{
  "threat_severity" : "Important",
  "public_date" : "2022-06-28T00:00:00Z",
  "bugzilla" : {
    "description" : "openshift: oauth-serving-cert configmap contains cluster certificate private key",
    "id" : "2101959",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2101959"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.7",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-497",
  "details" : [ "A credentials leak was found in the OpenShift Container Platform. The private key for the external cluster certificate was stored incorrectly in the oauth-serving-cert ConfigMaps, and accessible to any authenticated OpenShift user or service-account. A malicious user could exploit this flaw by reading the oauth-serving-cert ConfigMap in the openshift-config-managed namespace, compromising any web traffic secured using that certificate.", "A credentials leak was found in the OpenShift Container Platform. The private key for the external cluster certificate was stored incorrectly in the oauth-serving-cert ConfigMaps, and accessible to any authenticated OpenShift user or service-account. This flaw allows a malicious user to read the oauth-serving-cert ConfigMap in the openshift-config-managed namespace, compromising any web traffic secured using that certificate." ],
  "statement" : "All versions of the OpenShift Container Platform 4.9 and later are affected by this vulnerability.",
  "acknowledgement" : "Red Hat would like to thank Colin Smith (yoloClin, Radiant Security) for reporting this issue.",
  "affected_release" : [ {
    "product_name" : "Red Hat OpenShift Container Platform 4.10",
    "release_date" : "2022-07-25T00:00:00Z",
    "advisory" : "RHSA-2022:5664",
    "cpe" : "cpe:/a:redhat:openshift:4.10::el8",
    "package" : "openshift4/ose-cluster-authentication-operator:v4.10.0-202207160316.p0.g6a015c7.assembly.stream"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.9",
    "release_date" : "2022-08-09T00:00:00Z",
    "advisory" : "RHSA-2022:5879",
    "cpe" : "cpe:/a:redhat:openshift:4.9::el8",
    "package" : "openshift4/ose-cluster-authentication-operator:v4.9.0-202208020055.p0.g265030f.assembly.stream"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-2403\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-2403" ],
  "name" : "CVE-2022-2403",
  "mitigation" : {
    "value" : "Removal of the private key from the ConfigMap, or modification of the RBAC permissions is not a sufficient mitigation on its own, as these will both be restored by the authentication-operator.\nThis flaw can be mitigated by deploying a custom webhook which filters out the private key from the target ConfigMap, preventing it from being restored by the authentication-operator. An example of this can be found here:\nhttps://github.com/sfowl/configmap-cleaner\nAfter upgrading to a fixed version of OpenShift or applying the mitigation, all ingress certificates should be rotated:\nhttps://docs.openshift.com/container-platform/4.10/security/certificates/replacing-default-ingress-certificate.html#replacing-default-ingress",
    "lang" : "en:us"
  },
  "csaw" : false
}