CVE-2023-3361

7.7 HIGH

📋 TL;DR

This vulnerability in Red Hat OpenShift Data Science exposes S3 credentials in plain text when exporting pipelines from the Elyra notebook pipeline editor. Attackers who gain access to exported pipeline files can steal cloud storage credentials. This affects OpenShift Data Science users who export pipelines as Python DSL or YAML.

💻 Affected Systems

Products:
  • Red Hat OpenShift Data Science
Versions: OpenShift Data Science 1.x versions before the fix
Operating Systems: Linux (OpenShift/Kubernetes platforms)
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects pipeline exports from the Elyra notebook pipeline editor as Python DSL or YAML. Requires S3 credentials configured in the cluster.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Attackers obtain S3 credentials, leading to data exfiltration, unauthorized data modification, or lateral movement to other cloud resources.

🟠 Likely Case: Internal users or attackers with access to exported pipeline files can read sensitive S3 credentials stored in plain text.

🟢 If Mitigated: With proper access controls and monitoring, credential exposure is limited to authorized users who already have pipeline access.

🌐 Internet-Facing: LOW - This requires access to exported pipeline files, which are typically not internet-facing.
🏢 Internal Only: HIGH - Internal users or attackers who breach the environment can access sensitive credentials in exported files.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to exported pipeline files. No authentication bypass needed if files are accessible.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: OpenShift Data Science 1.28.0 and later

Vendor Advisory: https://access.redhat.com/security/cve/CVE-2023-3361

Restart Required: Yes

Instructions:

1. Update OpenShift Data Science to version 1.28.0 or later.
2. Restart affected components.
3. Verify pipeline exports no longer contain plain text credentials.

🔧 Temporary Workarounds

Disable pipeline exports (applies to: all): Temporarily disable pipeline export functionality in the Elyra notebook pipeline editor.

Credential rotation (applies to: all): Rotate all S3 credentials used by OpenShift Data Science pipelines.

🧯 If You Can't Patch

  • Implement strict access controls on exported pipeline files and storage locations
  • Monitor and audit access to exported pipeline files for suspicious activity

🔍 How to Verify

Check if Vulnerable:

Export a pipeline from the Elyra notebook pipeline editor as Python DSL or YAML and check whether S3 credentials appear in plain text.

Check Version:

oc get csv -n redhat-ods-operator | grep rhods-operator

Verify Fix Applied:

After patching, export a pipeline and confirm credentials are replaced with Kubernetes secret references instead of plain text
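As an added example (not part of this advisory, nor code from Red Hat or the Elyra project), the following scanner automates the check above: it reads an exported pipeline (KFP YAML or Python DSL), reports every S3 credential key whose value is a plain-text literal, and skips values resolved through a Kubernetes secret reference (valueFrom/secretKeyRef). The key names are those from the SIEM query in the detection section; the embedded sample export is constructed.

```python
import re

# Credential key names taken from the advisory's SIEM query (matched case-insensitively).
CRED_KEY = r"(?:s3_access_key|s3_secret_key|aws_access_key_id|aws_secret_access_key)"
QUOTE = r"""['"]?"""
LITERAL = r"""[^'"\s,}]+"""
ENV_NAME = re.compile(rf"^\s*-?\s*name:\s*{QUOTE}({CRED_KEY}){QUOTE}\s*$", re.I)
SECRET_KEY_LINE = re.compile(rf"^\s*key:\s*{QUOTE}{CRED_KEY}{QUOTE}\s*$", re.I)
INLINE_LITERAL = re.compile(rf"{QUOTE}({CRED_KEY}){QUOTE}\s*[:=]\s*{QUOTE}({LITERAL})", re.I)
ENV_VALUE = re.compile(rf"^\s*value:\s*{QUOTE}({LITERAL})")
ENV_REF = re.compile(r"^\s*(?:valueFrom|secretKeyRef)\b")

def scan_pipeline_export(text):
    """Return [(line_no, key, literal)] for each credential key carried as a plain-text
    literal; keys resolved through a Kubernetes secret reference are not reported."""
    lines = text.splitlines()
    findings = []
    for i, line in enumerate(lines):
        if SECRET_KEY_LINE.match(line):
            continue  # 'key: AWS_...' under secretKeyRef names the Secret's key, not a value
        m = ENV_NAME.match(line)
        if m:  # Kubernetes env entry: inspect its body until the next item or a dedent
            for nxt in lines[i + 1:]:
                if nxt.strip() and len(nxt) - len(nxt.lstrip()) <= len(line) - len(line.lstrip()):
                    break
                if ENV_REF.match(nxt):
                    break  # valueFrom/secretKeyRef: the credential stays in the Secret
                v = ENV_VALUE.match(nxt)
                if v:
                    findings.append((i + 1, m.group(1), v.group(1)))
                    break
            continue
        m = INLINE_LITERAL.search(line)
        if m:  # flat YAML or Python DSL: key: literal / "key": "literal" / key = "literal"
            findings.append((i + 1, m.group(1), m.group(2)))
    return findings

# Constructed sample: a vulnerable env entry, the fixed secretKeyRef form, and a DSL literal.
SAMPLE = """\
      env:
      - name: AWS_ACCESS_KEY_ID
        value: AKIACONSTRUCTEDEXAMPLE
      - name: AWS_SECRET_ACCESS_KEY
        valueFrom:
          secretKeyRef:
            name: pipeline-s3-credentials
            key: AWS_SECRET_ACCESS_KEY
env = {"aws_secret_access_key": "constructedsecret"}
"""
```

Run it over every exported pipeline file before and after patching; an empty result after the update is the expected outcome, while any finding means the export still carries credentials.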

📡 Detection & Monitoring

Log Indicators:

  • Access to exported pipeline files containing credential strings
  • Unauthorized access attempts to pipeline export directories

Network Indicators:

  • Unusual S3 API calls from unexpected sources using exposed credentials

SIEM Query:

search 'pipeline_export' AND ('s3_access_key' OR 's3_secret_key' OR 'aws_access_key_id' OR 'aws_secret_access_key')
