
CVE-2024-45497: Incorrect Permission Assignment for Critical Resource

Severity: High
Published: Tue Dec 31 2024 (12/31/2024, 02:19:22 UTC)
Source: CVE Database V5

Description

A flaw was found in the OpenShift build process, where the docker-build container is configured with a hostPath volume mount that maps the node's /var/lib/kubelet/config.json file into the build pod. This file contains sensitive credentials necessary for pulling images from private repositories. The mount is not read-only, which allows the attacker to overwrite it. By modifying the config.json file, the attacker can cause a denial of service by preventing the node from pulling new images and potentially exfiltrating sensitive secrets. This flaw impacts the availability of services dependent on image pulls and exposes sensitive information to unauthorized parties.

AI-Powered Analysis

AI analysis last updated: 11/20/2025, 21:43:45 UTC

Technical Analysis

CVE-2024-45497 is a vulnerability identified in OpenShift version 4.16 affecting the docker-build container configuration. The issue arises because the build container mounts the node's /var/lib/kubelet/config.json file as a hostPath volume into the build pod with read-write permissions instead of read-only. This config.json file contains sensitive credentials required for authenticating and pulling container images from private registries. Since the mount is writable, an attacker who can execute builds within OpenShift can modify or overwrite this file. Such modification can disrupt the node’s ability to pull new container images, causing denial of service for workloads dependent on image updates. Additionally, the attacker may exfiltrate sensitive credentials stored in the config.json file, leading to confidentiality breaches. The vulnerability requires the attacker to have build pod privileges (PR:L) but does not require user interaction (UI:N). The CVSS score of 7.6 reflects a high severity due to the combination of confidentiality, integrity, and availability impacts. Although no exploits are currently known in the wild, the vulnerability poses a significant risk to environments relying on OpenShift for container orchestration, especially those using private image registries. The flaw highlights a misconfiguration in volume mount permissions that should be corrected to prevent unauthorized modification of critical node configuration files.

Potential Impact

For European organizations, this vulnerability can have severe operational and security consequences. Organizations using OpenShift 4.16 with private container registries risk service disruption due to denial of service caused by failed image pulls, potentially affecting production workloads and continuous deployment pipelines. The exposure of sensitive credentials in config.json can lead to unauthorized access to private registries, enabling attackers to steal proprietary container images or inject malicious images into the supply chain. This can undermine the integrity of deployed applications and lead to further compromise. The disruption of container image pulls can impact availability of critical services, especially in sectors like finance, healthcare, and manufacturing where containerized applications are integral. Confidentiality breaches may also violate data protection regulations such as GDPR, leading to legal and reputational damage. The requirement for build pod privileges means insider threats or compromised developer accounts pose a significant risk vector. Overall, the vulnerability threatens confidentiality, integrity, and availability of containerized workloads in European enterprises relying on OpenShift.

Mitigation Recommendations

To mitigate CVE-2024-45497, organizations should immediately audit and restrict volume mount permissions in OpenShift build pods to ensure that sensitive hostPath volumes such as /var/lib/kubelet/config.json are mounted as read-only or not mounted at all. Implement strict role-based access control (RBAC) to limit who can create or modify build pods and restrict build privileges to trusted users only. Monitor build pod activities and file system changes to detect unauthorized modifications to critical configuration files. Apply any available vendor patches or updates from Red Hat as soon as they are released. Consider isolating build environments from nodes containing sensitive credentials or using alternative build strategies that do not require mounting sensitive host paths. Regularly rotate credentials stored in config.json and audit container registry access logs for suspicious activity. Employ runtime security tools to detect anomalous behavior in build pods. Finally, educate developers and DevOps teams about the risks of privileged build environments and enforce security best practices in CI/CD pipelines.
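The following audit script is an added example, not code from the advisory or from OpenShift: it walks pod specs (the JSON shape `kubectl get pod -o json` returns, constructed inline here) and flags any container that mounts a hostPath under /var/lib/kubelet without `readOnly: true`, which is the misconfiguration described in the Technical Analysis. The pod names and the volume name `node-pullsecrets` are assumptions; the hardened pod shows the same mount declared read-only.

```python
import copy

# Node paths whose hostPath mounts should never be writable from a build pod.
SENSITIVE_HOST_PATHS = ("/var/lib/kubelet",)

def is_sensitive(path):
    """True if the hostPath is one of the sensitive node paths or lies underneath one."""
    return any(path == s or path.startswith(s + "/") for s in SENSITIVE_HOST_PATHS)

def find_writable_sensitive_mounts(pod):
    """Return (container, mountPath, hostPath) for each read-write mount of a sensitive hostPath."""
    spec = pod["spec"]
    host_paths = {v["name"]: v["hostPath"]["path"]
                  for v in spec.get("volumes", []) if "hostPath" in v}
    findings = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        for m in c.get("volumeMounts", []):
            path = host_paths.get(m["name"])
            # readOnly defaults to false when omitted; that omission is the CVE-2024-45497 condition.
            if path is not None and is_sensitive(path) and not m.get("readOnly", False):
                findings.append((c["name"], m["mountPath"], path))
    return findings

# Constructed pod spec shaped like the vulnerable docker-build pod described above
# (pod name and volume name are assumptions, not taken from OpenShift).
VULNERABLE_BUILD_POD = {
    "metadata": {"name": "example-build-1-build"},
    "spec": {
        "volumes": [{"name": "node-pullsecrets",
                     "hostPath": {"path": "/var/lib/kubelet/config.json", "type": "File"}}],
        "containers": [{"name": "docker-build",
                        "volumeMounts": [{"name": "node-pullsecrets",
                                          "mountPath": "/var/lib/kubelet/config.json"}]}],
    },
}

# Hardened variant: the same mount declared read-only, as the mitigation section calls for.
HARDENED_BUILD_POD = copy.deepcopy(VULNERABLE_BUILD_POD)
HARDENED_BUILD_POD["metadata"]["name"] = "example-build-2-build"
HARDENED_BUILD_POD["spec"]["containers"][0]["volumeMounts"][0]["readOnly"] = True

if __name__ == "__main__":
    for pod in (VULNERABLE_BUILD_POD, HARDENED_BUILD_POD):
        name = pod["metadata"]["name"]
        for container, mount, host in find_writable_sensitive_mounts(pod):
            print(f"{name}: container {container} mounts {host} read-write at {mount}")
```

Feeding the script the output of `oc get pods -A -o json` (iterating over `items`) turns it into a cluster-wide check; a mount whose hostPath is not declared, or that carries `readOnly: true`, produces no finding.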


Technical Details

Data Version
5.1
Assigner Short Name
redhat
Date Reserved
2024-08-30T10:12:13.684Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 68467fab71f4d251b582404b

Added to database: 6/9/2025, 6:31:07 AM

Last enriched: 11/20/2025, 9:43:45 PM

Last updated: 12/1/2025, 9:13:50 PM
