
CVE-2024-45497: Incorrect Permission Assignment for Critical Resource

Severity: High
Type: Vulnerability
Published: Tue Dec 31 2024 (12/31/2024, 02:19:22 UTC)
Source: CVE Database V5

Description

A flaw was found in the OpenShift build process, where the docker-build container is configured with a hostPath volume mount that maps the node's /var/lib/kubelet/config.json file into the build pod. This file contains the credentials the node needs to pull images from private repositories. The mount is not read-only, so a process inside the build container can overwrite it. By modifying the config.json file, an attacker can cause a denial of service by preventing the node from pulling new images, and can potentially exfiltrate the secrets it contains. This flaw impacts the availability of services that depend on image pulls and exposes sensitive information to unauthorized parties.

AI-Powered Analysis

Last updated: 07/09/2025, 06:54:31 UTC

Technical Analysis

CVE-2024-45497 is a high-severity vulnerability affecting OpenShift version 4.16, specifically related to the build process involving docker-build containers. The vulnerability arises because the docker-build container mounts the host's /var/lib/kubelet/config.json file into the build pod using a hostPath volume mount. This file contains sensitive credentials used by the node to pull container images from private repositories. Critically, the mount is not set to read-only, which allows an attacker with at least limited privileges to overwrite this configuration file. By modifying config.json, an attacker can disrupt the node's ability to pull new images, causing a denial of service (DoS) that impacts the availability of services relying on these images. Furthermore, the attacker may exfiltrate sensitive secrets contained within the file, compromising confidentiality. The vulnerability requires some level of privileges (PR:L) but no user interaction (UI:N), and it can be exploited remotely (AV:N). The impact affects confidentiality, integrity, and availability, with the most severe effect being availability due to potential DoS. Although no known exploits are currently reported in the wild, the vulnerability's nature and ease of exploitation make it a significant risk for environments using OpenShift 4.16. The flaw stems from incorrect permission assignment and insecure volume mount configuration, which violates the principle of least privilege and secure defaults in container orchestration environments.

Potential Impact

For European organizations using OpenShift 4.16, this vulnerability poses a substantial risk to the availability and confidentiality of containerized applications. Disruption of image pulls can lead to service outages, impacting business continuity, especially for critical infrastructure, financial services, healthcare, and public sector organizations that rely heavily on containerized workloads. The potential exfiltration of sensitive credentials could lead to further compromise of private container registries, enabling attackers to deploy malicious images or escalate attacks within the network. Given the widespread adoption of OpenShift in Europe for hybrid cloud and on-premises deployments, the vulnerability could affect a broad range of sectors. The DoS aspect could also impact cloud service providers and managed service providers operating in Europe, leading to cascading effects on their customers. Additionally, the exposure of secrets may contravene GDPR requirements regarding data protection and breach notification, increasing regulatory and reputational risks for affected organizations.

Mitigation Recommendations

European organizations should immediately audit their OpenShift 4.16 environments to identify any docker-build pods with hostPath volume mounts to /var/lib/kubelet/config.json. The mount must be changed to read-only to prevent overwriting. If possible, upgrade to a patched OpenShift version once available from Red Hat. In the interim, implement strict Role-Based Access Control (RBAC) policies to limit who can create or modify build pods and volume mounts. Employ runtime security tools to monitor and alert on unauthorized changes to critical files like config.json. Use image pull secrets with minimal privileges and rotate these credentials regularly. Network segmentation should be enforced to limit access to nodes and build pods. Additionally, consider implementing admission controllers or Pod Security Policies that prevent insecure hostPath mounts. Regularly review audit logs for suspicious activity related to build pods and image pulls. Finally, conduct incident response drills to prepare for potential DoS or credential compromise scenarios.
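The audit step above can be automated. The following script is an added example (not Red Hat's or OpenShift's own tooling): it walks the JSON that `oc get pods -A -o json` produces and reports every container whose hostPath volume exposes /var/lib/kubelet/config.json without `readOnly: true`. It also flags hostPath volumes that mount a parent directory (for example /var/lib/kubelet or /), since those expose the file just as well as a direct mount. The pod list embedded below is a constructed sample, not data from a real cluster.

```python
import json
import posixpath
TARGET = "/var/lib/kubelet/config.json"  # node pull-secret file named in CVE-2024-45497
# Constructed sample in the shape of `oc get pods -A -o json`; not data from a real cluster.
SAMPLE_PODS = json.loads("""
{"items": [
 {"metadata": {"namespace": "app-ci", "name": "app-1-build"},
  "spec": {"volumes": [{"name": "node-pullsecrets",
                        "hostPath": {"path": "/var/lib/kubelet/config.json", "type": "File"}}],
          "containers": [{"name": "docker-build", "volumeMounts": [
             {"name": "node-pullsecrets", "mountPath": "/var/lib/kubelet/config.json"}]}]}},
 {"metadata": {"namespace": "app-ci", "name": "app-2-build"},
  "spec": {"volumes": [{"name": "node-pullsecrets",
                        "hostPath": {"path": "/var/lib/kubelet/config.json", "type": "File"}}],
          "containers": [{"name": "docker-build", "volumeMounts": [
             {"name": "node-pullsecrets", "mountPath": "/var/lib/kubelet/config.json",
              "readOnly": true}]}]}},
 {"metadata": {"namespace": "infra", "name": "node-agent"},
  "spec": {"volumes": [{"name": "kubelet-dir", "hostPath": {"path": "/var/lib/kubelet/"}}],
          "containers": [{"name": "agent", "volumeMounts": [
             {"name": "kubelet-dir", "mountPath": "/host/kubelet"}]}]}}
]}
""")

def exposes_target(host_path, target=TARGET):
    # True if the hostPath is the target file itself or a directory that contains it.
    hp = posixpath.normpath(host_path)
    return hp == target or target.startswith(hp.rstrip("/") + "/")

def find_writable_mounts(pod_list, target=TARGET):
    # Return (namespace, pod, container, hostPath, mountPath) for every mount that exposes
    # the target file without readOnly: true, i.e. the CVE-2024-45497 condition.
    findings = []
    for pod in pod_list.get("items", []):
        meta, spec = pod.get("metadata", {}), pod.get("spec", {})
        host_paths = {v["name"]: v["hostPath"]["path"]
                      for v in spec.get("volumes", []) if "hostPath" in v}
        for ctr in spec.get("initContainers", []) + spec.get("containers", []):
            for m in ctr.get("volumeMounts", []):
                path = host_paths.get(m.get("name"))
                if path and exposes_target(path, target) and not m.get("readOnly", False):
                    findings.append((meta.get("namespace"), meta.get("name"),
                                     ctr.get("name"), path, m.get("mountPath")))
    return findings

if __name__ == "__main__":
    for ns, pod, ctr, hp, mp in find_writable_mounts(SAMPLE_PODS):
        print("WRITABLE %s -> %s/%s container %s at %s" % (hp, ns, pod, ctr, mp))
```

Against the sample, only app-1-build (direct writable mount) and node-agent (writable parent-directory mount) are reported; app-2-build, whose mount is read-only, is not.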


Technical Details

Data Version: 5.1
Assigner Short Name: redhat
Date Reserved: 2024-08-30T10:12:13.684Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68467fab71f4d251b582404b

Added to database: 6/9/2025, 6:31:07 AM

Last enriched: 7/9/2025, 6:54:31 AM

Last updated: 7/30/2025, 10:49:58 AM

