REDHAT-BUG-2272339: High severity Openshift telemeter vulnerability
Description: When verifying the iss field, telemeter uses strings.Split(tokenData, ".") to extract the payload, which means that the user should submit a Compact type JWS Token. However, go-jose's jwt.ParseSigned(tokenData) also supports authenticating JWS Token of JSON type. That means if the attacker submits a Token like:
{ "fakeiss":".eyJpc3MiOiJhY2NvdW50cy5nb29nbGUuY29tIn0.", "protected":"", "header":"", "payload":"", "signature":"" }
The attacker can forge a token issued by Google to pass the verification(for example). If two server use the same pair of key, the attacker can use the token from the first server to deceive the second server, and cause the privilege escape. The original reporter has raised this issue to Kubernetes, and they have fixed this problem: https://github.com/kubernetes/kubernetes/pull/123540
---
https://github.com/openshift/telemeter Version: 4.17 Related Code: https://github.com/openshift/telemeter/blob/a9417a6062c3a31ed78c06ea3a0613a52f2029b2/pkg/authorize/jwt/clientauthorizer.go#L78
Affected Software
Event History
Frequently Asked Questions
What is the severity of REDHAT-BUG-2272339?
The severity of REDHAT-BUG-2272339 is categorized as important due to its impact on token authentication.
How do I fix REDHAT-BUG-2272339?
To fix REDHAT-BUG-2272339, ensure that the submitted tokens are Compact type JWS Tokens as required by the telemeter verification process.
What are the consequences of exploiting REDHAT-BUG-2272339?
Exploiting REDHAT-BUG-2272339 may lead to improper validation of JWT tokens, potentially allowing unauthorized access.
Which versions of OpenShift Telemetry are affected by REDHAT-BUG-2272339?
REDHAT-BUG-2272339 affects OpenShift Telemetry versions that utilize the vulnerable token verification method.
Is there a workaround for REDHAT-BUG-2272339?
A temporary workaround for REDHAT-BUG-2272339 is to manually validate and ensure that only Compact type JWS Tokens are accepted.