Submariner-operator: rbac permissions can allow for the spread of node compromises
Summary
A flaw was found in the Submariner project. Due to unnecessary role-based access control permissions, a privileged attacker can run a malicious container on a node that may allow them to steal service account tokens and further compromise other nodes and potentially the entire cluster. Affected products named by the advisory: RHODF-4.16-RHEL-9; Red Hat Openshift Data Foundation 4.20; Red Hat Advanced Cluster Management for Kubernetes 2.
What this means
In plain English
A flaw was found in the Submariner project. Due to unnecessary role-based access control permissions, a privileged attacker can run a malicious container on a node that may allow them to steal service account tokens and further compromise other nodes and potentially the entire cluster. Affected products named by the advisory: RHODF-4.16-RHEL-9; Red Hat Openshift Data Foundation 4.20; Red Hat Advanced Cluster Management for Kubernetes 2. The flaw can allow operations or data access outside the authorization boundary intended by the affected product.
Vulnerable items
- RHODF-4.16-RHEL-9
- Red Hat Openshift Data Foundation 4.20
- Red Hat Advanced Cluster Management for Kubernetes 2 — Kubernetes orchestrates containerized applications across clusters of compute nodes.
Recommended action
Primary action: update to a vendor-listed fixed release: 0.14.9, 0.15.5, 0.16.7, 0.17.2, 0.18.0-rc0.
Rewritten locally from the scraped official advisory data above; no generative API is used. The vendor advisory is authoritative.
- before 0.14.9
- 0.15.0 before 0.15.5
- 0.16.0 before 0.16.7
- 0.17.0 before 0.17.2
- 0.18.0-m0 before 0.18.0-rc0
Official advisory · high-confidence parse· fetched 5 hours ago·verify at source
- 0.14.9
- 0.15.5
- 0.16.7
- 0.17.2
- 0.18.0-rc0
Official advisory · high-confidence parse· fetched 5 hours ago·verify at source
Mitigation
Upgrade to a fixed release: 0.14.9, 0.15.5, 0.16.7, 0.17.2, 0.18.0-rc0. That is the remediation for this advisory.
The vendor advisory may list additional interim mitigations or workarounds not captured here — review it before change work.
Official advisory · high-confidence parse· fetched 5 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.