CVE-2024-5037

7.5 HIGH

📋 TL;DR

This vulnerability in OpenShift's Telemeter allows attackers to bypass JWT authentication by using forged tokens that evade issuer validation checks. It affects OpenShift environments using Telemeter for metrics collection. Attackers could potentially gain unauthorized access to telemetry data or system resources.

💻 Affected Systems

Products:
  • OpenShift Container Platform
  • Red Hat OpenShift
Versions: Multiple versions as indicated in Red Hat advisories (specific versions in RHSA-2024:4151, RHSA-2024:4156, RHSA-2024:4329, RHSA-2024:4484, RHSA-2024:5200)
Operating Systems: Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Affects Telemeter component specifically; requires JWT authentication to be enabled and configured.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of Telemeter service allowing unauthorized access to sensitive metrics data, potential lateral movement to other OpenShift components, and data exfiltration.

🟠

Likely Case

Unauthorized access to telemetry data, potential privilege escalation within the Telemeter service, and manipulation of metrics collection.

🟢

If Mitigated

Limited impact with proper network segmentation and monitoring, potentially only affecting isolated Telemeter instances.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires ability to generate forged JWT tokens and knowledge of Telemeter configuration; attacker needs network access to Telemeter endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Multiple patched versions across different advisories (check specific RHSA for exact versions)

Vendor Advisory: https://access.redhat.com/errata/RHSA-2024:4151

Restart Required: Yes

Instructions:

1. Identify affected OpenShift version.
2. Apply relevant Red Hat security update via 'yum update' or OpenShift update process.
3. Restart Telemeter components.
4. Verify fix with version check.

🔧 Temporary Workarounds

Network Segmentation

Platform: linux

Restrict network access to Telemeter endpoints to trusted sources only

firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="TRUSTED_IP" port protocol="tcp" port="PORT" accept'
firewall-cmd --reload

JWT Validation Enhancement

Platform: all

Implement additional JWT validation checks beyond issuer verification

Configure Telemeter with additional JWT validation parameters in configuration files
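As an added illustration of what "additional validation checks beyond issuer verification" means in practice, the Python validator below (written for this page, not code from Telemeter or Red Hat) pins the signing algorithm, verifies the signature before trusting any claim, matches the issuer exactly against an allow-list rather than by prefix, and checks audience and expiry. The secret, issuer and audience values are constructed placeholders; a real deployment would take them from its own configuration.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed demo values; not Telemeter's real configuration.
SECRET = b"constructed-demo-secret"
ALLOWED_ISSUERS = {"https://issuer.example.internal"}  # exact-match allow-list
EXPECTED_AUDIENCE = "telemeter-demo"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims: dict, key: bytes = SECRET, alg: str = "HS256") -> str:
    """Mint an HS256 JWT; used here only to build sample inputs for the validator."""
    header = json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode()
    body = json.dumps(claims, separators=(",", ":")).encode()
    signing_input = f"{_b64url_encode(header)}.{_b64url_encode(body)}"
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def validate_token(token: str, now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (accepted, reason). Signature is checked before any claim is read,
    and every claim check is an exact comparison, so a look-alike issuer fails."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:
        return False, "undecodable segment"
    # Pin the algorithm server-side; never let the token choose it.
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"
    # Issuer: membership in an allow-list, not a prefix or substring test.
    if payload.get("iss") not in ALLOWED_ISSUERS:
        return False, "issuer not allowed"
    # Audience: the token must be intended for this service.
    aud = payload.get("aud")
    if EXPECTED_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        return False, "audience mismatch"
    # Lifetime: exp is required, nbf honoured when present.
    exp = payload.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        return False, "expired or missing exp"
    nbf = payload.get("nbf")
    if isinstance(nbf, (int, float)) and now < nbf:
        return False, "not yet valid"
    return True, "ok"


def sample_results(now: float = 1_700_000_000) -> dict:
    """Run the validator over constructed tokens: one genuine, four that must be refused."""
    good = {"iss": "https://issuer.example.internal", "aud": EXPECTED_AUDIENCE, "exp": now + 600}
    ok_token = sign_token(good)
    # Tampered payload reusing the genuine signature.
    tampered_body = _b64url_encode(json.dumps({**good, "sub": "admin"}).encode())
    tampered = ".".join([ok_token.split(".")[0], tampered_body, ok_token.split(".")[2]])
    return {
        "genuine": validate_token(ok_token, now),
        "lookalike_issuer": validate_token(
            sign_token({**good, "iss": "https://issuer.example.internal.evil"}), now),
        "tampered": validate_token(tampered, now),
        "alg_none": validate_token(sign_token(good, alg="none"), now),
        "expired": validate_token(sign_token({**good, "exp": now - 1}), now),
    }


if __name__ == "__main__":
    for name, result in sample_results().items():
        print(f"{name:17s} -> {result}")
```

The look-alike issuer case is the one to note: a check written as `iss.startswith(trusted)` or `trusted in iss` would accept it, while set membership refuses it.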

🧯 If You Can't Patch

  • Implement strict network access controls to limit Telemeter exposure
  • Monitor Telemeter logs for unusual authentication attempts and JWT validation failures

🔍 How to Verify

Check if Vulnerable:

Check OpenShift version and Telemeter component version against Red Hat advisories

Check Version:

oc version && oc get pods -n openshift-monitoring | grep telemeter

Verify Fix Applied:

Verify updated version is installed and Telemeter service is running with patched components

📡 Detection & Monitoring

Log Indicators:

  • Failed JWT validation logs
  • Unusual authentication patterns to Telemeter endpoints
  • JWT tokens with unexpected issuer claims

Network Indicators:

  • Unusual traffic to Telemeter ports from unauthorized sources
  • Multiple authentication attempts with varying tokens

SIEM Query:

source="telemeter" AND ("JWT validation failed" OR "invalid issuer" OR "authentication bypass")
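For sites without a SIEM, the Python scanner below (added here; not a Telemeter or Red Hat tool) applies the same indicators to raw log lines: it matches the strings from the query above, flags any failed validation whose issuer claim is not on the allow-list, and raises a burst alert when one remote address accumulates several failures inside a short window. The log lines and their key="value" layout are constructed for the example; Telemeter's actual log format may differ, so the parser would need adjusting to it.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample log lines in a generic key="value" style (not Telemeter's real format).
SAMPLE_LOGS = """\
2024-06-01T12:00:01Z level=info msg="request served" remote="10.0.0.5"
2024-06-01T12:00:02Z level=warn msg="JWT validation failed" reason="invalid issuer" iss="https://issuer.example.internal.evil" remote="203.0.113.7"
2024-06-01T12:00:03Z level=warn msg="JWT validation failed" reason="bad signature" remote="203.0.113.7"
2024-06-01T12:00:04Z level=warn msg="JWT validation failed" reason="invalid issuer" iss="https://issuer.example.internal.evil" remote="203.0.113.7"
2024-06-01T12:00:05Z level=info msg="request served" remote="10.0.0.5"
2024-06-01T12:30:00Z level=warn msg="JWT validation failed" reason="expired" remote="10.0.0.9"
"""

# Same indicator strings as the SIEM query, compared case-insensitively.
INDICATORS = ("jwt validation failed", "invalid issuer", "authentication bypass")
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line: str) -> Dict[str, object]:
    """Split 'TIMESTAMP key="value" ...' into a dict; the timestamp becomes a datetime."""
    ts_text, _, rest = line.partition(" ")
    fields: Dict[str, object] = dict(KV_RE.findall(rest))
    fields["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def is_indicator(event: Dict[str, object]) -> bool:
    text = " ".join(str(v) for k, v in event.items() if k != "ts").lower()
    return any(ind in text for ind in INDICATORS)


def scan(log_text: str, allowed_issuers, threshold: int = 3,
         window: timedelta = timedelta(minutes=5)) -> Dict[str, object]:
    """Return matched-event count plus alerts for unexpected issuers and failure bursts."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    hits = [e for e in events if is_indicator(e)]
    alerts: List[Dict[str, object]] = []
    by_remote = defaultdict(list)
    for e in hits:
        iss = e.get("iss")
        if iss is not None and iss not in allowed_issuers:
            alerts.append({"type": "unexpected_issuer", "remote": e.get("remote"), "iss": iss})
        by_remote[e.get("remote", "unknown")].append(e["ts"])
    # Burst: `threshold` failures from one remote within `window`, reported once per remote.
    for remote, stamps in by_remote.items():
        stamps.sort()
        for i in range(threshold - 1, len(stamps)):
            if stamps[i] - stamps[i - threshold + 1] <= window:
                alerts.append({"type": "burst", "remote": remote, "count": len(stamps)})
                break
    return {"matched": len(hits), "alerts": alerts}


if __name__ == "__main__":
    result = scan(SAMPLE_LOGS, {"https://issuer.example.internal"})
    print(f"matched indicator events: {result['matched']}")
    for alert in result["alerts"]:
        print(alert)
```

The single expired-token failure from 10.0.0.9 is matched but raises no alert, which is the intended behaviour: one stale token is routine, whereas repeated failures with a foreign issuer from one source are the pattern the Log Indicators above describe.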

🔗 References
