Red Hat OpenShift Router Server-Side Request Forgery Vulnerability via FQDN EndpointSlice

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in the OpenShift Router component of Red Hat OpenShift Container Platform 4. This flaw allows users with EndpointSlice write access to create a Service linked to an FQDN EndpointSlice that resolves to a cloud metadata endpoint. When this Service is accessed, the router proxies requests to the metadata endpoint, potentially disclosing instance credentials and other sensitive information. The existing security checks validate IP address endpoints only; because FQDN endpoints are not subjected to the same validation, a hostname can be used to reach an address that would otherwise be rejected.

Impact

Exploitation of this vulnerability allows for server-side request forgery, enabling the router to access cloud metadata endpoints and retrieve sensitive instance information, including credentials.

Reproduction

To reproduce this vulnerability, create a Service backed by an FQDN EndpointSlice whose hostname resolves to a cloud metadata endpoint, such as 169.254.169.254. Then, create a Route targeting that Service. The router will proxy requests to the metadata endpoint, allowing access to sensitive instance data.
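As a defender-side check added here (not part of this advisory or of the OpenShift code base), the following script audits EndpointSlices for FQDN backends that currently resolve into link-local or loopback ranges, which is where the metadata endpoint named above lives. The slice names, namespaces and the DNS mapping are constructed so the script runs offline.

```python
import ipaddress
from typing import Callable, Dict, List

# Constructed sample shaped like `kubectl get endpointslices -A -o json` (abridged).
SAMPLE_ENDPOINTSLICES: Dict = {"items": [
    {"metadata": {"name": "web-7f9c2", "namespace": "shop"},
     "addressType": "IPv4", "endpoints": [{"addresses": ["10.128.2.14"]}]},
    {"metadata": {"name": "partner-api", "namespace": "integration"},
     "addressType": "FQDN", "endpoints": [{"addresses": ["api.partner.example"]}]},
    {"metadata": {"name": "lookup", "namespace": "tenant-a"},
     "addressType": "FQDN", "endpoints": [{"addresses": ["md.example.test"]}]},
]}

# Constructed resolver standing in for DNS so the audit runs offline;
# in a real cluster pass a function that performs an actual lookup.
SAMPLE_DNS: Dict[str, List[str]] = {
    "api.partner.example": ["203.0.113.10"],
    "md.example.test": ["169.254.169.254"],
}

# Ranges a router backend should never land in: IPv4/IPv6 link-local
# (cloud metadata services answer on 169.254.169.254) and loopback.
FORBIDDEN = [ipaddress.ip_network(n) for n in
             ("169.254.0.0/16", "fe80::/10", "127.0.0.0/8", "::1/128")]


def is_forbidden(ip: str) -> bool:
    """True if the address falls inside a range the router must not proxy to."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in FORBIDDEN)


def audit_fqdn_endpointslices(slices: Dict,
                              resolve: Callable[[str], List[str]]) -> List[Dict]:
    """One finding per FQDN endpoint that currently resolves into a forbidden range.
    Resolution is point-in-time: a name that is clean now can be repointed later,
    so treat this as a detection aid, not a substitute for the vendor fix."""
    findings = []
    for item in slices.get("items", []):
        if item.get("addressType") != "FQDN":
            continue  # IP-based slices are already validated by the router
        meta = item["metadata"]
        for ep in item.get("endpoints", []):
            for host in ep.get("addresses", []):
                for ip in resolve(host):
                    if is_forbidden(ip):
                        findings.append({"namespace": meta["namespace"],
                                         "name": meta["name"],
                                         "fqdn": host, "resolved": ip})
    return findings
```

Run it periodically, or on EndpointSlice admission, and alert on any finding; pair it with RBAC that restricts EndpointSlice write access to the controllers that need it.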

Added: May 29, 2026, 11:19 AM
Updated: May 29, 2026, 11:19 AM

Vulnerability Rating

Custom Algorithm
spread: 5.0
impact: 2.9
exploitability: 6.2
remediation: 8.3
relevance: 9.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.