Red Hat OpenShift Tempo Operator Cluster Role Binding Vulnerability Allowing Unauthorized Access to Cluster Metrics

Vulnerability

A vulnerability exists in the Tempo Operator for Red Hat OpenShift distributed tracing. When the Jaeger UI Monitor Tab is enabled in a Tempo instance managed by this Operator, the Operator creates a ClusterRoleBinding for the Tempo instance's Service Account. This binding grants the cluster-monitoring-view ClusterRole, and because a ClusterRoleBinding is cluster-scoped, the resulting access to cluster metrics is not limited to the namespace in which the Tempo instance lives. The vulnerability can be exploited by a user who has 'create' permission on TempoStack resources and 'get' permission on Secrets within a namespace, such as a user with ClusterAdmin rights confined to that specific namespace.

Impact

Exploitation of this vulnerability allows unauthorized access to cluster metrics: by reading the token of the Tempo service account, a user gains the cluster-monitoring-view access that the binding grants to that account.

Reproduction

To reproduce this vulnerability, enable the Jaeger UI Monitor Tab in a Tempo instance managed by the Tempo Operator. Ensure that the user has 'create' permission on TempoStack resources and 'get' permission on Secrets in the namespace. Once these conditions are met, the user can read the Tempo service account token, which provides access to cluster metrics.
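To check whether a cluster already contains the binding pattern this advisory describes, here is an added audit script that is not part of the advisory or of the Tempo Operator. It parses output shaped like `oc get clusterrolebindings -o json` and reports every ClusterRoleBinding that hands cluster-monitoring-view to a namespaced ServiceAccount; the binding names and namespaces in the embedded sample are constructed, and the `allowed_namespaces` allowlist is an assumption for the reader to fill in after review.

```python
"""Audit ClusterRoleBindings that grant cluster-monitoring-view to a
namespaced ServiceAccount, the pattern described in this advisory."""
import json

# Constructed sample, shaped like `oc get clusterrolebindings -o json`.
# Binding names, namespaces and account names are illustrative only.
SAMPLE_CRB_JSON = json.dumps({"items": [
    {"metadata": {"name": "tempo-example-monitoring"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-monitoring-view"},
     "subjects": [{"kind": "ServiceAccount", "name": "tempo-example",
                   "namespace": "tracing"}]},
    {"metadata": {"name": "monitoring-view-users"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-monitoring-view"},
     "subjects": [{"kind": "Group", "name": "monitoring-viewers"}]},
    {"metadata": {"name": "unrelated-binding"},
     "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "ServiceAccount", "name": "reader",
                   "namespace": "tracing"}]},
]})

WATCHED_ROLES = {"cluster-monitoring-view"}


def find_sa_bindings(crb_json, watched_roles=WATCHED_ROLES,
                     allowed_namespaces=()):
    """Return (binding, namespace, serviceaccount) triples for every
    ClusterRoleBinding that grants a watched ClusterRole to a ServiceAccount
    outside the namespaces that have been reviewed and allowlisted.
    Anyone able to read Secrets in the reported namespace can obtain that
    account's token and with it the cluster-wide metrics access."""
    findings = []
    for crb in json.loads(crb_json).get("items", []):
        role = crb.get("roleRef", {})
        if role.get("kind") != "ClusterRole" or role.get("name") not in watched_roles:
            continue
        for subj in crb.get("subjects") or []:
            if subj.get("kind") != "ServiceAccount":
                continue  # users and groups are reviewed separately
            ns = subj.get("namespace", "")
            if ns in allowed_namespaces:
                continue
            findings.append((crb["metadata"]["name"], ns, subj["name"]))
    return findings


if __name__ == "__main__":
    for binding, ns, sa in find_sa_bindings(SAMPLE_CRB_JSON):
        print(f"{binding}: cluster-monitoring-view granted to ServiceAccount {ns}/{sa}")
```

Against a live cluster, pipe `oc get clusterrolebindings -o json` into `find_sa_bindings` instead of the embedded sample.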

Remediation

Users can upgrade to Red Hat OpenShift distributed tracing Tempo version 3.5.1, which is available through the Red Hat Hybrid Cloud Console. For details on applying the update, refer to the Red Hat documentation on upgrading operators.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 1.4
impact: 0.6
exploitability: 5.2
remediation: 8.3
relevance: 0.0
threat: 1.6
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.