{ "threat_severity" : "Moderate", "public_date" : "2024-05-16T00:00:00Z", "bugzilla" : { "description" : "submariner-operator: RBAC permissions can allow for the spread of node compromises", "id" : "2280921", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2280921" }, "cvss3" : { "cvss3_base_score" : "6.6", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:H/A:N", "status" : "verified" }, "cwe" : "CWE-250", "details" : [ "A flaw was found in the Submariner project. Due to unnecessary role-based access control permissions, a privileged attacker can run a malicious container on a node that may allow them to steal service account tokens and further compromise other nodes and potentially the entire cluster.", "A flaw was found in the Submariner project. Due to unnecessary role-based access control permissions, a privileged attacker can run a malicious container on a node that may allow them to steal service account tokens and further compromise other nodes and potentially the entire cluster." ], "statement" : "For the submariner operator in Red Hat Advanced Cluster Management for Kubernetes, the submariner-security outlined potential vulnerabilities regarding RBAC permissions being too broad. Those permissions make it possible to create, patch or update statefulsets or replicasets resources. This may allow new privileged containers escaping them and gaining root privileges on any worker nodes where those containers have been deployed within the cluster.", "affected_release" : [ { "product_name" : "RHODF-4.16-RHEL-9", "release_date" : "2024-07-17T00:00:00Z", "advisory" : "RHSA-2024:4591", "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.16::el9", "package" : "odf4/odf-multicluster-rhel9-operator:v4.16.0-19" }, { "product_name" : "Red Hat Openshift Data Foundation 4.2", "release_date" : "2026-04-02T00:00:00Z", "advisory" : "RHSA-2026:6503", "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.20::el9", "package" : "odf4/cephcsi-rhel9:sha256:147e1ff243a190e7db6af5a450ab9ee45a6c138beb1428605296c5a39d8c2cd9" }, { "product_name" : "Red Hat Openshift Data Foundation 4.2", "release_date" : "2026-04-02T00:00:00Z", "advisory" : "RHSA-2026:6503", "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.20::el9", "package" : "odf4/cephcsi-rhel9-operator:sha256:457e7c141b8e04ebe23f8b89da6d2a1a86ea5be46e9893b9207bd16a1e7e92b2" }, { "product_name" : "Red Hat Openshift Data Foundation 4.2", "release_date" : "2026-04-02T00:00:00Z", "advisory" : "RHSA-2026:6503", "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.20::el9", "package" : "odf4/mcg-core-rhel9:sha256:0e1a41e4284bb482365de3b2d2e799fe4b53af86743b56ccae50a236eac23897" }, { "product_name" : "Red Hat Openshift Data Foundation 4.2", "release_date" : "2026-04-02T00:00:00Z", "advisory" : "RHSA-2026:6503", "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.20::el9", "package" : "odf4/mcg-rhel9-operator:sha256:23e29e78ab6586896be041a0d759d0a47bf5a3708ba816574bc996baee4af946" }, { "product_name" : "Red Hat Openshift Data Foundation 4.2", "release_date" : "2026-04-02T00:00:00Z", "advisory" : "RHSA-2026:6503", "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.20::el9", "package" : "odf4/ocs-client-console-rhel9:sha256:40b76923ce5df4062bfd3a6c617874e230b4b47cf998081b0c552141d93a81b0" }, { "product_name" : "Red Hat Openshift Data Foundation 4.2", "release_date" : "2026-04-02T00:00:00Z", "advisory" : "RHSA-2026:6503", "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.20::el9", "package" : "odf4/ocs-client-rhel9-operator:sha256:0ea607acea5d6ad4aa853cb564e7c5e462c3d5f38814e2097142d44231437bd8" }, { "product_name" : "Red Hat Openshift Data Foundation 4.2", "release_date" : "2026-04-02T00:00:00Z", "advisory" : "RHSA-2026:6503", "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.20::el9", "package" : "odf4/ocs-metrics-exporter-rhel9:sha256:74efeee9bddf97c549de6a6fa454d86f96d3afef8aaf2438b740403181579fcd" }, { "product_name" : "Red Hat Openshift Data Foundation 4.2", "release_date" : "2026-04-02T00:00:00Z", "advisory" : "RHSA-2026:6503", "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.20::el9", "package" : "odf4/ocs-rhel9-operator:sha256:2f22bca94e282ce150235d74070465525b5fbd29070f1caec323f5f8d7be0db5" }, { "product_name" : "Red Hat Openshift Data Foundation 4.2", "release_date" : "2026-04-02T00:00:00Z", "advisory" : "RHSA-2026:6503", "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.20::el9", "package" : "odf4/odf-cli-rhel9:sha256:1f58e36602f8e8704179762e4b94898ded50bb9d4643b829ac516165d5a66fe1" }, { "product_name" : "Red Hat Openshift Data Foundation 4.2", "release_date" : "2026-04-02T00:00:00Z", "advisory" : "RHSA-2026:6503", "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.20::el9", "package" : "odf4/odf-cloudnative-pg-rhel9-operator:sha256:180f30e2f7ae5a1604c9ef3e8fdcdb2af37c53019280777c61375aef9cc6dee3" }, { "product_name" : "Red Hat