch request for a single resource is issued, instead of using a client which impersonates the user making the request, Steve API will use the admin client, which can read all resources. This allows any requester to see the contents of any object such as secret keys, signing certificates, API tokens. Please consult the associated [MITRE ATT&CK - Technique - Valid Accounts](https://attack.m...

GHSA-h7wq-jj8r-qm7p: Kubernetes Nil pointer dereference in KCM after v1 HPA patch request

A flaw was found in kube-controller-manager. This issue occurs when the initial application of a HPA config YAML lacking a .spec.behavior.scaleUp block causes a denial of service due to KCM pods going into restart churn.

Red Hat Security Advisory 2024-9583-03

Red Hat Security Advisory 2024-9583-03 - Updated images are now available for Red Hat Advanced Cluster Security. The updated image includes a bug fix and security fixes. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2024-9102-03

Red Hat Security Advisory 2024-9102-03 - An update for podman is now available for Red Hat Enterprise Linux 9. Issues addressed include denial of service and information leakage vulnerabilities.