
Cloud Vulnerability DB
A community-led vulnerabilities database
A critical security flaw (CVE-2024-25133) was discovered in the Hive ClusterDeployments resource in OpenShift Dedicated. The vulnerability was disclosed on December 31, 2024. This issue affects the hive/hive-controllers pod in Hive-enabled clusters, potentially allowing developer accounts to gain unauthorized cluster-admin privileges (NVD, Red Hat Bugzilla).
The vulnerability exists in the AWS and Kubernetes client configuration handling within the Hive controllers. When processing ClusterDeployments resources, the controllers attempt to communicate with AWS for PrivateLink setup and with the remote cluster, using configuration supplied by the user who created the resource. The flaw specifically involves the `credential_process` setting in AWS credentials files and the `users[].user.exec` credential plugin in Kubernetes client configurations (kubeconfigs): both instruct the client library to run an external command, so a user who controls those files can have arbitrary commands executed under the controller's privileged service account. The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).
If exploited, this vulnerability allows a developer account on a Hive-enabled cluster to execute arbitrary commands on the hive/hive-controllers pod, effectively gaining cluster-admin privileges. This represents a significant privilege escalation risk that could lead to complete cluster compromise (Red Hat Bugzilla).
The recommended mitigation is to restrict RBAC configuration to only allow users belonging to cluster-admin to create ClusterDeployment.hive.openshift.io resources. If RBAC must be relaxed for dedicated-admin group users, they should be considered capable of performing this privilege escalation. Additionally, the vulnerability has been addressed by removing support for the dangerous credential_process feature and implementing a new mechanism for handling AWS role assumptions (GitHub PR).
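As an added example (not from the advisory and not Hive's own code), the following check screens the two user-supplied inputs named above before they reach a controller: it flags any AWS credentials profile that sets `credential_process` and any kubeconfig user that configures an `exec` plugin. The kubeconfig is passed in already parsed (e.g. via `json.loads` or `yaml.safe_load`) so the script needs only the standard library; all sample inputs are constructed.

```python
"""Flag Hive credential inputs that would run a command on the controller pod.

Added example, not part of the original advisory or of the Hive project.
Inputs checked: an AWS shared credentials file (INI text) for
`credential_process`, and a parsed kubeconfig for `users[].user.exec`.
"""
import configparser
import json


def aws_credential_process_profiles(credentials_text: str) -> list:
    """Names of AWS credentials profiles that set credential_process."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(credentials_text)
    return [s for s in parser.sections() if "credential_process" in parser[s]]


def kubeconfig_exec_users(kubeconfig: dict) -> list:
    """Names of kubeconfig users that configure an exec credential plugin."""
    flagged = []
    for entry in kubeconfig.get("users") or []:
        user = entry.get("user") or {}
        if user.get("exec"):
            flagged.append(entry.get("name", "<unnamed>"))
    return flagged


def audit_cluster_deployment_inputs(credentials_text: str, kubeconfig: dict) -> list:
    """Collect findings; an empty list means neither input can spawn a command."""
    findings = [f"aws profile '{p}' sets credential_process"
                for p in aws_credential_process_profiles(credentials_text)]
    findings += [f"kubeconfig user '{u}' uses an exec credential plugin"
                 for u in kubeconfig_exec_users(kubeconfig)]
    return findings


# Constructed sample inputs (placeholders, not real credentials or paths).
SAFE_AWS = "[default]\naws_access_key_id = EXAMPLEKEYID\naws_secret_access_key = EXAMPLESECRET\n"
BAD_AWS = SAFE_AWS + "[hive]\ncredential_process = /path/to/untrusted-helper\n"
SAFE_KUBECONFIG = json.loads('{"users": [{"name": "admin", "user": {"token": "example"}}]}')
BAD_KUBECONFIG = json.loads('{"users": [{"name": "admin", "user": {"exec": {"command": "/path/to/plugin"}}}]}')

if __name__ == "__main__":
    for finding in audit_cluster_deployment_inputs(BAD_AWS, BAD_KUBECONFIG):
        print("REJECT:", finding)
```

A validating admission webhook or a CI gate for ClusterDeployment secrets can reject the resource whenever the audit returns a non-empty list; it complements, rather than replaces, the RBAC restriction above.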
Source: This report was generated using AI