Openshift Data Foundation 4.2", "release_date" : "2026-04-02T00:00:00Z", "advisory" : "RHSA-2026:6503", "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.20::el9", "package" : "odf4/odf-console-rhel9:sha256:bc06753f9f013d4eed2705d5fbd727f916eab9f72c0c4d2cc33f6f064c58ecb1" }, { "product_name" : "Red Hat Openshift Data Foundation 4.2", "release_date" : "2026-04-02T00:00:00Z", "advisory" : "RHSA-2026:6503", "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.20::el9", "package" : "odf4/odf-cosi-sidecar-rhel9:sha256:31bd7bff52021201beffb8f94e25635443390ed7c373fef546dd799c29a540dd" }, { "product_name" : "Red Hat Openshift Data Foundation 4.2", "release_date" : "2026-04-02T00:00:00Z", "advisory" : "RHSA-2026:6503", "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.20::el9", "package" : "odf4/odf-csi-addons-rhel9-operator:sha256:0cb993a3f939cd30689f10f03110a6dec8317c9c5c69ed726e78bb9c70b7f3ee" }, { "product_name" : "Red Hat Openshift Data Foundation 4.2", "release_date" : "2026-04-02T00:00:00Z", "advisory" : "RHSA-2026:6503", "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.20::el9", "package" : "odf4/odf-csi-addons-sidecar-rhel9:sha256:55351821e9c296bf419a0b6b4f8a08942303bde1f6b8c1c8d3e81d719bafd0d4" }, { "product_name" : "Red Hat Openshift Data Foundation 4.2", "release_date" : "2026-04-02T00:00:00Z", "advisory" : "RHSA-2026:6503", "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.20::el9", "package" : "odf4/odf-external-snapshotter-rhel9-operator:sha256:3d8d9e2964d1c472f29ff5a67ff2b23188dbb9add8ccaa1cfa37ad1742825bf9" }, { "product_name" : "Red Hat Openshift Data Foundation 4.2", "release_date" : "2026-04-02T00:00:00Z", "advisory" : "RHSA-2026:6503", "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.20::el9", "package" : "odf4/odf-external-snapshotter-sidecar-rhel9:sha256:0b5f12a165ad061ec151f9310fa5803717cb41f719802503125d982f5420edd0" }, { "product_name" : "Red Hat Openshift Data Foundation 4.2", "release_date" : "2026-04-02T00:00:00Z", "advisory" : "RHSA-2026:6503", "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.20::el9", "package" : "odf4/odf-multicluster-console-rhel9:sha256:08cd8df1f99ca92bd8c82a3ce345352f8a5223feac9f475293987dc6088bd607" }, { "product_name" : "Red Hat Openshift Data Foundation 4.2", "release_date" : "2026-04-02T00:00:00Z", "advisory" : "RHSA-2026:6503", "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.20::el9", "package" : "odf4/odf-multicluster-rhel9-operator:sha256:13594f6f57bdd87477505288fee4a62c504daacdb6fc930e0c64c582edab4dbb" }, { "product_name" : "Red Hat Openshift Data Foundation 4.2", "release_date" : "2026-04-02T00:00:00Z", "advisory" : "RHSA-2026:6503", "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.20::el9", "package" : "odf4/odf-must-gather-rhel9:sha256:2541e3c82807ec72336aa0151f05e8576eabe710eaa660efe6fe2a98ab0eff61" }, { "product_name" : "Red Hat Openshift Data Foundation 4.2", "release_date" : "2026-04-02T00:00:00Z", "advisory" : "RHSA-2026:6503", "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.20::el9", "package" : "odf4/odf-rhel9-operator:sha256:1872fce9d3599368600ce07f81c6a2105bfdf10cb770fdeea57dd1e16f662789" }, { "product_name" : "Red Hat Openshift Data Foundation 4.2", "release_date" : "2026-04-02T00:00:00Z", "advisory" : "RHSA-2026:6503", "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.20::el9", "package" : "odf4/odr-rhel9-operator:sha256:33e368d66244b241e6eb7e39eb886fa92bf358ddb5a3f231ef3585a7e91d3726" }, { "product_name" : "Red Hat Openshift Data Foundation 4.2", "release_date" : "2026-04-02T00:00:00Z", "advisory" : "RHSA-2026:6503", "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.20::el9", "package" : "odf4/rook-ceph-rhel9-operator:sha256:253711dee2d7fdbf65756583ba63a73ed796b1205369e5ed9f48c253a67f4c0a" } ], "package_state" : [ { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Affected", "package_name" : "rhacm2/lighthouse-agent-rhel9", "cpe" : "cpe:/a:redhat:acm:2" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Affected", "package_name" : "rhacm2/lighthouse-coredns-rhel9", "cpe" : "cpe:/a:redhat:acm:2" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Affected", "package_name" : "rhacm2/submariner-gateway-rhel9", "cpe" : "cpe:/a:redhat:acm:2" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Affected", "package_name" : "rhacm2/submariner-globalnet-rhel8", "cpe" : "cpe:/a:redhat:acm:2" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Affected", "package_name" : "rhacm2/submariner-rhel8-operator", "cpe" : "cpe:/a:redhat:acm:2" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Affected", "package_name" : "rhacm2/submariner-route-agent-rhel8", "cpe" : "cpe:/a:redhat:acm:2" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-5042\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-5042\nhttps://github.com/advisories/GHSA-2rhx-qhxp-5jpw" ], "name" : "CVE-2024-5042", "csaw" : false }