Strix
26.1K

CVE-2021-20238

LOWCVSS 3.7/10EPSS 0.73%

Last modified

CVE-2021-20238 is a low-severity vulnerability rated 3.7/10 on the CVSS scale. It was found in OpenShift Container Platform 4 that ignition config, served by the Machine Config Server, can be accessed externally from clusters without authentication. The MCS endpoint (port 22623) provides ignition configuration used for bootstrapping Nodes and can include some sensitive data, e.g. EPSS estimates a 0.73% chance of exploitation in the next 30 days.

Description

It was found in OpenShift Container Platform 4 that ignition config, served by the Machine Config Server, can be accessed externally from clusters without authentication. The MCS endpoint (port 22623) provides ignition configuration used for bootstrapping Nodes and can include some sensitive data, e.g. registry pull secrets. There are two scenarios where this data can be accessed. The first is on Baremetal, OpenStack, Ovirt, Vsphere and KubeVirt deployments which do not have a separate internal API endpoint and allow access from outside the cluster to port 22623 from the standard OpenShift API Virtual IP address. The second is on cloud deployments when using unsupported network plugins, which do not create iptables rules that prevent to port 22623. In this scenario, the ignition config is exposed to all pods within the cluster and cannot be accessed externally.

Metrics

CVSS 3.1
3.7/10

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS Probability
0.73%

49.7th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersions
RedhatOpenshift Container Platform4.0
RedhatOpenshift Machine-Config-Operator<= 4.9.0

References

Timeline

Published
Last Modified
Status
Modified

Frequently Asked Questions

What is CVE-2021-20238?
It was found in OpenShift Container Platform 4 that ignition config, served by the Machine Config Server, can be accessed externally from clusters without authentication. The MCS endpoint (port 22623) provides ignition configuration used for bootstrapping Nodes and can include some sensitive data, e.g. registry pull secrets. There are two scenarios where this data can be accessed. The first is on Baremetal, OpenStack, Ovirt, Vsphere and KubeVirt deployments which do not have a separate internal API endpoint and allow access from outside the cluster to port 22623 from the standard OpenShift API Virtual IP address. The second is on cloud deployments when using unsupported network plugins, which do not create iptables rules that prevent to port 22623. In this scenario, the ignition config is exposed to all pods within the cluster and cannot be accessed externally.
How severe is CVE-2021-20238?
CVE-2021-20238 has a CVSS score of 3.7/10 (LOW severity). The EPSS model estimates a 0.73% probability of exploitation in the next 30 days.
How do I fix CVE-2021-20238?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2021-20238?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST