PatchDay Alert
Daily Digest · 2 min read · 5 CVEs · Issue 31 · By PatchDay Alert

OpenShift ClusterRole blows wide open, Cisco UCM goes from SSRF to root

A CVSS 9.6 privilege escalation in OpenShift Pipelines hands any authenticated user write access to Kueue and cert-manager custom resources, enough to overwrite TLS secrets. Plus a Cisco Unified Communications Manager SSRF-to-root chain (CVSS 8.6) and an overprivileged AWS IAM issue in the OpenShift Cloud Credential Operator.

Patch now: 1 · Within 24h: 1 · This week: 3 · Exploited: 0
Tags: Cisco Unified Communications Manager, Cisco Unified CM SME, Network Appliance, OpenShift Pipelines, Red Hat OpenShift, Kueue, Cert Manager, Linux, Cloud, OP-TEE, OpenShift Cloud Credential Operator, AWS IAM

Nothing burning in the wild today, but two high-severity items deserve your attention before lunch. A CVSS 9.6 privilege escalation in OpenShift Pipelines (CVE-2026-10840) lets any authenticated cluster user tamper with workload scheduling and overwrite TLS secrets, and a Cisco Unified Communications Manager SSRF (CVE-2026-20230, CVSS 8.6) chains to root if WebDialer is enabled. Five total patches, no active exploitation, but don't let the quiet fool you on that OpenShift one.


Today's CVEs

Sorted by urgency

02

CVE-2026-10840

NVD CVSS 9.6 · Patch now · CRITICAL
Tags: OpenShift Pipelines, Red Hat OpenShift, Kueue, Cert Manager, Linux, Cloud

The OpenShift Pipelines operator binds a ClusterRole with write access to Kueue and cert-manager custom resources to the system:authenticated group. That means any authenticated cluster user can tamper with workload scheduling, delete other tenants' Workload objects, or trick cert-manager into overwriting TLS secrets, including the default ingress certificate. This is a CVSS 9.6 privilege escalation that requires only basic cluster authentication.

Included because
authenticated access only; cluster-wide impact; CVSS 9.6; affects shared infrastructure component
Affected estate
OpenShift clusters running the OpenShift Pipelines operator with Kueue or cert-manager CRDs present.
How to check
Run: kubectl get clusterrolebinding tekton-scheduler-rolebinding -o yaml. If 'subjects' includes 'system:authenticated', you're exposed.
Action
Update the OpenShift Pipelines operator to the fixed release. As a stopgap, remove or scope down the tekton-scheduler-rolebinding ClusterRoleBinding.
Urgency
Patch immediately
Why it matters
Any authenticated user can overwrite TLS secrets or disrupt scheduling across the entire cluster, breaking ingress and cross-tenant isolation.
Source
Red Hat Security Advisory
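One way to script the check above, as an added example that is not Red Hat's or the newsletter's own code: it parses the JSON that kubectl emits for ClusterRoleBindings and ClusterRoles and flags any binding that gives system:authenticated (or system:unauthenticated) a write verb on Kueue or cert-manager API groups, which is the shape the advisory describes. The ClusterRole name in the sample is a placeholder; the page only names the binding.

```python
"""Flag ClusterRoleBindings giving system:authenticated write access to Kueue/cert-manager."""
import json
import subprocess

WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection", "*"}
SENSITIVE_GROUPS = {"kueue.x-k8s.io", "cert-manager.io"}
BROAD_GROUPS = {"system:authenticated", "system:unauthenticated"}

def risky_bindings(bindings, roles):
    """Return (binding, role, apiGroups, writeVerbs) for each broad-subject write grant."""
    roles_by_name = {r["metadata"]["name"]: r for r in roles}
    findings = []
    for b in bindings:
        groups = {s.get("name") for s in b.get("subjects") or [] if s.get("kind") == "Group"}
        ref = b["roleRef"]
        role = roles_by_name.get(ref["name"]) if ref["kind"] == "ClusterRole" else None
        if not groups & BROAD_GROUPS or role is None:
            continue
        for rule in role.get("rules") or []:
            api = set(rule.get("apiGroups") or [])
            hit = api & SENSITIVE_GROUPS or ({"*"} if "*" in api else set())  # "*" covers all
            write = set(rule.get("verbs") or []) & WRITE_VERBS
            if hit and write:
                findings.append((b["metadata"]["name"], role["metadata"]["name"],
                                 sorted(hit), sorted(write)))
    return findings

def load_live():
    """Fetch the live objects with kubectl (needs cluster access); not run on import."""
    out = subprocess.check_output(
        ["kubectl", "get", "clusterrolebindings,clusterroles", "-o", "json"])
    items = json.loads(out)["items"]
    return ([i for i in items if i["kind"] == "ClusterRoleBinding"],
            [i for i in items if i["kind"] == "ClusterRole"])

# Constructed sample in the vulnerable shape; the ClusterRole name is a placeholder.
SAMPLE_BINDINGS = [{"metadata": {"name": "tekton-scheduler-rolebinding"},
                    "roleRef": {"kind": "ClusterRole", "name": "tekton-scheduler-role"},
                    "subjects": [{"kind": "Group", "name": "system:authenticated"}]}]
SAMPLE_ROLES = [{"metadata": {"name": "tekton-scheduler-role"}, "rules": [
    {"apiGroups": ["kueue.x-k8s.io"], "resources": ["workloads"],
     "verbs": ["get", "list", "update", "delete"]},
    {"apiGroups": ["cert-manager.io"], "resources": ["certificates"], "verbs": ["create", "patch"]},
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]}]

if __name__ == "__main__":
    for finding in risky_bindings(*load_live()):
        print("EXPOSED:", finding)
```

Rerun it after the stopgap (scoping the binding to the operator's service account) and the list should be empty; an empty list does not prove the operator is patched, only that this binding no longer reaches every user.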

03

CVE-2026-40290

NVD CVSS 7.8 · EPSS 0.01% · Patch this week · HIGH
Tags: OP-TEE, Linux

A use-after-free race condition exists in OP-TEE's shared memory teardown logic for FF-A secure partitions. An attacker who can trigger concurrent shared memory operations could exploit this to corrupt memory in the secure world. This only applies if you've built OP-TEE as an SPMC for S-EL0 secure partitions (CFG_SECURE_PARTITION=y), which is not a default config.

Included because
secure world memory corruption; specific non-default configuration required; CVSS 7.8
Affected estate
Devices running OP-TEE 3.16.0 to 4.10.x built with CFG_SECURE_PARTITION=y (SPMC for S-EL0 SPs).
How to check
Check your OP-TEE build config for CFG_SECURE_PARTITION=y and verify the OP-TEE version string in your firmware build manifest or boot log.
Action
Update OP-TEE to 4.11.0. If you cannot update immediately, confirm CFG_SECURE_PARTITION is not enabled in your build.
Urgency
Patch this week
Why it matters
Memory corruption in the secure world can undermine the entire TrustZone trust boundary, potentially exposing secrets or enabling code execution in secure context.
Source
OP-TEE GitHub Advisory

04

CVE-2026-10843

NVD CVSS 7.2 · Patch this week · HIGH
Tags: Red Hat OpenShift, OpenShift Cloud Credential Operator, AWS IAM, Cloud

The OpenShift Cloud Credential Operator in Mint mode provisions AWS IAM credentials with account-wide destructive permissions instead of scoping them to cluster-owned resources. If an attacker compromises those credentials, they can delete or modify AWS resources outside the cluster, affecting other workloads in the same AWS account.

Included because
credential compromise leads to cross-scope AWS impact; CVSS 7.2; common cloud deployment pattern
Affected estate
OpenShift clusters on AWS using the Cloud Credential Operator in Mint mode.
How to check
Run: oc get cloudcredential cluster -o jsonpath='{.spec.credentialsMode}'. If it returns 'Mint' or is empty (defaulting to Mint), you're affected. Then review the IAM policies attached to the operator's provisioned roles in your AWS console.
Action
Update the Cloud Credential Operator. Audit and restrict the IAM policies it created to cluster-scoped resources only.
Urgency
Patch this week
Why it matters
Compromised cluster credentials could destroy or modify AWS resources across the entire account, not just the cluster.
Source
Red Hat Security Advisory
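An added example for the IAM review step above (not the Cloud Credential Operator's own code): it scans an IAM policy document for Allow statements that grant delete-or-modify actions on Resource "*" with no Condition, and shows the shape of a scoped-down statement keyed on the kubernetes.io/cluster/<infraID>=owned tag that the OpenShift installer applies to cluster-owned AWS resources. The sample policy, the infra ID and the destructive-prefix list are constructed assumptions.

```python
"""Flag IAM statements allowing destructive actions account-wide (Resource "*", no Condition)."""

# Action-name prefixes treated as destructive: they delete or modify resources.
DESTRUCTIVE_PREFIXES = ("Delete", "Terminate", "Modify", "Update", "Detach")

def _as_list(v):
    """IAM lets Statement, Action and Resource be a single value or a list."""
    return [] if v is None else (v if isinstance(v, list) else [v])

def _is_destructive(action):
    """'*', 'ec2:*' and 'ec2:DeleteVolume' count; 'ec2:DescribeVolumes' does not."""
    if action == "*":
        return True
    _, _, name = action.partition(":")
    return name == "*" or name.startswith(DESTRUCTIVE_PREFIXES)

def unscoped_destructive(policy):
    """Return (Sid or index, action) for Allow statements that are destructive, name
    Resource "*" and carry no Condition at all (any Condition is assumed to narrow)."""
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement"))):
        if st.get("Effect") != "Allow" or st.get("Condition"):
            continue
        if "*" not in _as_list(st.get("Resource")):
            continue
        for action in _as_list(st.get("Action")):
            if _is_destructive(action):
                findings.append((st.get("Sid", f"statement[{i}]"), action))
    return findings

def scope_to_cluster(statement, infra_id):
    """Copy of the statement limited to resources tagged kubernetes.io/cluster/<infraID>=owned,
    the tag the OpenShift installer puts on cluster-owned AWS resources."""
    scoped = dict(statement)
    scoped["Condition"] = {"StringEquals": {
        f"aws:ResourceTag/kubernetes.io/cluster/{infra_id}": "owned"}}
    return scoped

# Constructed sample of an over-broad policy; not the real Cloud Credential Operator policy.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadOnly", "Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": "*"},
    {"Sid": "Destroy", "Effect": "Allow", "Resource": "*",
     "Action": ["ec2:DeleteVolume", "ec2:TerminateInstances",
                "elasticloadbalancing:DeleteLoadBalancer"]},
    {"Sid": "Scoped", "Effect": "Allow", "Action": "ec2:DeleteSecurityGroup",
     "Resource": "arn:aws:ec2:us-east-1:123456789012:security-group/*"}]}
```

Not every AWS action honours aws:ResourceTag condition keys, so confirm each action's supported keys before relying on the scoped statement, and treat any Condition the checker accepts as something to read, not as proof of scoping.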

05

CVE-2026-10771

NVD CVSS 7.3 · EPSS 0.04% · Patch this week · HIGH
Tags: CRMEB Java, Linux, Windows

The CRMEB Java e-commerce platform (version 1.4) has an SSRF bug in its QR code endpoint. An attacker can manipulate the URL parameter to make the server send arbitrary HTTP requests on their behalf, potentially reaching internal services. A public exploit already exists.

Included because
remotely exploitable; public exploit available; SSRF to internal network; no vendor response yet
Affected estate
CRMEB Java (crmeb_java) version 1.4 instances, specifically the base64 QR code endpoint in RestTemplateUtil.java.
How to check
Check your CRMEB deployment version and confirm whether the QR code endpoint (RestTemplateUtil.getForEntity) is publicly accessible.
Action
Block or restrict external access to the affected endpoint. Apply URL allowlisting at the application or WAF level until an official patch is released.
Urgency
Patch this week
Why it matters
Public exploit code exists. SSRF lets attackers probe and reach internal services from your server, potentially pivoting further into your network.
Source
NVD

