CVE-2021-3344
📋 TL;DR
This vulnerability allows authenticated OpenShift users who can execute code during container build time to access credentials that are automatically mounted into the build container. They can then use these credentials to overwrite arbitrary container images in internal registries or escalate their privileges. This affects OpenShift deployments using the vulnerable builder component.
💻 Affected Systems
- OpenShift Container Platform
- OpenShift builder component
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
An attacker could compromise the entire OpenShift cluster by overwriting critical system images, gaining administrative access, and potentially exfiltrating sensitive data or disrupting operations.
Likely Case
Malicious users with build permissions could escalate privileges within the cluster, modify or replace container images, and potentially access credentials for other systems.
If Mitigated
With proper access controls and network segmentation, the impact is limited to the build environment, though credential exposure remains a concern.
🎯 Exploit Status
Exploitation requires authenticated access to OpenShift with build execution permissions and the ability to run arbitrary code during build time.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: OpenShift 4.6.18, 4.7.2, and later versions
Vendor Advisory: https://access.redhat.com/security/cve/cve-2021-3344
Restart Required: Yes
Instructions:
1. Update OpenShift to version 4.6.18, 4.7.2, or later.
2. Apply the security update through the OpenShift update mechanism.
3. Restart affected builder pods and nodes.
4. Verify the update was successful.
🔧 Temporary Workarounds
Restrict Build Permissions
Limit which users can execute builds to trusted administrators only. The following commands remove the Docker and Source build strategies from every authenticated user cluster-wide; grant them back to specific groups or users afterwards as needed.
oc adm policy remove-cluster-role-from-group system:build-strategy-docker system:authenticated
oc adm policy remove-cluster-role-from-group system:build-strategy-source system:authenticated
Disable Automatic Credential Mounting
Modify build configurations so that no source secrets are mounted into the build container. The patch below clears spec.source.secrets on a single BuildConfig; replace <name> with the BuildConfig name and run it in the relevant project.
oc patch buildconfig <name> -p '{"spec":{"source":{"secrets":[]}}}'
🧯 If You Can't Patch
- Implement strict role-based access control (RBAC) to limit build permissions to essential users only.
- Monitor build logs and container registry access for suspicious activity, particularly unauthorized image modifications.
🔍 How to Verify
Check if Vulnerable:
Check OpenShift version: oc version. If using OpenShift 4.6.x earlier than 4.6.18 or 4.7.x earlier than 4.7.2, you are vulnerable.
Check Version:
oc version
Verify Fix Applied:
Verify OpenShift version is 4.6.18, 4.7.2, or later using oc version. Check that builder pods are running updated images.
📡 Detection & Monitoring
Log Indicators:
- Unusual build activity from non-admin users
- Failed attempts to access credentials during builds
- Unexpected modifications to container images in registry logs
Network Indicators:
- Unusual network traffic from build pods to container registry
- Multiple image push attempts from build contexts
SIEM Query:
source="openshift-audit.log" AND ((verb="create" AND objectRef.resource="builds" AND user.username!="system:admin") OR (verb="update" AND objectRef.resource="imagestreamtags"))
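The log indicators above as runnable detection logic, an added example that is not part of the advisory or of OpenShift itself. It assumes Kubernetes-style JSON audit events (verb, user.username, objectRef.resource/namespace/name), a constructed trusted-user list, and constructed sample events; it also flags a builder service account writing an imagestreamtag outside its own namespace, the registry-side effect this CVE enables.

```python
import json

# Constructed allow-list: accounts whose build creations are expected.
TRUSTED_USERS = {"system:admin",
                 "system:serviceaccount:openshift-infra:build-controller"}

# Constructed audit events, one JSON object per line; not real cluster output.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    {"verb": "create", "user": {"username": "system:admin"},
     "objectRef": {"resource": "builds", "namespace": "ci", "name": "app-1"}},
    {"verb": "create", "user": {"username": "dev-bob"},
     "objectRef": {"resource": "builds", "namespace": "ci", "name": "app-2"}},
    {"verb": "update", "user": {"username": "system:serviceaccount:ci:builder"},
     "objectRef": {"resource": "imagestreamtags", "namespace": "openshift",
                   "name": "cli:latest"}},
    {"verb": "get", "user": {"username": "dev-bob"},
     "objectRef": {"resource": "pods", "namespace": "ci", "name": "app-2-build"}},
])


def _field(event, *path):
    """Walk a nested dict; return "" if any key is missing or not a string."""
    for key in path:
        event = event.get(key, {}) if isinstance(event, dict) else {}
    return event if isinstance(event, str) else ""


def scan_audit_log(text, trusted=TRUSTED_USERS):
    """Return (line, reason, user, namespace/name) tuples for builds created by
    untrusted users and for any write to an imagestreamtag, distinguishing
    writes by a service account into a namespace other than its own."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            findings.append((lineno, "unparseable-audit-line", "", ""))
            continue
        verb, user = _field(ev, "verb"), _field(ev, "user", "username")
        resource = _field(ev, "objectRef", "resource")
        ns = _field(ev, "objectRef", "namespace")
        target = f"{ns}/{_field(ev, 'objectRef', 'name')}"
        if verb == "create" and resource == "builds" and user not in trusted:
            findings.append((lineno, "build-by-untrusted-user", user, target))
        elif verb in ("create", "update", "patch") and resource == "imagestreamtags":
            parts = user.split(":")  # system:serviceaccount:<ns>:<name>
            sa_ns = parts[2] if user.startswith("system:serviceaccount:") and len(parts) == 4 else None
            reason = "cross-namespace-imagestreamtag-write" if sa_ns and sa_ns != ns else "imagestreamtag-write"
            findings.append((lineno, reason, user, target))
    return findings
```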