Main Vulnerability Database SB2020121508

SB2020121508 - Multiple vulnerabilities in OpenShift Container Platform

Published: December 15, 2020

Security Bulletin ID SB2020121508

Severity

Low

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Local access

Highest impact Information disclosure

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Inclusion of Sensitive Information in Log Files (CVE-ID: CVE-2020-8563)

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to software stores sensitive information into log files. In Kubernetes clusters using VSphere as a cloud provider, with a logging level set to 4 or above, VSphere cloud credentials will be leaked in the cloud controller manager's log. A local user can read the log files and gain access to sensitive data.

Remediation

Install update from vendor's website.

References

https://access.redhat.com/errata/RHSA-2020:5260

Vulnerable Software

Red Hat OpenShift Container Platform: 4.6.0 - 4.6.7
openshift-clients (Red Hat package): 4.2.32-202005020632.git.1.1b0fab9.el8 - 4.5.0-202011121956.p0.git.3609.b4952c1.el8
openshift (Red Hat package): 4.1.10-201908060758.git.0.d81afa6.el7 - 4.5.0-202011131403.p0.git.0.d153f8f.el8
cri-o (Red Hat package): 1.13.11-0.7.dev.rhaos4.1.git9cb8f2f.el8 - 1.18.4-4.rhaos4.5.git6dee389.el8
openshift-kuryr (Red Hat package): 4.3.1-202002031701.git.1.cfa4a05.el8 - 4.5.0-202010091010.p0.git.1998.b73d461.el8
openshift-ansible (Red Hat package): 3.4.67-1.git.0.14a0b4d.el7
python-pyroute2 (Red Hat package): before 0.5.13-1.el8ost
python-eventlet (Red Hat package): before 0.25.2-3.el8ost
ironic-images (Red Hat package): before 15.1-20201201.1.el8