CVE-2023-0813

7.5 HIGH

📋 TL;DR

This vulnerability in the Network Observability plugin for OpenShift console allows authentication bypass when Loki authToken configuration is not set to FORWARD mode. Any user with access to the OpenShift Console can retrieve network flow data without proper authentication. This affects OpenShift clusters running the vulnerable Network Observability plugin.

💻 Affected Systems

Products:
  • OpenShift Container Platform
  • Red Hat OpenShift
Versions: OpenShift 4.12 with Network Observability plugin versions before 1.2.0
Operating Systems: Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects clusters with Network Observability plugin installed. Vulnerability exists when Loki authToken configuration is NOT set to FORWARD mode.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Unauthorized users gain access to sensitive network flow data, potentially exposing internal network topology, communication patterns, and sensitive application data flows.

🟠 Likely Case

Internal users with console access can view network monitoring data they shouldn't have permission to access, potentially violating data segregation policies.

🟢 If Mitigated

With proper configuration (authToken set to FORWARD), authentication is enforced and only authorized users can access network flow data.

🌐 Internet-Facing: MEDIUM - The console itself may be internet-facing, but exploitation requires console access, which normally requires authentication; the vulnerability bypasses the additional authorization checks that should apply after login.
🏢 Internal Only: HIGH - Internal users with console access can use this to bypass authorization controls and read network monitoring data.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to OpenShift Console. The vulnerability is a configuration-based authentication bypass rather than a code execution flaw.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Network Observability plugin 1.2.0

Vendor Advisory: https://access.redhat.com/errata/RHSA-2023:0786

Restart Required: Yes

Instructions:

1. Update OpenShift to version 4.12.0 or later.
2. Update the Network Observability plugin to version 1.2.0 or later.
3. Ensure the Loki authToken configuration is set to FORWARD mode.
4. Restart the affected components.

🔧 Temporary Workarounds

Configure Loki authToken to FORWARD mode (Linux)

Set the Loki authToken configuration to FORWARD mode to enforce authentication:

oc patch networkobservability/default --type=merge -p '{"spec":{"loki":{"authToken":"FORWARD"}}}'

🧯 If You Can't Patch

  • Apply the workaround to set Loki authToken configuration to FORWARD mode
  • Restrict access to OpenShift Console to only authorized users
  • Monitor for unauthorized access to network flow data

🔍 How to Verify

Check if Vulnerable:

Check the Loki authToken configuration of the Network Observability plugin:

oc get networkobservability/default -o json | jq '.spec.loki.authToken'

Check Version:

oc get networkobservability/default -o json | jq '.metadata.labels["app.kubernetes.io/version"]'

Verify Fix Applied:

Verify that the plugin version is 1.2.0 or later and that authToken is set to FORWARD:

oc get networkobservability/default -o json | jq '.metadata.labels["app.kubernetes.io/version"]'
oc get networkobservability/default -o json | jq '.spec.loki.authToken'
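The two verification commands above can be folded into one offline check that classifies a saved copy of the custom resource. The script below is an added example, not part of this advisory or of Red Hat's tooling; it assumes the resource shape implied by the commands above (a version label under `metadata.labels["app.kubernetes.io/version"]` and the mode under `spec.loki.authToken`) and uses constructed sample documents rather than output from a real cluster.

```python
import json
import re
import sys

VERSION_LABEL = "app.kubernetes.io/version"   # label key used by the advisory's check
FIXED_VERSION = (1, 2, 0)                      # first fixed plugin release per the advisory

# Constructed sample CRs (not real cluster output), shaped like the JSON that
# `oc get networkobservability/default -o json` is described as returning.
VULNERABLE_CR = json.dumps({
    "metadata": {"name": "default", "labels": {VERSION_LABEL: "1.1.0"}},
    "spec": {"loki": {"authToken": "DISABLED"}},
})
FIXED_CR = json.dumps({
    "metadata": {"name": "default", "labels": {VERSION_LABEL: "v1.2.0"}},
    "spec": {"loki": {"authToken": "FORWARD"}},
})
UNLABELED_CR = json.dumps({"metadata": {"name": "default"}, "spec": {"loki": {}}})


def parse_version(text):
    """Turn '1.2.0' or 'v1.2.0-rc1' into a comparable tuple; None if unparsable."""
    if text is None:
        return None
    m = re.match(r"v?(\d+)\.(\d+)(?:\.(\d+))?", str(text))
    if not m:
        return None
    return tuple(int(part or 0) for part in m.groups())


def assess(cr_json):
    """Classify one CR document against the advisory's two conditions.

    A missing or unparsable version label is treated as unpatched, and a
    missing authToken as 'not FORWARD', so gaps in the data fail closed.
    """
    cr = json.loads(cr_json)
    labels = cr.get("metadata", {}).get("labels", {}) or {}
    version = parse_version(labels.get(VERSION_LABEL))
    auth_token = cr.get("spec", {}).get("loki", {}).get("authToken")

    patched = version is not None and version >= FIXED_VERSION
    forward = auth_token == "FORWARD"

    if patched and forward:
        status = "FIXED"                 # both advisory conditions met
    elif forward:
        status = "MITIGATED_BY_CONFIG"   # old plugin, but FORWARD enforces auth
    elif patched:
        status = "NOT_IN_FORWARD_MODE"   # advisory still requires FORWARD after update
    else:
        status = "VULNERABLE"

    return {
        "version": version,
        "authToken": auth_token,
        "patched": patched,
        "forward": forward,
        # The advisory ties the weakness to authToken != FORWARD, so anything
        # not in FORWARD mode is reported as needing action.
        "vulnerable": not forward,
        "status": status,
    }


if __name__ == "__main__":
    # Usage: python check_netobserv.py cr.json   (or no argument to run the samples)
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            print(json.dumps(assess(fh.read()), indent=2))
    else:
        for name, doc in (("vulnerable", VULNERABLE_CR), ("fixed", FIXED_CR)):
            print(name, "->", assess(doc)["status"])
```

Save the CR with `oc get networkobservability/default -o json > cr.json` and run the script against the file; a `VULNERABLE` or `NOT_IN_FORWARD_MODE` result means the workaround above still needs to be applied.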

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized access attempts to network flow endpoints
  • Authentication failures for network observability queries

Network Indicators:

  • Unusual network traffic patterns to Loki endpoints from unauthorized sources

SIEM Query:

source="openshift-console" AND (url_path="/api/network-observability" OR url_path="/api/loki") AND user NOT IN authorized_users_list
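The SIEM query above expresses the detection idea in a generic query language; the script below is an added example (not from this advisory or from Red Hat) that applies the same rule to constructed console access-log lines. It assumes a simple `user=… path=… status=…` line format and the two URL path prefixes named in the query; real console log formats differ, so the regular expression is the part to adapt. A successful (200) request to a watched path from a user outside the authorized list is the strongest indicator that authorization was bypassed, whereas a 403 shows enforcement working.

```python
import re

# Constructed sample access-log lines (not real cluster logs).
SAMPLE_LOGS = [
    "2023-02-01T10:00:01Z user=netops-admin path=/api/network-observability/flows status=200",
    "2023-02-01T10:00:05Z user=dev-alice path=/api/loki/query_range status=200",
    "2023-02-01T10:00:09Z user=dev-alice path=/api/kubernetes/pods status=200",
    "2023-02-01T10:00:12Z user=netops-admin path=/api/loki/labels status=200",
    "2023-02-01T10:00:20Z user=svc-ci path=/api/network-observability/flows status=403",
    "malformed line that the parser must skip",
]

# Users expected to query network flow data (assumed allow-list for the sample).
AUTHORIZED_USERS = {"netops-admin"}

# Path prefixes from the advisory's SIEM query; prefix-matched so sub-paths count.
WATCHED_PREFIXES = ("/api/network-observability", "/api/loki")

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+path=(?P<path>\S+)\s+status=(?P<status>\d+)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None so bad lines are skipped."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_unauthorized(lines, authorized=AUTHORIZED_USERS):
    """All requests to watched paths by users outside the allow-list."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if not rec["path"].startswith(WATCHED_PREFIXES):
            continue
        if rec["user"] in authorized:
            continue
        hits.append(rec)
    return hits


def successful_bypasses(lines, authorized=AUTHORIZED_USERS):
    """Subset of unauthorized requests that actually returned data (HTTP 200)."""
    return [h for h in find_unauthorized(lines, authorized) if h["status"] == 200]


if __name__ == "__main__":
    for hit in find_unauthorized(SAMPLE_LOGS):
        verdict = "BYPASS" if hit["status"] == 200 else "denied"
        print(f"{hit['ts']} {hit['user']} {hit['path']} -> {verdict}")
```

Running it over the sample lines reports `dev-alice` as a bypass on `/api/loki/query_range` and `svc-ci` as a denied attempt; only the former should page an on-call responder.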
