
CVE-2024-45497: Incorrect Permission Assignment for Critical Resource

Severity: High
Published: Tue Dec 31 2024 (12/31/2024, 02:19:22 UTC)
Source: CVE Database V5

Description

A flaw was found in the OpenShift build process, where the docker-build container is configured with a hostPath volume mount that maps the node's /var/lib/kubelet/config.json file into the build pod. This file contains sensitive credentials necessary for pulling images from private repositories. The mount is not read-only, which allows the attacker to overwrite it. By modifying the config.json file, the attacker can cause a denial of service by preventing the node from pulling new images and potentially exfiltrating sensitive secrets. This flaw impacts the availability of services dependent on image pulls and exposes sensitive information to unauthorized parties.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/28/2026, 06:58:24 UTC

Technical Analysis

CVE-2024-45497 is an incorrect permission assignment flaw in the OpenShift 4.16 build process. The docker-build container of a build pod receives the node's /var/lib/kubelet/config.json through a hostPath volume. That file is the kubelet's registry pull configuration: it holds the credentials the node presents to private registries when it pulls images.

The defect is that the mount is writable rather than read-only. Anyone who can run code inside the build pod, whether a user who is allowed to start a build or an attacker who has compromised a build step, can overwrite or corrupt the file on the node. A corrupted or emptied config.json leaves the node unable to authenticate to its registries, so new image pulls fail and every workload scheduled there that needs a fresh pull is affected: a denial of service. The same mount also exposes the file's contents to the build container. Read access alone is enough to copy the pull credentials out of the cluster; the writable mount adds the ability to tamper with them.

The CVSS 3.1 base score is 7.6 (high): network attack vector, low attack complexity, low privileges required, no user interaction, low impact on confidentiality and integrity and high impact on availability. The affected version recorded here is OpenShift 4.16, and the record was published on December 31, 2024. No exploitation in the wild is reported, but the credentials involved and the central role of image pulls in cluster operation make the issue significant.

The root cause is the permission on the hostPath mount: a file the build only needs to read was mounted read-write. Node-level files mounted into workload pods should be read-only. Note that a read-only mount removes the overwrite and denial-of-service path but does not by itself stop a build container from reading the credentials, so exposure of the file's contents has to be handled separately.

Potential Impact

Overwriting the kubelet's config.json denies the node the credentials it needs to pull from private registries. New pods that require an image pull fail to start on that node, deployment pipelines and rolling updates stall, and the disruption lasts until the file is restored, so the practical effect is downtime or degraded availability for anything scheduled there.

Exposure of the file's contents is the second concern. The pull credentials in config.json grant access to the organization's private registries. An attacker who copies them can pull proprietary images and, if the same accounts also carry push rights, publish tampered images under trusted names. That is a confidentiality risk in every case and, for registries where the credentials allow writes, an integrity risk for every workload built from those images.

The attack needs only the privileges of a build pod and no user interaction, which puts it within reach of insiders with build permissions and of attackers who have compromised a build step, a base image or a build dependency. Every node that schedules build pods on a vulnerable OpenShift version is in scope, so large clusters with shared build infrastructure are the most exposed. The combination of an availability impact, credential disclosure and a possible supply-chain vector makes this a serious operational and security risk for organizations relying on OpenShift for container orchestration.

Mitigation Recommendations

The fix for CVE-2024-45497 ships in the OpenShift update that addresses the advisory, so applying the vendor update to affected 4.16 clusters is the first step. OpenShift generates build pods itself from the Build object rather than from a user-supplied pod spec, so the hostPath mount cannot simply be edited out by the cluster user; the durable correction is the updated build controller that mounts /var/lib/kubelet/config.json read-only. After upgrading, verify that build pods no longer carry a writable hostPath mount of that path.

Until the update is in place, reduce who can reach the mount and what they can do with it. Restrict build permissions with RBAC so that only trusted users and service accounts can create BuildConfigs or start builds, and review existing bindings that grant build rights broadly. Treat a writable hostPath mount of a node credential file as a detection target: alert on build pods whose volumes map /var/lib/kubelet, and on any write to config.json on a node that does not come from the cluster's own machine configuration. Use runtime security tooling that can block writes to sensitive hostPath mounts from within containers. Run builds on dedicated nodes so that a tampered config.json affects only build capacity rather than production workloads.

Treat the credentials in config.json as potentially exposed on any node that has hosted an untrusted build. Rotate the cluster pull secret and the registry accounts it contains, then review registry access logs for pulls (and pushes, where the accounts allow them) from unexpected sources. Finally, make writable hostPath mounts a standing review item for build and deployment templates so the pattern does not return.
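As an added example (not code from the advisory or from OpenShift), the Python below puts the vulnerable mount described in the technical analysis next to the corrected one and runs the audit check recommended above over both: it flags any hostPath mount of a sensitive node path that is not marked readOnly, including mounts narrowed with subPath, and lists which registry accounts a leaked config.json would require rotating. The volume and container names, the mount path and the sample config.json contents are constructed assumptions, not OpenShift's real values.

```python
"""Flag writable hostPath mounts of sensitive node files in pod specs.

Added example for the CVE-2024-45497 discussion; it is not code from the
advisory or from OpenShift. The two pod specs below are constructed to mirror
the vulnerable and the corrected docker-build mount; their volume names,
container names and mount path are assumptions, not OpenShift's real values.
"""
import base64
import json
import posixpath
import sys

# Node paths that should never be writable from inside a workload pod.
# /var/lib/kubelet/config.json (the kubelet's registry pull credentials) sits
# under the first prefix; /etc/kubernetes holds kubeconfigs and certificates.
SENSITIVE_HOST_PATHS = ("/var/lib/kubelet", "/etc/kubernetes")


def _build_pod(name, read_only):
    """Constructed build-pod spec; read_only=False is the vulnerable shape."""
    mount = {"name": "node-pullsecrets", "mountPath": "/var/lib/kubelet/config.json"}
    if read_only:
        mount["readOnly"] = True  # the fix: the build only needs to read the file
    return {
        "metadata": {"name": name, "namespace": "ci"},
        "spec": {
            "volumes": [
                {"name": "node-pullsecrets",
                 "hostPath": {"path": "/var/lib/kubelet/config.json", "type": "File"}},
                {"name": "buildworkdir", "emptyDir": {}},
            ],
            "containers": [{
                "name": "docker-build",
                "image": "example.invalid/openshift/docker-builder:latest",
                "volumeMounts": [mount,
                                 {"name": "buildworkdir", "mountPath": "/tmp/build"}],
            }],
        },
    }


VULNERABLE_BUILD_POD = _build_pod("myapp-1-build", read_only=False)
FIXED_BUILD_POD = _build_pod("myapp-2-build", read_only=True)


def _is_sensitive(path):
    return any(path == p or path.startswith(p + "/") for p in SENSITIVE_HOST_PATHS)


def writable_sensitive_mounts(pod):
    """Return one finding per container mount that exposes a sensitive node
    path read-write. A subPath narrows the mount, so it is joined onto the
    volume's host path before the check."""
    spec = pod.get("spec", {})
    host_paths = {v["name"]: v["hostPath"]["path"]
                  for v in spec.get("volumes", []) if "hostPath" in v}
    findings = []
    for section in ("initContainers", "containers"):
        for container in spec.get(section, []):
            for mount in container.get("volumeMounts", []):
                if mount["name"] not in host_paths:
                    continue
                effective = posixpath.normpath(
                    posixpath.join(host_paths[mount["name"]], mount.get("subPath", "")))
                if mount.get("readOnly", False) or not _is_sensitive(effective):
                    continue
                findings.append({
                    "pod": f"{pod['metadata'].get('namespace', 'default')}/{pod['metadata']['name']}",
                    "container": container["name"],
                    "host_path": effective,
                    "mount_path": mount["mountPath"],
                })
    return findings


def audit_pod_list(pod_list):
    """Audit a PodList document such as the output of `oc get pods -A -o json`."""
    return [f for pod in pod_list.get("items", []) for f in writable_sensitive_mounts(pod)]


# Constructed docker config.json of the shape the kubelet reads; the accounts
# and registry hosts are invented for the example.
SAMPLE_CONFIG_JSON = json.dumps({"auths": {
    "registry.example.internal": {"auth": base64.b64encode(b"builder:s3cret").decode()},
    "quay.example.internal": {"username": "ci-puller", "password": "p4ss"},
}})


def accounts_to_rotate(config_json_text):
    """List (registry, username) pairs stored in a docker config.json without
    printing secrets. If the file was readable from an untrusted build, every
    entry here needs rotation."""
    cfg = json.loads(config_json_text)
    out = []
    for host, entry in sorted(cfg.get("auths", {}).items()):
        user = entry.get("username")
        if user is None and "auth" in entry:
            user = base64.b64decode(entry["auth"]).decode().split(":", 1)[0]
        out.append((host, user))
    return out


if __name__ == "__main__":
    # Pipe `oc get pods -A -o json` in, or run without input for the demo specs.
    doc = json.load(sys.stdin) if not sys.stdin.isatty() else {
        "items": [VULNERABLE_BUILD_POD, FIXED_BUILD_POD]}
    for f in audit_pod_list(doc):
        print(f"WRITABLE {f['host_path']} in {f['pod']} ({f['container']}) at {f['mount_path']}")
    for host, user in accounts_to_rotate(SAMPLE_CONFIG_JSON):
        print(f"rotate {user}@{host}")
```

Run it against a live cluster with `oc get pods -A -o json | python3 audit_hostpath.py`; without piped input it audits the two built-in specs and flags only the vulnerable one. A readOnly mount closes the overwrite path but not the disclosure path, which is why the rotation list is part of the same check.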


Technical Details

Data Version: 5.1
Assigner Short Name: redhat
Date Reserved: 2024-08-30T10:12:13.684Z
CVSS Version: 3.1
State: PUBLISHED


Added to database: 6/9/2025, 6:31:07 AM

Last enriched: 2/28/2026, 6:58:24 AM

Last updated: 3/25/2026, 12:15:11 AM

