{
  "threat_severity" : "Moderate",
  "public_date" : "2020-10-14T00:00:00Z",
  "bugzilla" : {
    "description" : "kubernetes: Ceph RBD adminSecrets exposed in logs when loglevel >= 4",
    "id" : "1886640",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1886640"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-117",
  "details" : [ "In Kubernetes clusters using Ceph RBD as a storage provisioner, with logging level of at least 4, Ceph RBD admin secrets can be written to logs. This occurs in kube-controller-manager's logs during provisioning of Ceph RBD persistent claims. This affects < v1.19.3, < v1.18.10, < v1.17.13.", "A flaw was found in kubernetes. If the logging level is set to at least 4, and Ceph RBD is configured as a storage provisioner, then Ceph RBD admin secrets can be written to logs. This occurs in kube-controller-manager's logs during provisioning of Ceph RBD persistent claims." ],
  "statement" : "OpenShift Container Platform 4 does not support Ceph RBD persistent volumes, however the vulnerable code is included.",
  "acknowledgement" : "Red Hat would like to thank the Kubernetes Product Security Committee for reporting this issue. Upstream acknowledges Kaizhe Huang (derek0405) as the original reporter.",
  "affected_release" : [ {
    "product_name" : "Red Hat OpenShift Container Platform 4.6",
    "release_date" : "2021-01-18T00:00:00Z",
    "advisory" : "RHSA-2021:0037",
    "cpe" : "cpe:/a:redhat:openshift:4.6::el8",
    "package" : "openshift4/ose-hyperkube:v4.6.0-202101090040.p0",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.7",
    "release_date" : "2021-02-24T00:00:00Z",
    "advisory" : "RHSA-2020:5634",
    "cpe" : "cpe:/a:redhat:openshift:4.7::el7",
    "package" : "openshift-0:4.7.0-202102060108.p0.git.97095.7271b90.el7",
    "impact" : "low"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat OpenShift Container Platform 3.11",
    "fix_state" : "Will not fix",
    "package_name" : "atomic-openshift",
    "cpe" : "cpe:/a:redhat:openshift:3.11"
  }, {
    "product_name" : "Red Hat Storage 3",
    "fix_state" : "Not affected",
    "package_name" : "heketi",
    "cpe" : "cpe:/a:redhat:storage:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2020-8566\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-8566\nhttps://github.com/kubernetes/kubernetes/issues/95624\nhttps://groups.google.com/g/kubernetes-announce/c/ScdmyORnPDk" ],
  "name" : "CVE-2020-8566",
  "mitigation" : {
    "value" : "OCP Clusters not using Ceph RBD volumes are not vulnerable to this issue. For clusters using Ceph RBD volumes, this can be mitigated by ensuring the logging level is below 4 and protecting against unauthorized access to cluster logs.\nFor OCP, the logging level for core components can be configured using operators, e.g. for kube-controller-manager:\nhttps://docs.openshift.com/container-platform/latest/rest_api/operator_apis/kubecontrollermanager-operator-openshift-io-v1.html#specification\nIn OCP, a logging level of \"Debug\" is equivalent to 4:\nhttps://github.com/openshift/api/blob/master/operator/v1/types.go#L96\nThe default logging level is \"Normal\", which is equivalent to 2. Clusters running with the default level are not vulnerable to this issue.",
    "lang" : "en:us"
  },
  "csaw" : false
}