CVE-2021-3528

8.8 HIGH

📋 TL;DR

In noobaa-operator before 5.7.0, the internal RPC AuthToken that the operator uses to authenticate to the NooBaa core is written into the operator's own log. Anyone who can read that log (kubectl logs on the operator pod, the kubelet's copies of the container log on the node, or a central log store the log is forwarded to) can replay the token and act as the operator against the NooBaa deployment, reading and modifying its configuration and the data it manages. Patching stops the token from being logged but does not invalidate a token that was already written out, so affected deployments have to rotate it as well.

💻 Affected Systems

Products:
  • noobaa-operator
Versions: before 5.7.0
Operating Systems: Kubernetes and OpenShift clusters (Linux container environments)
Default Config Vulnerable: ⚠️ Yes
Notes: Affects any deployment where the noobaa-operator pod log (kubectl logs, the node's container log files, or forwarded copies in a log store) is readable by users who are not trusted to administer NooBaa.

📦 What is this software?

NooBaa is a software-defined, S3-compatible object storage service for Kubernetes, and noobaa-operator is the Kubernetes operator that installs and manages it; it also ships as a component of Red Hat OpenShift Container Storage (OpenShift Data Foundation). The operator drives the NooBaa core over an internal RPC interface and authenticates those calls with an AuthToken. That token is the secret this CVE leaks.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full compromise of the NooBaa deployment: the leaked token gives an attacker the operator's privileges over the internal RPC interface, allowing them to read data and credentials NooBaa holds, change system and bucket configuration, disrupt the service, or use what they find to pivot to connected systems.

🟠

Likely Case

Unauthorized read and write access to NooBaa configuration and the data it manages, with data exposure or service disruption as the probable outcome.

🟢

If Mitigated

Limited impact when read access to the operator's logs is restricted to administrators, the logged token has been rotated, and network policy keeps anything other than the operator from reaching the NooBaa RPC endpoint.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires read access to operator log output that contains a leaked AuthToken (kubectl logs on the pod, the kubelet's log files on the node, or a forwarded copy in a central log store). No NooBaa credentials are needed beyond the token itself.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.7.0 and later

Vendor Advisory: https://bugzilla.redhat.com/show_bug.cgi?id=1955601

Restart Required: Yes

Instructions:

  1. Update noobaa-operator to 5.7.0 or later using whatever installed it (the OLM subscription for the operator, or the Deployment image for a manual install).
  2. Restart the noobaa-operator pod if the upgrade did not already roll it out.
  3. Verify that the running image is 5.7.0 or later and that a fresh operator log contains no AuthToken.
  4. Rotate the AuthToken: the patch stops future logging, but a token already written to earlier logs (and to any archive or log forwarder) remains valid until it is replaced.

🔧 Temporary Workarounds

Restrict access to the operator's logs

noobaa-operator runs as a pod, so its log is not a file the operator owns: it is read through the Kubernetes API (the pods/log subresource, which is what kubectl logs calls) and stored by the kubelet on the node under /var/log/pods. Limit both paths until you can upgrade:

  • In the operator's namespace, remove the get verb on pods/log from every Role or ClusterRole binding that does not strictly need it, then confirm who can still read the log, for example:

kubectl -n <noobaa-namespace> auth can-i get pods --subresource=log --as=<user-or-system:serviceaccount:ns:name>

  • Treat node filesystem access (SSH, hostPath mounts, privileged pods) as log access; the kubelet's log files are readable by root on the node.
  • If the log is shipped to a central store (Loki, Elasticsearch, Splunk or similar), the token is there as well: restrict access to, or purge, those copies.

Rotate the AuthToken

A token that has already been logged must be treated as compromised even after log access is tightened. Deleting the Kubernetes Secret the operator reads its token from and restarting the operator makes it obtain a fresh token; the Secret name below is illustrative, use the one that holds the operator token in your deployment:

kubectl -n <noobaa-namespace> delete secret noobaa-auth-token
kubectl -n <noobaa-namespace> rollout restart deployment/noobaa-operator

Removing the Secret only discards the operator's copy. Confirm for your NooBaa version that the core no longer accepts the old token afterwards; otherwise the leaked value remains usable.

🧯 If You Can't Patch

  • Restrict read access to the operator's logs (pods/log in the operator namespace, the node filesystem, and any central log store they are forwarded to) to NooBaa administrators.
  • Rotate the AuthToken and purge or redact the logged value from archives and forwarded copies, since the token already logged stays valid.
  • Monitor log access and alert on reads of the operator's logs by unexpected identities (Kubernetes audit events on the pods/log subresource in the operator namespace).

🔍 How to Verify

Check if Vulnerable:

Read the image the operator Deployment is running, in the namespace the operator is installed in (openshift-storage on OpenShift Container Storage):

kubectl -n <noobaa-namespace> get deployment noobaa-operator -o jsonpath='{.spec.template.spec.containers[0].image}'

Check Version:

kubectl -n <noobaa-namespace> get deployment noobaa-operator -o jsonpath='{.spec.template.spec.containers[0].image}' | grep -o '5\.[0-9]*\.[0-9]*'

The grep only extracts a version string; compare it against 5.7.0 yourself. It prints nothing when the image is referenced by digest rather than by tag (common for OLM-managed operators); in that case read the version from the installed ClusterServiceVersion (kubectl -n <noobaa-namespace> get csv) or from the operator's release metadata.
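As an added example (not code from the advisory or from the NooBaa project), the POSIX shell functions below turn an image reference like the one printed above into a vulnerable/not-vulnerable answer, handling a v prefix on the tag, registries with a port, and digest-only references where no tag can be read. FIXED_VERSION, the function names, the namespace placeholder and the sample image references are assumptions of this example; pre-release suffixes on a tag are ignored.

```shell
#!/bin/sh
# Added example, not code from the advisory or from noobaa-operator.
# Decide from an image reference whether the noobaa-operator it points at
# predates the 5.7.0 fix for CVE-2021-3528.
#   exit 0 -> tag is below 5.7.0 (vulnerable)
#   exit 1 -> tag is 5.7.0 or later
#   exit 2 -> no semver-like tag (e.g. digest-only reference): read the
#             version from the ClusterServiceVersion or release notes instead

FIXED_VERSION="5.7.0"

# Print the X.Y.Z part of an image tag, or nothing if there is no such tag.
# Handles  repo/name:5.6.0   registry:5000/name:v5.7.1   name@sha256:...
# A pre-release suffix such as -rc1 is dropped.
image_version() {
    ref="${1%%@*}"                     # drop any @sha256:... digest
    case "$ref" in
        *:*) tag="${ref##*:}" ;;       # text after the last ':'
        *)   return 0 ;;               # no tag at all
    esac
    case "$tag" in
        */*) return 0 ;;               # the ':' belonged to a registry port
    esac
    printf '%s\n' "$tag" | sed -n 's/^v\{0,1\}\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Print -1, 0 or 1 for A < B, A == B, A > B, comparing each component numerically
# (so 5.10.0 sorts after 5.7.0, which a plain string compare would get wrong).
semver_cmp() {
    printf '%s %s\n' "$1" "$2" | awk '{
        split($1, a, "."); split($2, b, ".")
        for (i = 1; i <= 3; i++) {
            if (a[i] + 0 < b[i] + 0) { print -1; exit }
            if (a[i] + 0 > b[i] + 0) { print 1; exit }
        }
        print 0
    }'
}

noobaa_operator_image_vulnerable() {
    v="$(image_version "$1")"
    [ -n "$v" ] || return 2
    [ "$(semver_cmp "$v" "$FIXED_VERSION")" -lt 0 ]
}

# Usage against a live cluster (namespace placeholder assumed):
#   img=$(kubectl -n <noobaa-namespace> get deployment noobaa-operator \
#         -o jsonpath='{.spec.template.spec.containers[0].image}')
#   noobaa_operator_image_vulnerable "$img" && echo "VULNERABLE: $img"
```

The exit code 2 path matters in practice: an operator whose image is pinned by digest is not proven safe by this check, only unclassified, and the version has to come from the ClusterServiceVersion or release metadata instead.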

Verify Fix Applied:

The running image reports 5.7.0 or later, and a fresh operator log taken after the restart contains no AuthToken value. Confirm as well that the token seen in earlier logs has been rotated, since the upgrade alone leaves it valid.

📡 Detection & Monitoring

Log Indicators:

  • AuthToken values in noobaa-operator log lines: check both the AuthToken and auth_token spellings of the key, and bare JWT-shaped strings (three dot-separated base64url segments) printed without any key name.
  • Reads of the operator's logs by unexpected users or service accounts (Kubernetes audit events on the pods/log subresource in the operator namespace), and access to the kubelet's log files on the nodes.

Network Indicators:

  • RPC calls to the NooBaa core that present the operator's AuthToken but do not originate from the noobaa-operator pod.

SIEM Query:

source="noobaa-operator" AND ("AuthToken" OR "auth_token")
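The SIEM query above finds lines that mention the key; it does not tell you whether a usable token value is on the line, and copying the hit into a ticket re-leaks it. The following POSIX shell scanner, added here as an example and not code from the advisory or the NooBaa project, reads log lines from stdin, flags lines carrying a token under either key spelling or as a bare JWT-shaped string, and prints them with the value redacted. The key spellings are assumptions, and the sample log lines are constructed for the example rather than real NooBaa output.

```shell
#!/bin/sh
# Added example, not code from the advisory or from noobaa-operator.
# Scan log lines (stdin) for leaked AuthTokens and print the offending lines
# with the token value replaced by <REDACTED>, so the scanner's own output
# does not re-leak the secret. Two detections are combined:
#   1. a key spelled auth_token / AuthToken / authToken followed by a value of
#      at least 16 token characters (shorter values such as "null" are noise);
#   2. any JWT-shaped string (three dot-separated base64url segments), which
#      catches a bearer token printed without a recognisable key name.
# The key spellings are assumptions; the sample log below is constructed.

scan_leaked_tokens() {
    awk '
        BEGIN {
            key_re = "[Aa]uth_?[Tt]oken\"?[[:space:]]*[=:][[:space:]]*\"?[A-Za-z0-9._-]+"
            val_re = "[A-Za-z0-9._-]+$"
            jwt_re = "eyJ[A-Za-z0-9_-]+[.][A-Za-z0-9_-]+[.][A-Za-z0-9_-]+"
        }
        {
            hit = 0
            if (match($0, key_re)) {
                s = RSTART; l = RLENGTH
                kv = substr($0, s, l)
                match(kv, val_re)                 # trailing run = the value
                if (RLENGTH >= 16) {
                    kv = substr(kv, 1, RSTART - 1) "<REDACTED>"
                    $0 = substr($0, 1, s - 1) kv substr($0, s + l)
                    hit = 1
                }
            }
            if (gsub(jwt_re, "<REDACTED>") > 0) hit = 1
            if (hit) print
        }'
}

# Number of leaking lines in stdin.
count_leaked_tokens() {
    scan_leaked_tokens | wc -l | tr -d ' '
}

# Constructed sample of the kind of lines an operator log might hold.
sample_log() {
    cat <<'EOF'
2021-04-29T10:15:02Z INFO  reconciling system noobaa in namespace openshift-storage
2021-04-29T10:15:03Z DEBUG rpc connect {"auth_token":"eyJhbGciOiJIUzI1NiJ9.eyJzeXN0ZW0iOiJub29iYWEifQ.c2lnbmF0dXJlLXNhbXBsZQ"}
2021-04-29T10:15:03Z DEBUG ServiceAccount token read, length=8
2021-04-29T10:15:04Z INFO  AuthToken: null (not yet issued)
2021-04-29T10:15:05Z DEBUG request headers: authorization=Bearer eyJhbGciOiJIUzI1NiJ9.eyJhIjoiYiJ9.YWJjZGVmZ2hpamtsbW5vcA
2021-04-29T10:15:06Z INFO  bucket reconcile done
EOF
}

# Usage against a live cluster (namespace placeholder assumed):
#   kubectl -n <noobaa-namespace> logs deployment/noobaa-operator | scan_leaked_tokens
```

On the constructed sample the scanner reports two leaking lines: the rpc connect line (redacted to "auth_token":"<REDACTED>") and the Bearer header line; the "AuthToken: null" line is ignored because its value is too short to be a token. Run the same function over exported log archives and forwarder buffers, not only over the live pod, since those copies carry the token too.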

🔗 References

  • Red Hat Bugzilla 1955601: https://bugzilla.redhat.com/show_bug.cgi?id=1955601
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2021-3528
