RHSB-2022-001 Polkit Privilege Escalation - (CVE-2021-4034) - OSD/ROSA/ARO

Solution Verified - Updated -

Environment

  • OpenShift Dedicated (OSD)
  • Red Hat OpenShift on AWS (ROSA)
  • Azure Red Hat OpenShift (ARO)

Issue

  • How does RHSB-2022-001 Polkit Privilege Escalation - (CVE-2021-4034) affect Red Hat Managed Services?

  • Affects the following Red Hat Managed Services:

    • OpenShift Dedicated (OSD)
    • Red Hat OpenShift on AWS (ROSA)
    • Azure Red Hat OpenShift (ARO)
  • How can this CVE affect the environment?

  • In what ways can this be mitigated?

Resolution

  • Exploiting this vulnerability requires already having enough privileged access to reach the cluster nodes, which is not enabled by default.

    • A cluster-admin user or higher is needed to access polkit.
  • It is not possible to elevate container permissions.

  • A fix will come in a future z-stream of OCP.

  • Please be sure to audit privileged access to the cluster to prevent any related issues.
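
One way to run the audit recommended above, added here as an example and not part of Red Hat's solution: it lists the subjects bound to the cluster-admin ClusterRole from `oc get clusterrolebindings -o json` output. The sample bindings, the subject names and the `system:` filter are constructed assumptions, and only cluster-wide bindings are examined.

```python
import json
import sys

# Constructed sample in the shape of `oc get clusterrolebindings -o json` output.
SAMPLE = json.dumps({"kind": "List", "items": [
    {"metadata": {"name": "cluster-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
    {"metadata": {"name": "cluster-admins"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:cluster-admins"},
                  {"kind": "User", "name": "alice@example.com"}]},
    {"metadata": {"name": "ci-deployer-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "deployer", "namespace": "ci"}]},
    {"metadata": {"name": "view-all"},
     "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "Group", "name": "developers"}]},
    {"metadata": {"name": "orphan"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": None},
]})


def privileged_subjects(doc, roles=("cluster-admin",)):
    """Return sorted (binding, kind, subject) tuples for bindings to the given ClusterRoles."""
    found = set()
    for item in json.loads(doc).get("items", []):
        ref = item.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") not in roles:
            continue
        for subj in item.get("subjects") or []:  # subjects may be absent or null
            name = subj["name"]
            if subj["kind"] == "ServiceAccount":
                name = f"{subj.get('namespace', '?')}/{name}"
            found.add((item["metadata"]["name"], subj["kind"], name))
    return sorted(found)


def needs_review(rows):
    """Heuristic (assumption): keep subjects that are not built-in `system:` identities."""
    return [row for row in rows if not row[2].startswith("system:")]


if __name__ == "__main__":
    # Pipe real `oc` output on stdin; with no pipe, the constructed sample is used.
    doc = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for binding, kind, name in needs_review(privileged_subjects(doc)):
        print(f"{kind:15} {name:30} via {binding}")
```

Each subject it prints should map to a named owner with a current need for node-level access; anything else is a candidate for removal.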

Root Cause

Please see the following security bulletin for more information:

  • https://access.redhat.com/security/vulnerabilities/RHSB-2022-001

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
