vulnerability

Red Hat OpenShift: CVE-2021-3636: openshift: Injected service-ca.crt incorrectly contains additional internal CAs

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
4	(AV:A/AC:L/Au:S/C:P/I:P/A:N)	Jul 29, 2021	Jul 29, 2021	Aug 11, 2025

Severity

CVSS

(AV:A/AC:L/Au:S/C:P/I:P/A:N)

Published

Jul 29, 2021

Added

Jul 29, 2021

Modified

Aug 11, 2025

Description

It was found in OpenShift, before version 4.8, that the generated certificate for the in-cluster Service CA, incorrectly included additional certificates. The Service CA is automatically mounted into all pods, allowing them to safely connect to trusted in-cluster services that present certificates signed by the trusted Service CA. The incorrect inclusion of additional CAs in this certificate would allow an attacker that compromises any of the additional CAs to masquerade as a trusted in-cluster service.

Solution

linuxrpm-upgrade-openshift

References

CVE-2021-3636
https://attackerkb.com/topics/CVE-2021-3636
CWE-287
CWE-295
REDHAT-RHSA-2021:2437

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today