CVE-2024-45496
📋 TL;DR
This vulnerability in OpenShift Container Platform allows attackers with developer-level access to execute arbitrary commands on worker nodes by exploiting a privileged git-clone container during builds. Attackers can craft malicious .gitconfig files that trigger command execution, potentially leading to full node compromise. Organizations using vulnerable OpenShift versions are affected.
💻 Affected Systems
- Red Hat OpenShift Container Platform
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of worker nodes, lateral movement to other nodes or clusters, data exfiltration, and persistent backdoor installation.
Likely Case
Unauthorized code execution on worker nodes, privilege escalation to cluster-admin level, and potential access to sensitive workloads.
If Mitigated
Limited impact with proper RBAC controls, network segmentation, and build process restrictions.
🎯 Exploit Status
Exploitation requires developer credentials but is straightforward once access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Multiple versions - see RHSA-2024:3718 and related advisories
Vendor Advisory: https://access.redhat.com/errata/RHSA-2024:3718
Restart Required: Yes
Instructions:
1. Review RHSA-2024:3718 and related advisories.
2. Update OpenShift Container Platform to patched versions.
3. Restart affected components as required.
4. Verify the fix by testing build processes.
🔧 Temporary Workarounds
Restrict Build Service Accounts
Limit which service accounts can trigger builds and reduce their permissions.
oc adm policy remove-cluster-role-from-user system:build-strategy-custom <serviceaccount>
oc adm policy remove-cluster-role-from-user system:build-strategy-docker <serviceaccount>
oc adm policy remove-cluster-role-from-user system:build-strategy-jenkinspipeline <serviceaccount>
oc adm policy remove-cluster-role-from-user system:build-strategy-source <serviceaccount>
Implement Git Configuration Validation
Use admission controllers or build hooks to validate .gitconfig files before processing.
🧯 If You Can't Patch
- Implement strict RBAC controls to limit who can trigger builds and access build configurations.
- Monitor build logs for unusual git clone activities and implement network segmentation for build nodes.
🔍 How to Verify
Check if Vulnerable:
Check the OpenShift version against the affected versions listed in the RHSA advisories, and verify whether git-clone containers in build pods run with a privileged security context.
Check Version:
oc version
Verify Fix Applied:
After patching, verify that the OpenShift version has been updated and that git-clone containers no longer run with a privileged security context during builds.
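The "Check if Vulnerable" and "Verify Fix Applied" steps above both come down to inspecting build pods for a privileged git-clone container. The following checker is an added example, not part of this advisory or of OpenShift; it reads the JSON shape produced by `oc get pods -o json`, and assumes the build pod's clone step is a container named `git-clone` and that build pods carry the `openshift.io/build.name` label. The embedded pod list is constructed sample data, not output from a real cluster.

```python
import json
import sys

# Constructed sample in the shape of `oc get pods -A -o json`, trimmed to the
# fields the check reads. Not real cluster data.
SAMPLE_POD_LIST = json.loads("""
{
  "items": [
    {"metadata": {"namespace": "team-a", "name": "app-1-build"},
     "spec": {
       "initContainers": [
         {"name": "git-clone", "securityContext": {"privileged": true}}
       ],
       "containers": [{"name": "sti-build", "securityContext": {"privileged": true}}]
     }},
    {"metadata": {"namespace": "team-b", "name": "web-3-build"},
     "spec": {
       "initContainers": [
         {"name": "git-clone", "securityContext": {"privileged": false}}
       ],
       "containers": [{"name": "docker-build", "securityContext": {"privileged": true}}]
     }}
  ]
}
""")


def privileged_git_clone_pods(pod_list):
    """Return (namespace, pod) pairs whose git-clone container is privileged.

    Both initContainers and containers are inspected; a missing securityContext
    or a missing 'privileged' key counts as not privileged.
    """
    findings = []
    for pod in pod_list.get("items", []):
        meta = pod.get("metadata", {})
        spec = pod.get("spec", {})
        for c in spec.get("initContainers", []) + spec.get("containers", []):
            if c.get("name") != "git-clone":  # assumed clone-step container name
                continue
            sc = c.get("securityContext") or {}
            if sc.get("privileged") is True:
                findings.append((meta.get("namespace"), meta.get("name")))
    return findings


if __name__ == "__main__":
    # Live cluster: oc get pods -A -l openshift.io/build.name -o json | python3 check.py
    data = SAMPLE_POD_LIST if sys.stdin.isatty() else json.load(sys.stdin)
    hits = privileged_git_clone_pods(data)
    for ns, name in hits:
        print(f"PRIVILEGED git-clone: {ns}/{name}")
    print("no privileged git-clone containers found" if not hits else f"{len(hits)} finding(s)")
```

Run it against a pod list captured before and after patching; an empty result after the update is the "Verify Fix Applied" condition stated above.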
📡 Detection & Monitoring
Log Indicators:
- Unusual git clone operations in build logs
- Privileged container creation for git-clone
- Suspicious commands executed during build initialization
Network Indicators:
- Unexpected outbound connections from build nodes during git operations
SIEM Query:
source="openshift-build-logs" AND "git-clone" AND "privileged=true"
🔗 References
- https://access.redhat.com/errata/RHSA-2024:3718
- https://access.redhat.com/errata/RHSA-2024:6685
- https://access.redhat.com/errata/RHSA-2024:6687
- https://access.redhat.com/errata/RHSA-2024:6689
- https://access.redhat.com/errata/RHSA-2024:6691
- https://access.redhat.com/errata/RHSA-2024:6705
- https://access.redhat.com/security/cve/CVE-2024-45496
- https://bugzilla.redhat.com/show_bug.cgi?id=2308661