Red Hat OpenShift AI Llama Stack Operator Network Policy Bypass Vulnerability
Vulnerability
A vulnerability in the Red Hat OpenShift AI llama-stack-operator allows unauthorized access to Llama Stack services in different namespaces. This issue arises because there is no NetworkPolicy to restrict access to the llama-stack service endpoint, enabling users in one namespace to access another user's Llama Stack instance and potentially view or manipulate sensitive data. This vulnerability affects Red Hat OpenShift AI versions 2.24 and 2.25.
Impact
Exploitation of this vulnerability could lead to unauthorized access to sensitive data across different user namespaces within the same OpenShift AI instance.
Reproduction
To reproduce this vulnerability, create a LlamaStackDistribution in one namespace as UserA. This will generate a service endpoint that can be accessed using the llama_stack_client SDK. Without any Network Policy in place, UserB can access UserA's Llama Stack service from a different namespace by simply knowing the service endpoint. This can be verified by running a notebook that queries UserA's Llama Stack instance, demonstrating the unauthorized access.
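A defender can check for the exposed state described above by evaluating exported NetworkPolicy objects against Kubernetes ingress semantics. The following is an added example, not code from the advisory or from the operator; the namespaces, labels and the policy are constructed, the "app: llama-stack" label is hypothetical, and only matchLabels selectors are handled.

```python
# Added example. Namespaces, labels and policies are constructed samples;
# the "app: llama-stack" label is hypothetical, not the operator's own.

def _matches(selector, labels):
    """matchLabels-only match; an absent or empty selector matches everything."""
    wanted = (selector or {}).get("matchLabels", {})
    return all(labels.get(k) == v for k, v in wanted.items())

def cross_namespace_ingress_allowed(policies, target_ns, target_labels,
                                    source_ns_labels, source_pod_labels):
    """True if a pod in a different namespace may connect to the target pod."""
    selecting = [p for p in policies
                 if p["metadata"]["namespace"] == target_ns
                 and "Ingress" in p["spec"].get("policyTypes", ["Ingress"])
                 and _matches(p["spec"].get("podSelector"), target_labels)]
    if not selecting:
        return True  # no policy selects the pod, so all ingress is allowed
    for policy in selecting:
        for rule in policy["spec"].get("ingress", []):
            peers = rule.get("from")
            if not peers:
                return True  # a rule without "from" admits every source
            for peer in peers:
                # A peer without namespaceSelector only matches pods in the
                # policy's own namespace; ipBlock peers are not evaluated here.
                if "namespaceSelector" not in peer:
                    continue
                if (_matches(peer["namespaceSelector"], source_ns_labels)
                        and _matches(peer.get("podSelector"), source_pod_labels)):
                    return True
    return False

LLAMA_POD = {"app": "llama-stack"}
USER_B_NS = {"kubernetes.io/metadata.name": "user-b"}
USER_B_POD = {"app": "notebook"}

# Ingress limited to pods in the same namespace as the Llama Stack pod.
SAME_NAMESPACE_ONLY = {
    "metadata": {"name": "llama-stack-same-ns", "namespace": "user-a"},
    "spec": {"podSelector": {"matchLabels": LLAMA_POD},
             "policyTypes": ["Ingress"],
             "ingress": [{"from": [{"podSelector": {}}]}]},
}

if __name__ == "__main__":
    for name, policies in (("no policy", []), ("same-namespace policy", [SAME_NAMESPACE_ONLY])):
        exposed = cross_namespace_ingress_allowed(policies, "user-a", LLAMA_POD, USER_B_NS, USER_B_POD)
        print(f"{name}: cross-namespace ingress allowed = {exposed}")
```

A same-namespace-only policy like the sample also blocks traffic from other namespaces that may be legitimate, such as an ingress controller, so any such peers need their own explicit rule.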
Remediation
Users can upgrade to Red Hat OpenShift AI version 2.25.2. The update includes important instructions for applying it.
