IBM Turbonomic Prometheus Integration Agent Excessive Permissions Vulnerability
Vulnerability
A vulnerability exists in the IBM Turbonomic prometurbo agent versions 8.16.0 through 8.17.6, the component used to integrate with Prometheus and collect application metrics. The agent is granted excessive cluster-wide permissions, including unrestricted read access to all Kubernetes Secrets. An attacker who compromises the operator or its service account could use that access to exfiltrate sensitive credentials, escalate privileges, and potentially achieve full cluster compromise.
Impact
Exploitation of this vulnerability gives an attacker read access to every Secret in the cluster, not only those in the agent's own namespace. Credentials recovered this way can be used to escalate privileges and potentially take over the entire cluster.
Remediation
Users are advised to upgrade to IBM Turbonomic prometurbo agent version 8.18.0, following the installation instructions in the IBM Turbonomic documentation. After upgrading, confirm that the agent's service account no longer holds cluster-wide read access to Secrets.
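The check a cluster operator would want here is an audit of which subjects can read every Secret cluster-wide. The script below is an added example, not IBM's or the prometurbo project's code: it walks ClusterRole and ClusterRoleBinding objects (the shape returned by `kubectl get clusterroles,clusterrolebindings -o json`), flags rules that grant get/list/watch on Secrets in the core API group, and reports the subjects bound to such roles. It only counts ClusterRoleBindings, because the same ClusterRole referenced from a namespaced RoleBinding grants access in that namespace only. The embedded sample data, including the role names `metrics-agent-broad` and `metrics-agent-minimal` and the `monitoring` namespace, is constructed for illustration and does not describe the actual prometurbo manifests; the minimal role shows the least-privilege shape a metrics scraper needs.

```python
"""Audit Kubernetes RBAC for cluster-wide read access to Secrets.

Added example (not IBM's or prometurbo's code). Run as-is against the
constructed sample below, or feed a live cluster's objects on stdin:
    kubectl get clusterroles,clusterrolebindings -o json | python audit.py --stdin
"""
import json
import sys

READ_VERBS = {"get", "list", "watch", "*"}


def rule_reads_secrets(rule):
    """True if a PolicyRule grants read access to Secrets in the core API group.

    A rule pinned to specific resourceNames is treated as a scoped grant,
    not a blanket one, so it is not flagged.
    """
    if rule.get("resourceNames"):
        return False
    groups = rule.get("apiGroups", [])
    resources = rule.get("resources", [])
    verbs = set(rule.get("verbs", []))
    core_group = "" in groups or "*" in groups
    secrets = "secrets" in resources or "*" in resources
    return core_group and secrets and bool(verbs & READ_VERBS)


def secret_reading_cluster_roles(items):
    """Names of ClusterRoles with at least one Secret-reading rule."""
    return {
        obj["metadata"]["name"]
        for obj in items
        if obj.get("kind") == "ClusterRole"
        and any(rule_reads_secrets(r) for r in obj.get("rules") or [])
    }


def find_cluster_wide_secret_readers(items):
    """Subjects that can read every Secret in the cluster.

    Only ClusterRoleBindings count: a ClusterRole referenced from a
    namespaced RoleBinding is limited to that namespace.
    """
    risky = secret_reading_cluster_roles(items)
    findings = []
    for obj in items:
        if obj.get("kind") != "ClusterRoleBinding":
            continue
        ref = obj["roleRef"]
        if ref["kind"] != "ClusterRole" or ref["name"] not in risky:
            continue
        for s in obj.get("subjects") or []:
            ns = s.get("namespace")
            subject = f'{s["kind"]}:{ns}/{s["name"]}' if ns else f'{s["kind"]}:{s["name"]}'
            findings.append({
                "binding": obj["metadata"]["name"],
                "clusterRole": ref["name"],
                "subject": subject,
            })
    return findings


# Constructed sample in `kubectl ... -o json` shape; all names are hypothetical.
SAMPLE = {
    "kind": "List",
    "items": [
        {   # Over-broad: "secrets" in the resource list with no resourceNames.
            "kind": "ClusterRole",
            "metadata": {"name": "metrics-agent-broad"},
            "rules": [{"apiGroups": [""],
                       "resources": ["pods", "nodes", "services", "secrets"],
                       "verbs": ["get", "list", "watch"]}],
        },
        {   # Least privilege: only what a metrics scraper needs to discover targets.
            "kind": "ClusterRole",
            "metadata": {"name": "metrics-agent-minimal"},
            "rules": [{"apiGroups": [""],
                       "resources": ["pods", "nodes", "services", "endpoints"],
                       "verbs": ["get", "list", "watch"]}],
        },
        {
            "kind": "ClusterRoleBinding",
            "metadata": {"name": "metrics-agent-broad"},
            "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                        "kind": "ClusterRole", "name": "metrics-agent-broad"},
            "subjects": [{"kind": "ServiceAccount", "name": "metrics-agent",
                          "namespace": "monitoring"}],
        },
        {
            "kind": "ClusterRoleBinding",
            "metadata": {"name": "metrics-agent-minimal"},
            "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                        "kind": "ClusterRole", "name": "metrics-agent-minimal"},
            "subjects": [{"kind": "ServiceAccount", "name": "metrics-agent-hardened",
                          "namespace": "monitoring"}],
        },
    ],
}


def main():
    data = json.load(sys.stdin) if "--stdin" in sys.argv else SAMPLE
    findings = find_cluster_wide_secret_readers(data["items"])
    for f in findings:
        print(f'{f["subject"]} can read all Secrets via ClusterRoleBinding '
              f'{f["binding"]} -> ClusterRole {f["clusterRole"]}')
    return 1 if findings else 0  # non-zero exit makes it usable as a CI gate


if __name__ == "__main__":
    sys.exit(main())
```

For a quick spot check of a single account without running the script, `kubectl auth can-i list secrets --all-namespaces --as=system:serviceaccount:<namespace>:<serviceaccount>` answers the same question for one subject; the script is for sweeping every binding in the cluster, for instance before and after the upgrade.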
