REDHAT-BUG-2233087: Medium severity openshift vulnerability
The opa-openshift component is responsible for authorizing the requests going to the LokiStack through the gateway. Requests are authenticated using a token, and authorization happens by, among other things, checking for an RBAC privilege. To reduce the number of SubjectAccessReviews, the result of the authorization is cached in opa-openshift for a while. Currently, the key used for this cache is just the token, which is too broad: a user holding a token that is valid for one action can execute other actions as long as the cached authorization for the original action has not expired.
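To make the cache-key flaw concrete, here is an added illustration (not opa-openshift's own code): a small Go authorization cache keyed on the token alone, beside one keyed on the full (token, verb, resource, namespace) tuple, driven by a constructed policy and constructed requests. The `AccessRequest` type, `samplePolicy` rule and token values are assumptions made for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// AccessRequest: the inputs a SubjectAccessReview decides on (hypothetical type, not opa-openshift's).
type AccessRequest struct {
	Token, Verb, Resource, Namespace string
}

// tokenOnlyKey mirrors the flawed scheme: one token, one cached decision, whatever the
// action. scopedKey binds the decision to every input the review depends on (NUL-separated).
func tokenOnlyKey(r AccessRequest) string { return r.Token }
func scopedKey(r AccessRequest) string {
	return strings.Join([]string{r.Token, r.Verb, r.Resource, r.Namespace}, "\x00")
}

// authCache memoizes review results; TTL and eviction are omitted here.
type authCache struct {
	key     func(AccessRequest) string
	entries map[string]bool
}

// Authorize serves a cached decision if present, otherwise runs review (the stand-in SAR) and caches it.
func (c *authCache) Authorize(r AccessRequest, review func(AccessRequest) bool) bool {
	k := c.key(r)
	if allowed, ok := c.entries[k]; ok {
		return allowed
	}
	allowed := review(r)
	c.entries[k] = allowed
	return allowed
}

// samplePolicy is a constructed rule: token "t-alice" may only get logs in team-a.
func samplePolicy(r AccessRequest) bool {
	return r.Token == "t-alice" && r.Verb == "get" && r.Resource == "logs" && r.Namespace == "team-a"
}

// replay makes an allowed request, then a different action with the same token; returns whether that was granted.
func replay(key func(AccessRequest) string) bool {
	c := &authCache{key: key, entries: map[string]bool{}}
	c.Authorize(AccessRequest{"t-alice", "get", "logs", "team-a"}, samplePolicy)
	return c.Authorize(AccessRequest{"t-alice", "create", "logs", "team-b"}, samplePolicy)
}

func main() {
	fmt.Println("second action granted: token-only key =", replay(tokenOnlyKey), "scoped key =", replay(scopedKey))
}
```

With the token-only key the second request is served from the cached allow; with the scoped key it triggers its own review and is denied.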
Frequently Asked Questions
What is the severity of REDHAT-BUG-2233087?
The severity of REDHAT-BUG-2233087 is categorized as critical.
How do I fix REDHAT-BUG-2233087?
To fix REDHAT-BUG-2233087, update to the latest patched version of the opa-openshift component.
What software is affected by REDHAT-BUG-2233087?
The affected software includes the OpenShift opa-openshift component.
What issue does REDHAT-BUG-2233087 address?
REDHAT-BUG-2233087 addresses problems related to authorization and RBAC privilege checks in the opa-openshift component.
When was REDHAT-BUG-2233087 reported?
REDHAT-BUG-2233087 was reported in 2023.