CVE-2024-6538
📋 TL;DR
This CVE describes a Server-Side Request Forgery (SSRF) vulnerability in OpenShift Console's /api/dev-console/proxy/internet endpoint. Authenticated users can make the console pod perform arbitrary HTTP requests to internal cluster services, bypassing intended internet-only restrictions. This affects OpenShift deployments with the console component enabled.
💻 Affected Systems
- Red Hat OpenShift Container Platform
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine whether your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attacker accesses sensitive internal services, exfiltrates credentials or data, or performs lateral movement within the cluster network.
Likely Case
Information disclosure from internal services, reconnaissance of cluster network topology, or limited data exfiltration.
If Mitigated
Minimal impact if network segmentation prevents the console pod from reaching sensitive services.
🎯 Exploit Status
Exploitation requires authenticated access to OpenShift Console.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check specific RHSA advisories for version details
Vendor Advisory: https://access.redhat.com/errata/RHSA-2025:14397
Restart Required: Yes
Instructions:
1. Review RHSA advisories for your OpenShift version.
2. Apply security updates via OpenShift update channels.
3. Restart affected console pods.
🔧 Temporary Workarounds
Network Policy Restriction
Implement network policies to restrict console pod egress to only the required external endpoints:
oc apply -f network-policy.yaml
Endpoint Access Control
Use OpenShift RBAC to restrict which users can reach the vulnerable endpoint (replace the placeholders with the role and user to bind):
oc policy add-role-to-user <role> <user> -n openshift-console
🧯 If You Can't Patch
- Implement strict network segmentation to isolate console pods from sensitive internal services
- Enforce least-privilege access controls and monitor for suspicious proxy requests
🔍 How to Verify
Check if Vulnerable:
Check the OpenShift Console version and compare it against the patched versions listed in the RHSA advisories.
Check Version:
oc get pods -n openshift-console -o jsonpath='{.items[*].spec.containers[*].image}'
Verify Fix Applied:
Verify the console pod version after the update, then test that the proxy endpoint still works for external destinations and no longer reaches internal ones.
📡 Detection & Monitoring
Log Indicators:
- Unusual HTTP requests from console pods to internal cluster IPs
- Multiple requests to /api/dev-console/proxy/internet endpoint
Network Indicators:
- Console pods making unexpected internal network connections
- HTTP traffic from console to non-external destinations
SIEM Query:
source="openshift-console" AND uri_path="/api/dev-console/proxy/internet" AND dest_ip=~"^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)"
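Detection logic for the indicators above, as an added example that is not part of this advisory or of OpenShift itself: it parses constructed console access-log lines (the field layout and the `url` query parameter carrying the proxied destination are assumptions) and flags proxy calls whose target is a private address or cluster-local name, using exact RFC 1918 prefixes rather than a loose `172.*` glob.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlparse

PROXY_PATH = "/api/dev-console/proxy/internet"

# Assumed log line shape (constructed for this example, not a real console format):
# "<timestamp> <user> <method> <path?query> <status>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<uri>\S+) (?P<status>\d{3})$")

# Private, loopback and link-local ranges; real prefixes avoid the false
# positives a "172.*" glob produces on public 172.x.x.x addresses.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "::1/128")]

def is_internal(host: str) -> bool:
    """True if host is a private IP literal or a cluster-local DNS name."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: bare names and *.svc / *.cluster.local resolve in-cluster.
        return "." not in host or host.endswith((".svc", ".cluster.local"))
    return any(addr in net for net in INTERNAL_NETS)

def suspicious_proxy_requests(lines):
    # Returns (user, target_host) for proxy calls aimed at internal destinations.
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not m["uri"].startswith(PROXY_PATH):
            continue
        # Assumption: the proxied destination is carried in a "url" query parameter.
        target = parse_qs(urlparse(m["uri"]).query).get("url", [""])[0]
        host = urlparse(target).hostname or ""
        if host and is_internal(host):
            hits.append((m["user"], host))
    return hits

# Constructed sample log lines: one external fetch, two internal targets, one unrelated call.
SAMPLE_LOG = [
    "2025-01-01T10:00:00Z alice GET /api/dev-console/proxy/internet?url=https://example.com/feed 200",
    "2025-01-01T10:00:05Z alice GET /api/dev-console/proxy/internet?url=http://172.30.0.1:443/ 200",
    "2025-01-01T10:00:09Z bob GET /api/dev-console/proxy/internet?url=http://kubernetes.default.svc/version 200",
    "2025-01-01T10:00:12Z bob GET /api/kubernetes/api/v1/namespaces 200",
]

if __name__ == "__main__":
    for user, host in suspicious_proxy_requests(SAMPLE_LOG):
        print(f"ALERT user={user} proxied to internal host {host}")
```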
🔗 References
- https://access.redhat.com/errata/RHSA-2025:14397
- https://access.redhat.com/errata/RHSA-2025:19058
- https://access.redhat.com/errata/RHSA-2025:7863
- https://access.redhat.com/errata/RHSA-2025:8280
- https://access.redhat.com/errata/RHSA-2025:8556
- https://access.redhat.com/security/cve/CVE-2024-6538
- https://bugzilla.redhat.com/show_bug.cgi?id=2296057