CVE-2024-1139

7.7 HIGH

📋 TL;DR

A credentials leak vulnerability in the OpenShift Container Platform (OCP) cluster monitoring operator allows remote attackers with basic login credentials to access pod manifests and discover repository pull secrets. This affects OCP deployments where the cluster monitoring operator is running. Attackers could potentially obtain sensitive credentials used for container image pulls.

💻 Affected Systems

Products:
  • OpenShift Container Platform (OCP)
Versions: Multiple OCP versions as detailed in Red Hat advisories (check specific errata for exact ranges)
Operating Systems: RHEL CoreOS, RHEL
Default Config Vulnerable: ⚠️ Yes
Notes: Affects OCP deployments using the cluster monitoring operator. Requires attacker to have basic login credentials to access pod manifests.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers obtain repository pull secrets, potentially gaining access to private container registries, allowing them to pull proprietary images, inject malicious containers, or pivot to other systems using those credentials.

🟠 Likely Case

Unauthorized access to sensitive pull secrets that could be used to access private container registries or as part of a broader attack chain.

🟢 If Mitigated

Limited impact if proper network segmentation, credential rotation, and access controls prevent credential misuse even if discovered.

🌐 Internet-Facing: MEDIUM - Requires authenticated access but could affect internet-facing OCP clusters with exposed monitoring endpoints.
🏢 Internal Only: HIGH - Internal attackers or compromised accounts could exploit this to escalate privileges and access sensitive container registries.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW - Requires authenticated access but straightforward exploitation once credentials are obtained.

Exploitation requires basic login credentials to check pod manifests. No public exploit code identified at this time.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Multiple fixed versions available - see Red Hat advisories RHSA-2024:1887, RHSA-2024:1891, RHSA-2024:2047, RHSA-2024:2782

Vendor Advisory: https://access.redhat.com/security/cve/CVE-2024-1139

Restart Required: Yes

Instructions:

  1. Update OCP to a patched version using 'oc adm upgrade' or through the web console.
  2. Apply relevant Red Hat errata.
  3. Restart affected monitoring operator pods.
  4. Verify the fix by checking operator versions.

🔧 Temporary Workarounds

Restrict Access to Monitoring Endpoints


Limit network access to cluster monitoring operator endpoints using network policies or firewalls.

oc apply -f network-policy.yaml (create appropriate NetworkPolicy)

Rotate Pull Secrets


Rotate repository pull secrets to mitigate impact if credentials are leaked.

oc create secret docker-registry new-pull-secret --docker-server=registry.example.com --docker-username=user --docker-password=pass
oc patch serviceaccount default -p '{"imagePullSecrets": [{"name": "new-pull-secret"}]}'

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate monitoring components from untrusted networks.
  • Enforce least privilege access controls and monitor for unauthorized access to pod manifests.

🔍 How to Verify

Check if Vulnerable:

Check the OCP release and the monitoring cluster operator: 'oc get clusterversion' for the cluster release and 'oc get clusteroperator monitoring' for the operator's version and status. The cluster monitoring operator is a ClusterOperator, so it does not appear in 'oc get operators', which lists OLM-managed operators.

Check Version:

oc version, oc get clusterversion, oc get clusteroperator monitoring

Verify Fix Applied:

Confirm that 'oc get clusterversion' reports a release listed as fixed in the Red Hat advisories above and that 'oc get clusteroperator monitoring' reports the same version as Available. As a behavioral check, inspect the pod manifests in the openshift-monitoring namespace ('oc get pods -n openshift-monitoring -o json') and confirm no pull secret material appears inline in the pod spec or metadata rather than through a Secret reference.
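An added check for the behavioral verification above (example code written for this page, not from Red Hat or the cluster monitoring operator): it walks a pod manifest of the shape returned by 'oc get pod -o json' and flags literal annotation or environment values that look like credentials, including base64-encoded dockerconfigjson. The sample manifest, annotation name and env names are constructed; on a cluster you would feed it the JSON of each pod in openshift-monitoring.

```python
import base64
import json
import re

# Key names that suggest a credential was inlined into the manifest.
KEY_PATTERN = re.compile(r"secret|password|passwd|token|dockerconfig", re.I)

def looks_like_dockerconfig(value):
    """True if value is a dockerconfigjson document, raw or base64-encoded."""
    candidates = [value]
    try:
        candidates.append(base64.b64decode(value, validate=True).decode("utf-8"))
    except (ValueError, UnicodeDecodeError):
        pass
    for text in candidates:
        try:
            doc = json.loads(text)
        except ValueError:
            continue
        if isinstance(doc, dict) and "auths" in doc:
            return True
    return False

def find_inline_credentials(pod):
    """Return (location, key) for each literal annotation or env value that looks
    like a secret. env entries using valueFrom are references, not leaks: skipped."""
    hits = []
    for key, val in pod.get("metadata", {}).get("annotations", {}).items():
        if KEY_PATTERN.search(key) or looks_like_dockerconfig(val):
            hits.append(("metadata.annotations", key))
    spec = pod.get("spec", {})
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        for env in c.get("env", []):
            val = env.get("value")
            if val is not None and (KEY_PATTERN.search(env["name"]) or looks_like_dockerconfig(val)):
                hits.append(("spec.containers[%s].env" % c["name"], env["name"]))
    return hits

# Constructed sample manifest (not a real OCP pod): a base64 dockerconfigjson
# leaked through an annotation and a literal password in an env var.
FAKE_DOCKERCFG = base64.b64encode(json.dumps(
    {"auths": {"registry.example.com": {"auth": "dXNlcjpwYXNz"}}}).encode()).decode()
SAMPLE_POD = {
    "metadata": {"name": "example-pod", "namespace": "openshift-monitoring",
                 "annotations": {"example.io/bootstrap": FAKE_DOCKERCFG}},
    "spec": {"containers": [{"name": "app", "image": "registry.example.com/app:1.0",
             "env": [{"name": "LOG_LEVEL", "value": "info"},
                     {"name": "REGISTRY_PASSWORD", "value": "hunter2"},
                     {"name": "API_TOKEN", "valueFrom": {"secretKeyRef": {"name": "s", "key": "k"}}}]}]},
}
```

Running find_inline_credentials over every pod in the namespace and getting an empty list is the expected result on a fixed cluster; any hit names the exact field to inspect.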

📡 Detection & Monitoring

Log Indicators:

  • Unusual access patterns to monitoring operator endpoints
  • Unauthorized attempts to access pod manifests
  • Failed authentication attempts followed by successful manifest access

Network Indicators:

  • Suspicious traffic to monitoring operator ports from unauthorized sources
  • Unexpected outbound connections to container registries

SIEM Query:

source="openshift-audit.log" verb IN ("get", "list", "watch") objectRef.resource="pods" objectRef.namespace="openshift-monitoring" NOT user.username IN ("system:serviceaccount:openshift-monitoring:prometheus-k8s", "allowed-users")

Kubernetes audit events record the request method in the 'verb' field and have no 'manifest' subresource on pods: reading a pod manifest is a plain get or list on the pods resource, so filter on resource and namespace and exclude the accounts expected to read pods there.
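The same detection logic as the SIEM query above, as an added example written for this page (not from the site or Red Hat), run over constructed Kubernetes audit events. The field names (verb, user.username, objectRef.resource/namespace/name, sourceIPs) are those of the Kubernetes audit Event schema; the allow-list is an assumption to adapt per cluster.

```python
import json
from collections import Counter

# Accounts expected to read pods in openshift-monitoring; extend per cluster (assumption).
ALLOWED_USERS = {"system:serviceaccount:openshift-monitoring:prometheus-k8s"}
READ_VERBS = {"get", "list", "watch"}

def suspicious_pod_reads(lines, namespace="openshift-monitoring", allowed=ALLOWED_USERS):
    """Return one record per audit event where a non-allow-listed user read pod
    manifests in the given namespace. Fields follow the audit.k8s.io Event schema."""
    hits = []
    for line in lines:
        try:
            ev = json.loads(line)
        except ValueError:  # skip non-JSON lines (rotated-file headers etc.)
            continue
        ref = ev.get("objectRef") or {}
        user = (ev.get("user") or {}).get("username", "")
        if (ev.get("verb") in READ_VERBS and ref.get("resource") == "pods"
                and ref.get("namespace") == namespace and user not in allowed):
            hits.append({"user": user, "verb": ev["verb"],
                         "pod": ref.get("name", "*"),  # list/watch carry no pod name
                         "src": ",".join(ev.get("sourceIPs", []))})
    return hits

def reads_per_user(hits):
    """Count flagged reads per user so repeated enumeration of the namespace stands out."""
    return Counter(h["user"] for h in hits)

# Constructed sample audit events (not from a real cluster).
SAMPLE_AUDIT = [
    '{"verb":"get","user":{"username":"system:serviceaccount:openshift-monitoring:prometheus-k8s"},'
    '"objectRef":{"resource":"pods","namespace":"openshift-monitoring","name":"prometheus-k8s-0"},"sourceIPs":["10.0.0.5"]}',
    '{"verb":"list","user":{"username":"developer"},'
    '"objectRef":{"resource":"pods","namespace":"openshift-monitoring"},"sourceIPs":["203.0.113.7"]}',
    '{"verb":"get","user":{"username":"developer"},'
    '"objectRef":{"resource":"pods","namespace":"openshift-monitoring","name":"alertmanager-main-0"},"sourceIPs":["203.0.113.7"]}',
    '{"verb":"get","user":{"username":"developer"},'
    '"objectRef":{"resource":"configmaps","namespace":"openshift-monitoring","name":"cfg"},"sourceIPs":["203.0.113.7"]}',
    '{"verb":"get","user":{"username":"developer"},'
    '"objectRef":{"resource":"pods","namespace":"dev-team","name":"app-1"},"sourceIPs":["203.0.113.7"]}',
    'not json',
]
```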
