{
  "threat_severity" : "Moderate",
  "public_date" : "2020-06-01T00:00:00Z",
  "bugzilla" : {
    "description" : "kubernetes: Server side request forgery (SSRF) in kube-controller-manager allows users to leak secret information",
    "id" : "1821583",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1821583"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-200",
  "details" : [ "The Kubernetes kube-controller-manager in versions v1.0-1.14, versions prior to v1.15.12, v1.16.9, v1.17.5, and version v1.18.0 are vulnerable to a Server Side Request Forgery (SSRF) that allows certain authorized users to leak up to 500 bytes of arbitrary information from unprotected endpoints within the master's host network (such as link-local or loopback services).", "A server side request forgery (SSRF) flaw was found in Kubernetes. The kube-controller-manager allows authorized users with the ability to create StorageClasses or certain Volume types to leak up to 500 bytes of arbitrary information from the master's host network. This can include secrets from the kube-apiserver through the unauthenticated localhost port (if enabled)." ],
  "statement" : "OpenShift Container Platform does not expose kube-apiserver through an unauthenticated localhost port. However, other link-local addresses are reachable without authentication that allow an attacker to access sensitive data.\nThe version of heketi shipped with Red Hat Gluster Storage 3 includes the affected client side code for heketi and quobyte volume plugin, however the vulnerable functionality is currently not used by the product and hence this issue has been rated as having a security impact of Low.\nRed Hat Openshift Container Storage 4.2 is not affected by this vulnerability as rook-ceph-operator container does not include support for affected volume plugins(storageos, scaleio, glusterfs, quobyte).",
  "acknowledgement" : "Red Hat would like to thank the Kubernetes Product Security Committee for reporting this issue. Upstream acknowledges Brice Augras (Groupe-Asten) and Christophe Hauquiert (Nokia) as the original reporters.",
  "affected_release" : [ {
    "product_name" : "Red Hat OpenShift Container Platform 3.11",
    "release_date" : "2020-06-18T00:00:00Z",
    "advisory" : "RHSA-2020:2479",
    "cpe" : "cpe:/a:redhat:openshift:3.11::el7",
    "package" : "atomic-openshift-0:3.11.232-1.git.0.a5bc32f.el7"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.2",
    "release_date" : "2020-07-01T00:00:00Z",
    "advisory" : "RHSA-2020:2594",
    "cpe" : "cpe:/a:redhat:openshift:4.2::el7",
    "package" : "openshift-0:4.2.36-202006211650.p0.git.0.1fe246f.el7"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.3",
    "release_date" : "2020-06-17T00:00:00Z",
    "advisory" : "RHSA-2020:2440",
    "cpe" : "cpe:/a:redhat:openshift:4.3::el7",
    "package" : "openshift-0:4.3.25-202006060952.git.1.96c30f6.el8"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.3",
    "release_date" : "2020-06-17T00:00:00Z",
    "advisory" : "RHSA-2020:2441",
    "cpe" : "cpe:/a:redhat:openshift:4.3::el7",
    "package" : "openshift4/ose-hyperkube:v4.3.25-202006081335"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.4",
    "release_date" : "2020-06-17T00:00:00Z",
    "advisory" : "RHSA-2020:2448",
    "cpe" : "cpe:/a:redhat:openshift:4.4::el7",
    "package" : "openshift-0:4.4.0-202006061254.git.1.dc84fb4.el8"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.4",
    "release_date" : "2020-06-17T00:00:00Z",
    "advisory" : "RHSA-2020:2449",
    "cpe" : "cpe:/a:redhat:openshift:4.4::el7",
    "package" : "openshift4/ose-hyperkube:v4.4.0-202006080610"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Openshift Container Storage 4",
    "fix_state" : "Not affected",
    "package_name" : "ocs4/rook-ceph-rhel8-operator",
    "cpe" : "cpe:/a:redhat:openshift_container_storage:4"
  }, {
    "product_name" : "Red Hat Storage 3",
    "fix_state" : "Fix deferred",
    "package_name" : "heketi",
    "cpe" : "cpe:/a:redhat:storage:3",
    "impact" : "low"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2020-8555\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-8555\nhttps://groups.google.com/forum/#!topic/kubernetes-security-announce/kEK27tqqs30" ],
  "name" : "CVE-2020-8555",
  "mitigation" : {
    "value" : "Restrict use of the vulnerable volume type and restrict StorageClass write permissions via RBAC",
    "lang" : "en:us"
  },
  "csaw" : false
}