CVE-2022-2403: 
NixOS vulnerability analysis and mitigation

A credentials leak vulnerability was discovered in the OpenShift Container Platform where the private key for the external cluster certificate was incorrectly stored in the oauth-serving-cert ConfigMaps, making it accessible to any authenticated OpenShift user or service-account (NVD). The vulnerability, identified as CVE-2022-2403, was discovered in June 2022 and affects OpenShift Container Platform versions 4.9 and 4.10.

The vulnerability has a CVSS v3.1 Base Score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. The issue stems from the incorrect storage of the cluster's external certificate private key in the oauth-serving-cert ConfigMaps, specifically in the openshift-config-managed and openshift-console projects (Bugzilla). The vulnerability is classified under CWE-668 (Exposure of Resource to Wrong Sphere) and CWE-497 (Exposure of Sensitive System Information to an Unauthorized Control Sphere).

The vulnerability allows any authenticated OpenShift user or service account to access the private key for the external cluster certificate by reading the oauth-serving-cert ConfigMap in the openshift-config-managed namespace. This exposure could potentially compromise any web traffic secured using that certificate (NVD).

Red Hat has released fixes for affected versions through security advisories. OpenShift Container Platform 4.10 users should update to version 4.10.24 via RHSA-2022:5664, while OpenShift Container Platform 4.9 users should update to version 4.9.45 via RHSA-2022:5879 (Red Hat Advisory, Red Hat Advisory).