Beware of Cross-Namespace Requests in Red Hat OpenShift Data Science!

CVE: CVE-2023-0923
CVSS v3.1: 8
Source: CVE-2023-0923

Red Hat OpenShift Data Science (RHODS) is a popular platform for running Jupyter notebooks and machine learning workloads on Kubernetes. However, security researchers recently discovered a vulnerability, tracked as CVE-2023-0923, that could allow unauthorized access to notebooks from other projects or namespaces.

The issue stems from a lack of proper authorization checks in the Kubernetes service that manages Jupyter notebooks. By default, any pod running in OpenShift would be able to make requests to the Jupyter API and potentially access notebook files without permission. An attacker could exploit this by running a specially crafted pod that retrieves notebook contents, even if they are not supposed to have access.

This cross-namespace access flaw poses risks like unintended data leakage, as sensitive files could be exposed to the wrong users. Attackers may also be able to run malicious code in other users’ notebooks or modify their contents.

The good news is that Red Hat has addressed this vulnerability and assigned it a CVSS severity score of 8 out of 10. To protect yourself, make sure to keep your OpenShift installation and RHODS updated with the latest security patches from Red Hat. You should also carefully configure network policies and role-based access controls to restrict communication between namespaces as much as possible, so that a pod in one project cannot reach the notebook API of another.
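As an added example (not configuration from the advisory or from Red Hat), the NetworkPolicy below restricts ingress to notebook pods in one data-science project so that only pods in the same namespace and the OpenShift router can reach them. The namespace name `ds-project-a` and the `notebook-name` pod label are assumptions; check the labels actually present on your notebook pods before applying it. It limits exposure while you patch but does not replace the fix.

```yaml
# Added example, not from the advisory: limit which pods may reach notebook
# pods in a single data-science project namespace.
# Assumptions: the namespace is "ds-project-a" and notebook pods carry a
# "notebook-name" label (verify with: oc get pods -n ds-project-a --show-labels).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: notebooks-same-namespace-only
  namespace: ds-project-a
spec:
  # Select every pod in this namespace that carries the notebook label.
  podSelector:
    matchExpressions:
      - key: notebook-name
        operator: Exists
  policyTypes:
    - Ingress
  ingress:
    # Pods in this same namespace only: an empty podSelector with no
    # namespaceSelector matches all pods of the policy's own namespace.
    - from:
        - podSelector: {}
    # The OpenShift router, so users still reach the notebook through its Route.
    # This namespace label is the one OpenShift documents for openshift-ingress.
    - from:
        - namespaceSelector:
            matchLabels:
              network.openshift.io/policy-group: ingress
```

Apply it with `oc apply -f` and confirm the cluster's network plugin enforces NetworkPolicy (OVN-Kubernetes and OpenShift SDN do); pods in other namespaces should then fail to connect to the notebook pods, while same-namespace pods and Route access keep working.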

If you use RHODS, be on high alert for this vulnerability and contact your Red Hat representative if you have any other security concerns. Taking a defense-in-depth approach is wise to prevent unauthorized access in your data science workloads.
