Platform: go
Component: github.com/openshift/openshift-controller-manager
Fixed in: 4.18.1, 0.0.0-alpha.0.0.20240911
CVE-2024-45496 describes a critical Remote Code Execution (RCE) vulnerability discovered in OpenShift Container Platform. This flaw arises from the misuse of elevated privileges during the build initialization process, specifically within the git-clone container. Affected versions are those prior to 0.0.0-alpha.0.0.20240911. A patch has been released to address this vulnerability.
The impact of CVE-2024-45496 is severe. An attacker who can inject a malicious .gitconfig file during the build initialization phase can gain arbitrary command execution on the worker node. This effectively grants them root access to the node, allowing for complete control over the system. They could install malware, steal sensitive data, disrupt services, or pivot to other systems within the network. The privileged nature of the git-clone container amplifies the risk, as it bypasses standard container security restrictions. This vulnerability is particularly concerning given the critical role OpenShift plays in many organizations' container orchestration infrastructure.
This vulnerability is actively being tracked and considered high-risk. Public proof-of-concept exploits are likely to emerge, increasing the risk of widespread exploitation. The vulnerability's ease of exploitation, combined with the critical nature of OpenShift, makes it a prime target for attackers. While no active campaigns have been publicly confirmed, the KEV listing is pending, indicating a high probability of exploitation. The vulnerability was publicly disclosed on 2024-09-17.
Organizations deploying OpenShift Container Platform, particularly those with developer access granted to external contributors or automated build pipelines, are at significant risk. Environments utilizing custom build configurations or integrating external repositories should be prioritized for remediation.
• linux / server:
journalctl -u openshift-controller-manager -g 'git-clone' | grep -i error
• windows / supply-chain:
Get-ScheduledTask | Where-Object {$_.TaskName -like '*openshift*'} | Format-List TaskName, Actions
• generic web:
curl -I <openshift_build_endpoint>
Disclosure
Patch
Exploit status
EPSS: 0.13% (33rd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-45496 is to immediately upgrade to OpenShift Container Platform version 0.0.0-alpha.0.0.20240911 or later. If upgrading is not immediately feasible, consider restricting developer access to the build process to prevent malicious .gitconfig files from being introduced. While not a complete solution, implementing strict network segmentation and limiting lateral movement capabilities can reduce the potential blast radius of a successful exploit. Review and harden the security context of the git-clone container to minimize its privileges. After upgrading, confirm the fix by attempting to trigger the build process with a crafted .gitconfig file and verifying that the malicious commands are not executed.
Update OpenShift Container Platform to a fixed version. Further details and update instructions are available in the Red Hat Security Advisories (RHSA) RHSA-2024:3718, RHSA-2024:6685 and RHSA-2024:6687.
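As an added check that is not part of this advisory or of any vendor tooling, the following script reports whether a go.mod pins github.com/openshift/openshift-controller-manager to a pseudo-version whose commit date predates the fixed version 0.0.0-alpha.0.0.20240911 listed above. The sample go.mod is constructed, the date-only comparison and the handling of tagged versions are heuristics of this example, and replace directives are not considered.

```python
import re

MODULE = "github.com/openshift/openshift-controller-manager"
FIXED_DATE = 20240911  # date part of the fixed version 0.0.0-alpha.0.0.20240911 (from the advisory)

# Constructed sample go.mod, not from a real project; pins a June 2024 commit of the module.
SAMPLE_GO_MOD = """\
module example.com/build-tooling

go 1.22

require (
\tgithub.com/openshift/openshift-controller-manager v0.0.0-20240610102030-0123456789ab // indirect
\tk8s.io/client-go v0.30.0
)
"""

def parse_go_mod(text):
    """Return {module_path: version} from single-line and block 'require' directives."""
    deps, in_block = {}, False
    for raw in text.splitlines():
        line = raw.split("//", 1)[0].strip()  # drop comments such as '// indirect'
        if line == "require (":
            in_block = True
        elif in_block and line == ")":
            in_block = False
        elif line.startswith("require ") or in_block:
            parts = line.split()
            if parts and parts[0] == "require":
                parts = parts[1:]             # single-line form: require <path> <version>
            if len(parts) >= 2:
                deps[parts[0]] = parts[1]
    return deps

def classify(version):
    """Place a Go pseudo-version's commit date before, on, or after the fix date (heuristic)."""
    m = re.search(r"[-.](\d{14})-[0-9a-f]{12}$", version)
    if not m:
        return "tagged"        # e.g. v4.18.1: check against the advisory's release list
    commit_date = int(m.group(1)[:8])
    if commit_date < FIXED_DATE:
        return "affected"
    return "check-commit" if commit_date == FIXED_DATE else "fixed"

def check_go_mod(text):
    """Return (version, status); status is 'absent' when the module is not required."""
    version = parse_go_mod(text).get(MODULE)
    return (version, "absent") if version is None else (version, classify(version))

if __name__ == "__main__":
    print(check_go_mod(SAMPLE_GO_MOD))  # ('v0.0.0-20240610102030-0123456789ab', 'affected')
```

A result of "check-commit" means the pseudo-version was cut on the fix date itself, so the exact commit has to be compared with the fixing change rather than trusting the date alone.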
CVE-2024-45496 is a critical Remote Code Execution vulnerability in OpenShift Container Platform, allowing attackers to execute arbitrary commands on worker nodes through a crafted .gitconfig file.
You are affected if you run OpenShift Container Platform versions prior to 0.0.0-alpha.0.0.20240911 and grant developer-level access to the build process.
Upgrade to OpenShift Container Platform version 0.0.0-alpha.0.0.20240911 or later. Restrict build process access and validate configuration files.
While active exploitation is not yet confirmed, the vulnerability's severity and ease of exploitation suggest a high likelihood of exploitation attempts.
Refer to the official OpenShift security advisory for detailed information and mitigation guidance: [https://security.openshift.io/](https://security.openshift.io/)