{
  "threat_severity" : "Moderate",
  "public_date" : "2020-10-14T00:00:00Z",
  "bugzilla" : {
    "description" : "kubernetes: Secret leaks in kube-controller-manager when using vSphere Provider",
    "id" : "1886635",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1886635"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-117",
  "details" : [ "In Kubernetes clusters using VSphere as a cloud provider, with a logging level set to 4 or above, VSphere cloud credentials will be leaked in the cloud controller manager's log. This affects < v1.19.3.", "A flaw was found in kubernetes. In clusters running on VSphere, using VSphere as a cloud provider with a logging level set to 4 or above, VSphere cloud credentials will be leaked in the cloud controller manager's log." ],
  "statement" : "OpenShift Container Platform (OCP) versions before 4.6 are not affected by this vulnerability as they are based on Kubernetes versions before 1.19. Only Kubernetes versions 1.19.0 through 1.19.2 are affected by this vulnerability.",
  "acknowledgement" : "Red Hat would like to thank the Kubernetes Product Security Committee for reporting this issue. Upstream acknowledges Kaizhe Huang (derek0405) as the original reporter.",
  "affected_release" : [ {
    "product_name" : "Red Hat OpenShift Container Platform 4.6",
    "release_date" : "2020-12-14T00:00:00Z",
    "advisory" : "RHSA-2020:5260",
    "cpe" : "cpe:/a:redhat:openshift:4.6::el7",
    "package" : "openshift-0:4.6.0-202012051246.p0.git.94231.efc9027.el7"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.7",
    "release_date" : "2021-02-24T00:00:00Z",
    "advisory" : "RHSA-2020:5633",
    "cpe" : "cpe:/a:redhat:openshift:4.7::el8",
    "package" : "openshift4/ose-hyperkube:v4.7.0-202102130115.p0"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat OpenShift Container Platform 3.11",
    "fix_state" : "Not affected",
    "package_name" : "atomic-openshift",
    "cpe" : "cpe:/a:redhat:openshift:3.11"
  }, {
    "product_name" : "Red Hat Storage 3",
    "fix_state" : "Not affected",
    "package_name" : "heketi",
    "cpe" : "cpe:/a:redhat:storage:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2020-8563\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-8563\nhttps://github.com/kubernetes/kubernetes/issues/95621\nhttps://groups.google.com/g/kubernetes-announce/c/ScdmyORnPDk" ],
  "name" : "CVE-2020-8563",
  "mitigation" : {
    "value" : "Ensure that the logging level is below 4. Additionally, protect cluster logs from unauthorized access.\nFor OCP, the logging level for core components can be configured using operators, e.g. for kube-controller-manager:\nhttps://docs.openshift.com/container-platform/latest/rest_api/operator_apis/kubecontrollermanager-operator-openshift-io-v1.html#specification\nIn OCP, a logging level of \"Debug\" is equivalent to 4:\nhttps://github.com/openshift/api/blob/master/operator/v1/types.go#L96\nThe default logging level is \"Normal\", which is equivalent to 2. Clusters running with the default level are not vulnerable to this issue.",
    "lang" : "en:us"
  },
  "csaw" : false
}