CVE-2024-45497: Incorrect Permission Assignment for Critical Resource
A flaw was found in the OpenShift build process, where the docker-build container is configured with a hostPath volume mount that maps the node's /var/lib/kubelet/config.json file into the build pod. This file contains sensitive credentials necessary for pulling images from private repositories. The mount is not read-only, which allows the attacker to overwrite it. By modifying the config.json file, the attacker can cause a denial of service by preventing the node from pulling new images and potentially exfiltrating sensitive secrets. This flaw impacts the availability of services dependent on image pulls and exposes sensitive information to unauthorized parties.
AI Analysis
Technical Summary
CVE-2024-45497 is a vulnerability identified in OpenShift version 4.16 affecting the docker-build container configuration. The issue arises because the build container mounts the host node's /var/lib/kubelet/config.json file as a hostPath volume into the build pod without enforcing read-only permissions. This config.json file contains sensitive credentials required for authenticating and pulling container images from private registries. Since the mount is writable, an attacker who gains access to the build pod can overwrite or modify this file. Such modification can disrupt the node's ability to pull new images, leading to denial of service (DoS) for workloads dependent on image updates. Additionally, by manipulating or reading this file, attackers may exfiltrate sensitive credentials, compromising confidentiality. The vulnerability requires the attacker to have privileges to run or control builds within the OpenShift environment but does not require user interaction. The CVSS 3.1 base score is 7.6 (high), reflecting a network attack vector, low attack complexity, required privileges, no user interaction, impacts on confidentiality and integrity, and a high impact on availability. No known exploits have been reported in the wild as of the publication date. The flaw highlights a misconfiguration in volume mount permissions that can be exploited to escalate privileges and disrupt cluster operations.
Potential Impact
For European organizations deploying OpenShift 4.16, this vulnerability poses significant risks. The ability to overwrite kubelet configuration files can lead to denial of service by preventing nodes from pulling updated container images, potentially causing service outages or degraded performance. Organizations relying on private container registries are at risk of credential exposure, which could lead to unauthorized access to proprietary or sensitive container images. This exposure can cascade into further compromise of internal systems if attackers leverage stolen credentials. The disruption of image pulls can affect continuous integration/continuous deployment (CI/CD) pipelines, delaying software updates and security patches. Given the critical role of container orchestration in modern cloud-native applications, the impact on availability and confidentiality can be substantial, especially in sectors like finance, healthcare, and critical infrastructure prevalent in Europe. The requirement for attacker privileges to run builds limits the attack surface but does not eliminate risk, particularly in multi-tenant or large-scale environments where build permissions may be more widely granted.
Mitigation Recommendations
To mitigate CVE-2024-45497, European organizations should immediately audit their OpenShift 4.16 environments for docker-build container configurations that mount the node's /var/lib/kubelet/config.json file through a writable hostPath volume. The mount should be changed to read-only to prevent overwriting. If possible, restrict or remove hostPath volume mounts that expose sensitive node files to build pods. Implement strict role-based access control (RBAC) policies to limit which users or service accounts can initiate builds or modify build configurations. Monitor build pod activity and file system changes on nodes for suspicious behavior indicative of attempts to modify kubelet config files. Apply any available patches or updates from Red Hat as soon as they are released. Additionally, consider isolating build environments and using image pull secrets with minimal privileges. Regularly rotate the credentials stored in config.json and audit access logs for anomalous access patterns. Employ network segmentation to limit exposure of critical nodes and registries.
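The audit step above (find build pods that expose /var/lib/kubelet/config.json through a writable hostPath volume) can be automated against pod manifests. The following Python is an added example written for this advisory; it is not Red Hat's or OpenShift's own tooling. It assumes the standard v1.Pod JSON shape that `kubectl get pod <name> -o json` returns, and the sample pods it checks are constructed here: the volume name `node-pullsecrets`, the image name and the pod name are illustrative, only the `docker-build` container name and the kubelet path come from the advisory. It flags a mount as risky when the hostPath covers the config.json file (the file itself or any ancestor directory, after accounting for `subPath`) and `readOnly` is absent or false, which is the weak setting; the hardened form sets `readOnly: true`.

```python
"""Audit Pod manifests for writable hostPath mounts exposing kubelet credentials.

Added example for CVE-2024-45497, not OpenShift's own code. Operates on the
v1.Pod structure as emitted by `kubectl get pod -o json` (assumed shape).
"""
import json
import posixpath

# Node file whose writable exposure is the concern of this advisory.
SENSITIVE_HOST_PATHS = ("/var/lib/kubelet/config.json",)


def _covers(mount_host_path, sensitive):
    """True if mounting mount_host_path exposes `sensitive`: the path is the
    file itself or an ancestor directory of it."""
    m = posixpath.normpath(mount_host_path)
    s = posixpath.normpath(sensitive)
    return s == m or s.startswith(m.rstrip("/") + "/")


def find_writable_sensitive_mounts(pod):
    """Return (container, volume, effective host path) for every volumeMount
    that exposes a sensitive node file without readOnly: true.

    A missing readOnly key means the mount is writable, which is exactly the
    misconfiguration described in the advisory."""
    spec = pod.get("spec", {})
    host_paths = {}
    for vol in spec.get("volumes", []):
        hp = vol.get("hostPath")
        if hp and "path" in hp:
            host_paths[vol["name"]] = hp["path"]

    findings = []
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    for c in containers:
        for vm in c.get("volumeMounts", []):
            host = host_paths.get(vm.get("name"))
            if host is None:
                continue  # not backed by a hostPath volume
            # subPath narrows the mount to one entry beneath the host path.
            effective = posixpath.join(host, vm["subPath"]) if vm.get("subPath") else host
            if vm.get("readOnly", False):
                continue  # read-only mounts cannot be overwritten from the pod
            for s in SENSITIVE_HOST_PATHS:
                if _covers(effective, s):
                    findings.append((c["name"], vm["name"], effective))
    return findings


def constructed_build_pod(host_path, read_only=None, sub_path=None):
    """Constructed sample resembling a build pod (illustrative names, not the
    OpenShift build controller's real manifest)."""
    mount = {"name": "node-pullsecrets", "mountPath": "/var/lib/kubelet/config.json"}
    if read_only is not None:
        mount["readOnly"] = read_only
    if sub_path is not None:
        mount["subPath"] = sub_path
    return {
        "apiVersion": "v1",
        "kind": "Pod",
        "metadata": {"name": "example-build-1"},
        "spec": {
            "volumes": [{"name": "node-pullsecrets", "hostPath": {"path": host_path}}],
            "containers": [{"name": "docker-build", "image": "example/builder",
                            "volumeMounts": [mount]}],
        },
    }


# Weak setting: readOnly omitted, so the pod can overwrite the node's pull secrets.
VULNERABLE_POD = constructed_build_pod("/var/lib/kubelet/config.json")
# Corrected setting: the same mount with readOnly: true.
HARDENED_POD = constructed_build_pod("/var/lib/kubelet/config.json", read_only=True)
# Writable mount of the parent directory still exposes config.json.
DIRECTORY_POD = constructed_build_pod("/var/lib/kubelet")
# Writable mount narrowed by subPath to a sibling entry does not expose it.
SUBPATH_POD = constructed_build_pod("/var/lib/kubelet", sub_path="pods")


if __name__ == "__main__":
    for label, pod in [("vulnerable", VULNERABLE_POD), ("hardened", HARDENED_POD),
                       ("directory", DIRECTORY_POD), ("subpath", SUBPATH_POD)]:
        print(label, json.dumps(find_writable_sensitive_mounts(pod)))
```

To run it against a live cluster, feed each item of `kubectl get pods -A -o json` (the `items` array) to `find_writable_sensitive_mounts`; any finding is a pod whose build container should have its mount switched to `readOnly: true` or the hostPath volume removed.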
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: redhat
- Date Reserved: 2024-08-30T10:12:13.684Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68467fab71f4d251b582404b
Added to database: 6/9/2025, 6:31:07 AM
Last enriched: 2/4/2026, 8:22:54 AM
Last updated: 2/7/2026, 11:00:53 AM