OpenShift Dedicated Hive Hibernation Controller Denial-of-Service Vulnerability
Vulnerability
A denial-of-service vulnerability has been identified in the Hive hibernation controller of OpenShift Dedicated. The issue arises when a ClusterDeployment resource is created with the spec.installed field set to true and a positive timespan for spec.hibernateAfter. If a ClusterSync resource is also created, the hibernation controller enters a reconciliation loop and panics when it tries to access a field that does not yet exist in the ClusterDeployment's status. The panic causes the hive-controllers pod to crash and enter a CrashLoopBackOff state, disrupting all other controllers bundled in that pod.
Impact
Exploiting this vulnerability causes the hive hibernation controller to panic in a loop, crashing the pod and disrupting all other controllers bundled with it.
Reproduction
To reproduce this vulnerability, create a ClusterDeployment resource with the spec.installed field set to true and a positive value for spec.hibernateAfter. Then, create a ClusterSync resource. The hive hibernation controller will enter a reconciliation loop and panic when it tries to access a missing field in the ClusterDeployment's status, causing the hive-controllers pod to crash.
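The failure mode described above is a nil dereference of an optional status sub-object inside a reconcile loop. The following Go example is added here for illustration and is not Hive's code; the type shapes (ClusterDeploymentSpec, HibernationStatus, Result) and the field names are hypothetical stand-ins. It shows the vulnerable pattern next to the defensive one: check the optional status field and requeue when it is absent, and wrap each reconcile in a recover so that one bad object cannot take down every controller in the process.

```go
package main

import (
	"fmt"
	"time"
)

// Hypothetical, simplified stand-ins for the Hive API types.
type ClusterDeploymentSpec struct {
	Installed      bool
	HibernateAfter *time.Duration // nil when no hibernation window was requested
}

// HibernationStatus is a hypothetical status sub-object that the controller
// expects to be present once a cluster reports itself as installed.
type HibernationStatus struct {
	LastTransition time.Time
}

type ClusterDeploymentStatus struct {
	Hibernation *HibernationStatus // nil on a freshly created resource
}

type ClusterDeployment struct {
	Spec   ClusterDeploymentSpec
	Status ClusterDeploymentStatus
}

// Result mirrors the controller-runtime reconcile result shape.
type Result struct {
	RequeueAfter time.Duration
}

// reconcileUnsafe reproduces the advisory's failure mode: the controller
// assumes status is populated and dereferences it directly.
func reconcileUnsafe(cd *ClusterDeployment) (Result, error) {
	if !cd.Spec.Installed || cd.Spec.HibernateAfter == nil {
		return Result{}, nil
	}
	// Nil pointer dereference when Status.Hibernation has not been written yet.
	idle := time.Since(cd.Status.Hibernation.LastTransition)
	if idle >= *cd.Spec.HibernateAfter {
		return Result{}, nil // hibernation would be triggered here
	}
	return Result{RequeueAfter: *cd.Spec.HibernateAfter - idle}, nil
}

// reconcileSafe validates the optional status field before use and turns the
// missing-data case into a requeue instead of a crash.
func reconcileSafe(cd *ClusterDeployment) (Result, error) {
	if !cd.Spec.Installed || cd.Spec.HibernateAfter == nil {
		return Result{}, nil
	}
	if cd.Status.Hibernation == nil {
		// Status is owned by another controller; wait for it rather than assume it.
		return Result{RequeueAfter: 30 * time.Second}, nil
	}
	idle := time.Since(cd.Status.Hibernation.LastTransition)
	if idle >= *cd.Spec.HibernateAfter {
		return Result{}, nil
	}
	return Result{RequeueAfter: *cd.Spec.HibernateAfter - idle}, nil
}

// withRecover is defence in depth: a panic in one reconcile becomes an error
// for that object instead of crashing the whole controller process.
func withRecover(fn func(*ClusterDeployment) (Result, error), cd *ClusterDeployment) (res Result, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("reconcile panicked: %v", r)
		}
	}()
	return fn(cd)
}

func main() {
	// Constructed input matching the advisory: installed, hibernateAfter set, status empty.
	after := time.Hour
	cd := &ClusterDeployment{Spec: ClusterDeploymentSpec{Installed: true, HibernateAfter: &after}}

	_, err := withRecover(reconcileUnsafe, cd)
	fmt.Println("unsafe:", err)

	res, err := withRecover(reconcileSafe, cd)
	fmt.Println("safe: requeue after", res.RequeueAfter, "err:", err)
}
```

Returning a requeue (rather than an error) for the not-yet-populated case keeps the controller-runtime workqueue from applying error backoff to a condition that is expected during normal resource creation; the recover wrapper is a last line of defence, not a substitute for the nil check.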