Versions
Red Hat OpenShift Container Platform 4.6 and Red Hat OpenShift Container Platform 4.5.16
Openshift 4.9 onwards
Openshift 3.11 and 4.6 onwards
4.8.17
OpenShift 4.9
4.9.0
4.9
4.12.0
openshift 4.8
github.com/openshift/builder v0.0.0-20210118193943-6d10f5202a76
Recent CVEs
CVE-2023-3089
A compliance problem was found in the Red Hat OpenShift Container Platform. Red Hat discovered that, when FIPS mode was enabled, not all of the cryptographic modules in use were FIPS-validated.
CVE-2022-3259
Openshift 4.9 does not use HTTP Strict Transport Security (HSTS) which may allow man-in-the-middle (MITM) attacks.
CVE-2022-3262
A flaw was found in Openshift. A pod with a DNSPolicy of "ClusterFirst" may incorrectly resolve the hostname based on a service provided. This flaw allows an attacker to supply an incorrect name with the DNS search policy, affecting confidentiality and availability.
CVE-2022-3260
The response header has not enabled X-FRAME-OPTIONS, Which helps prevents against Clickjacking attack.. Some browsers would interpret these results incorrectly, allowing clickjacking attacks.
CVE-2022-2403
A credentials leak was found in the OpenShift Container Platform. The private key for the external cluster certificate was stored incorrectly in the oauth-serving-cert ConfigMaps, and accessible to any authenticated OpenShift user or service-account. A malicious user could exploit this flaw by reading the oauth-serving-cert ConfigMap in the openshift-config-managed namespace, compromising any web traffic secured using that certificate.
CVE-2022-1677
In OpenShift Container Platform, a user with permissions to create or modify Routes can craft a payload that inserts a malformed entry into one of the cluster router's HAProxy configuration files. This malformed entry can match any arbitrary hostname, or all hostnames in the cluster, and direct traffic to an arbitrary application within the cluster, including one under attacker control.
CVE-2022-1632
An Improper Certificate Validation attack was found in Openshift. A re-encrypt Route with destinationCACertificate explicitly set to the default serviceCA skips internal Service TLS certificate validation. This flaw allows an attacker to exploit an invalid certificate, resulting in a loss of confidentiality.
CVE-2021-4047
The release of OpenShift 4.9.6 included four CVE fixes for the haproxy package, however the patch for CVE-2021-39242 was missing. This issue only affects Red Hat OpenShift 4.9.
CVE-2021-3636
It was found in OpenShift, before version 4.8, that the generated certificate for the in-cluster Service CA, incorrectly included additional certificates. The Service CA is automatically mounted into all pods, allowing them to safely connect to trusted in-cluster services that present certificates signed by the trusted Service CA. The incorrect inclusion of additional CAs in this certificate would allow an attacker that compromises any of the additional CAs to masquerade as a trusted in-cluster service.
CVE-2020-14336
A flaw was found in the Restricted Security Context Constraints (SCC), where it allows pods to craft custom network packets. This flaw allows an attacker to cause a denial of service attack on an OpenShift Container Platform cluster if they can deploy pods. The highest threat from this vulnerability is to system availability.