Platform
go
Component
github.com/openshift/openshift-apiserver
CVE-2025-14443 describes a Server-Side Request Forgery (SSRF) vulnerability in the OpenShift Apiserver component. An attacker who can submit image references can make the API server open connections to internal or external hosts it was never meant to reach. The flaw affects OpenShift Apiserver versions before the release that contains the fix; upgrading to the patched version is the primary remedy.
The SSRF arises from insufficient validation of the IP addresses and network ranges named in user-supplied image references. The OpenShift Apiserver contacts registries on behalf of users, so a crafted reference whose registry is a private, loopback or link-local address (or a hostname that resolves to one) causes the API server to connect from its own network position. Typical consequences are reconnaissance of cluster-internal services, access to endpoints that trust requests from the API server's address, and exposure of data returned by those endpoints. The blast radius is every service reachable from the openshift-apiserver pods that relies on network position rather than authentication.
CVE-2025-14443 was published on 2026-03-10 and is rated HIGH (CVSS 8.5). No public proof-of-concept exploit is known at the time of writing. Because the API server is a core component of every OpenShift deployment, the exposed population is large; monitor security advisories and threat intelligence feeds for signs of active exploitation.
Organizations that depend on OpenShift for container orchestration and application deployment should treat this as a priority. Clusters that allow users to reference custom registries, or whose internal services are reachable from the API server's network, are most exposed. Limited network segmentation or permissive egress rules for the openshift-apiserver namespace increase the impact of a successful SSRF.
• linux / server:
openshift-apiserver runs as pods in the openshift-apiserver namespace rather than as a systemd unit, so read the pod logs instead of journalctl (no log signature specific to this CVE has been published; look for image-related errors that name unexpected hosts or addresses):
oc logs -n openshift-apiserver deploy/apiserver --all-containers --since=24h | grep -i image | grep -i error
• go / supply-chain:
Inspect the github.com/openshift/openshift-apiserver codebase for the code paths that process image references and contact registries, and compare the vulnerable and fixed releases to confirm that IP and network-range validation is present in the version you run.
• generic web:
Outbound connections made by the API server do not appear in its own access logs. Use network flow logs, NetworkPolicy audit logging or the cluster egress proxy to spot connections from openshift-apiserver pods to internal IP addresses, link-local ranges or unexpected external domains.
EPSS: 0.02% (percentile 4%)
The primary mitigation for CVE-2025-14443 is to upgrade to a version of OpenShift Apiserver that includes the fix; consult the official OpenShift documentation for the upgrade procedure. If upgrading immediately is not feasible, reduce what the API server can reach: apply egress NetworkPolicy (or equivalent firewall rules) to the openshift-apiserver namespace so it can connect only to approved registries, and segment sensitive internal services away from it. A WAF does not see these requests, since they arrive at the Kubernetes API rather than over HTTP from outside; the equivalent control is an admission webhook that rejects image references whose registry is, or resolves to, a private, loopback or link-local address.
Update to a version of Red Hat OpenShift Container Platform 4 that includes the fix for this vulnerability. See the Red Hat release notes for specific instructions on how to update your platform.
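The check described in the two passages above (the missing IP and network-range validation, and the admission-time control suggested as a stopgap), as an added example that is not code from openshift-apiserver or Red Hat. It contrasts a string-prefix blocklist of the kind that does not stop SSRF with a fail-closed check that resolves the registry and judges every returned address, including IPv4-mapped IPv6 literals. The function names and the DNS answers in fakeDNS are constructed for the example; production code would resolve with net.DefaultResolver.LookupNetIP.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/netip"
	"strings"
)

// registryHost returns the registry host[:port] of a docker-style reference.
// As in the reference grammar, the first path segment is a registry only if
// it contains '.' or ':' or is "localhost"; otherwise the default registry applies.
func registryHost(ref string) (string, error) {
	if ref == "" {
		return "", errors.New("empty image reference")
	}
	first, _, hasPath := strings.Cut(ref, "/")
	if !hasPath || !(strings.ContainsAny(first, ".:") || first == "localhost") {
		return "docker.io", nil
	}
	return first, nil
}

// hostOnly strips an optional port and the brackets of an IPv6 literal.
func hostOnly(hostport string) string {
	if h, _, err := net.SplitHostPort(hostport); err == nil {
		return h
	}
	return strings.Trim(hostport, "[]")
}

// Ranges not covered by netip's own classification that still reach
// infrastructure: "this network", CGNAT shared space, IETF protocol assignments.
var deniedPrefixes = []netip.Prefix{
	netip.MustParsePrefix("0.0.0.0/8"),
	netip.MustParsePrefix("100.64.0.0/10"),
	netip.MustParsePrefix("192.0.0.0/24"),
}

// isInternal reports whether an address must never be contacted on a user's behalf.
func isInternal(a netip.Addr) bool {
	a = a.Unmap() // ::ffff:10.0.0.5 is judged as 10.0.0.5
	if a.IsLoopback() || a.IsPrivate() || a.IsLinkLocalUnicast() ||
		a.IsMulticast() || a.IsUnspecified() {
		return true
	}
	for _, p := range deniedPrefixes {
		if p.Contains(a) {
			return true
		}
	}
	return false
}

// Lookup resolves a host name; the example injects a fixed table instead of DNS.
type Lookup func(host string) ([]netip.Addr, error)

// WeakCheck is a prefix blocklist that does not stop SSRF: it never resolves
// names, ignores 172.16/12 and link-local, and is fooled by IPv4-mapped literals.
func WeakCheck(ref string) bool {
	hostport, err := registryHost(ref)
	if err != nil {
		return false
	}
	host := hostOnly(hostport)
	return host != "localhost" && !strings.HasPrefix(host, "10.") &&
		!strings.HasPrefix(host, "192.168.") && !strings.HasPrefix(host, "127.")
}

// CheckImageReference returns nil only when every address the registry resolves
// to is routable outside the cluster. Resolution failures reject (fail closed).
func CheckImageReference(ref string, resolve Lookup) error {
	hostport, err := registryHost(ref)
	if err != nil {
		return err
	}
	host := hostOnly(hostport)
	var addrs []netip.Addr
	if a, perr := netip.ParseAddr(host); perr == nil {
		addrs = []netip.Addr{a} // literal address: no DNS involved
	} else if addrs, err = resolve(host); err != nil {
		return fmt.Errorf("registry %q: %w", host, err)
	} else if len(addrs) == 0 {
		return fmt.Errorf("registry %q: no addresses", host)
	}
	for _, a := range addrs {
		if isInternal(a) {
			return fmt.Errorf("registry %q resolves to internal address %s", host, a)
		}
	}
	return nil
}

// Constructed DNS answers standing in for real resolution; nothing touches the network.
var fakeDNS = map[string][]netip.Addr{
	"docker.io":               {netip.MustParseAddr("203.0.113.20")},
	"public.registry.example": {netip.MustParseAddr("203.0.113.10")},
	"registry.corp.example":   {netip.MustParseAddr("10.0.0.5")},
	"rebind.attacker.example": {netip.MustParseAddr("203.0.113.10"), netip.MustParseAddr("169.254.169.254")},
}

func fakeLookup(host string) ([]netip.Addr, error) {
	if a, ok := fakeDNS[strings.ToLower(host)]; ok {
		return a, nil
	}
	return nil, errors.New("NXDOMAIN")
}

func main() {
	for _, ref := range []string{
		"public.registry.example/team/app:1.2", "registry.corp.example/team/app:1.2",
		"rebind.attacker.example/team/app", "172.17.0.1:5000/app",
		"[::ffff:10.0.0.5]:5000/app", "169.254.169.254/latest",
	} {
		fmt.Printf("%-40s weak=%-5v hardened=%v\n", ref, WeakCheck(ref), CheckImageReference(ref, fakeLookup))
	}
}
```

Checking before connecting still leaves a time-of-check/time-of-use gap: a registry whose name returns a public address at validation and a private one a moment later (DNS rebinding) bypasses the check unless the code that actually dials connects only to the addresses that passed, for example by resolving once and dialing the vetted IP. Pair the check with egress NetworkPolicy on the openshift-apiserver namespace so a miss in validation still cannot reach internal services.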
CVE-2025-14443 is a HIGH severity SSRF vulnerability in OpenShift Apiserver, allowing attackers to initiate connections to unintended resources via manipulated image references.
If you are running OpenShift Apiserver versions prior to the patched release, you are potentially affected by this SSRF vulnerability.
The recommended fix is to upgrade to a version of OpenShift Apiserver that includes the security patch. Consult the official OpenShift documentation for upgrade instructions.
At the time of writing there are no publicly known exploitation campaigns targeting CVE-2025-14443, but the absence of a public exploit is not a reason to delay patching.
Refer to the official OpenShift security advisories and release notes for details regarding CVE-2025-14443 and the corresponding fix.