Eclipse Che Unauthenticated Remote Code Execution and Secret Exfiltration Vulnerability

Vulnerability

A vulnerability in Eclipse Che's che-machine-exec component allows unauthenticated remote execution of arbitrary commands and the exfiltration of secrets, such as SSH keys and tokens, from other users' Developer Workspace containers. The issue arises because che-machine-exec exposes an unauthenticated JSON-RPC-over-WebSocket API on TCP port 3333, which can be reached by any container on the same network segment.

Impact

Exploitation of this vulnerability could lead to unauthorized remote code execution on the affected containers and the theft of sensitive information, including SSH private keys and tokens, from other users' Developer Workspace containers.

Reproduction

The vulnerability can be reproduced by accessing the exposed JSON-RPC websocket API on TCP port 3333 of an affected Eclipse Che container. This can be done from another container on the same network segment, without any authentication. Once connected to the websocket, arbitrary commands can be executed, and secrets such as SSH keys can be retrieved.

Remediation

Users can upgrade to Red Hat OpenShift Dev Spaces versions 3.22.1, 3.23.1, or 3.24.1, all of which include the necessary fix for this vulnerability.
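Upgrading is the fix. As a compensating control while the upgrade is rolled out, the exposure described above (TCP port 3333 reachable from any container on the same network segment) can be narrowed with a Kubernetes/OpenShift NetworkPolicy so that only the component that legitimately fronts the exec API can reach that port. The policy below is an added example, not configuration shipped by Eclipse Che or Red Hat; the namespace names and pod labels are placeholders that must be replaced with the values used in your deployment.

```yaml
# Added example (not from the Eclipse Che project): restrict ingress to the
# che-machine-exec port so that arbitrary containers on the same network
# segment can no longer reach the JSON-RPC-over-WebSocket API on TCP/3333.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: restrict-machine-exec-port
  namespace: user-workspace-ns            # placeholder: the workspace namespace
spec:
  # Selects the Developer Workspace pods that run che-machine-exec.
  podSelector:
    matchLabels:
      app.kubernetes.io/component: workspace   # placeholder label for workspace pods
  policyTypes:
    - Ingress
  ingress:
    # Only the component that legitimately proxies to the exec API may connect
    # to port 3333. Both selectors below are placeholders.
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: che-gateway-ns   # placeholder namespace
          podSelector:
            matchLabels:
              app: che-gateway                               # placeholder pod label
      ports:
        - protocol: TCP
          port: 3333
```

Two caveats apply. First, once a pod is selected by a NetworkPolicy with policyTypes Ingress, every ingress not explicitly allowed is denied, so any other ports the workspace legitimately serves (the IDE endpoint, for example) need their own allow rules or they will also be blocked. Second, a NetworkPolicy is only enforced if the cluster's network plugin supports it; verify enforcement from a pod in another namespace (the connection to port 3333 should time out) rather than assuming the object alone closes the exposure.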

Added: Jan 13, 2026, 6:46 PM
Updated: Jan 13, 2026, 6:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 8.7
remediation: 0.0
relevance: 2.0
threat: 7.3
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.