Critical Flaws in Red Hat OpenShift: CVE-2024-45496 (CVSS 9.9) & CVE-2024-7387 (CVSS 9.1)

by do son · Published September 17, 2024 · Updated September 18, 2024

CVE-2024-45496 & CVE-2024-7387 - OpenShift

Red Hat OpenShift, the industry-leading hybrid cloud platform, known for its robust security features and trusted by over 3,000 customers, including a significant portion of the Global Fortune 500, is facing two critical vulnerabilities that could significantly impact its security posture. These vulnerabilities—CVE-2024-45496 and CVE-2024-7387—target the OpenShift Container Platform’s build process, allowing attackers to execute arbitrary commands and potentially escalate privileges on affected nodes.

The first vulnerability, with a CVSS score of 9.9, CVE-2024-45496 is a severe flaw in OpenShift’s build process. The vulnerability arises due to a misuse of elevated privileges during build initialization, where the git-clone container is run with a privileged security context. This allows attackers with developer-level access to inject malicious code via a crafted .gitconfig file, resulting in arbitrary command execution on the worker node.

While this vulnerability represents a significant threat, Red Hat’s advisory emphasizes that it does not affect OpenShift’s “Custom” build strategy, as the custom strategy already grants developers permission to run arbitrary commands in privileged containers. This strategy is disabled by default, and the documentation highlights that it should only be enabled for highly trusted users, such as cluster administrators.

The second vulnerability, CVE-2024-7387, with a CVSS score of 9.1, introduces another serious risk to OpenShift environments. This flaw allows command injection via path traversal, exploiting the spec.source.secrets.secret.destinationDir attribute in the BuildConfig definition. Malicious users can override executable files inside the privileged build container, leading to arbitrary command execution on the node running the container.

Similar to CVE-2024-45496, Red Hat points out that the vulnerability is not considered a privilege escalation path when using the “Custom” build strategy, which is restricted to trusted users by default. As in the previous case, MicroShift and the Shipwright-based Builds for Red Hat OpenShift Operator are not affected by this vulnerability.

Red Hat plans to release patches for both vulnerabilities. In addition to applying the patches, Red Hat recommends that cluster administrators restrict the use of the affected build strategies (“Docker” and “Source”) to highly trusted users until the updates can be deployed.

These vulnerabilities serve as a stark reminder of the importance of keeping software up-to-date and following security best practices. Organizations that rely on OpenShift should act quickly to protect their clusters from potential attacks.