Unrated severity · NVD Advisory · Published Oct 5, 2023 · Updated Aug 29, 2024

OpenShift API admission checks do not enforce "custom-host" permissions

CVE-2022-3248

Description

A flaw was found in OpenShift API, as admission checks do not enforce "custom-host" permissions. This issue could allow an attacker to violate the boundaries, as permissions will not be applied.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

OpenShift API admission checks fail to enforce custom-host permissions on ingress objects, allowing unauthorized custom host names.

Vulnerability

The OpenShift API admission checks do not enforce the "custom-host" permission for ingress objects under certain circumstances [1], [2]. This flaw occurs when a cluster administrator revokes the "custom-host" permission from project administrators, but the admission checks still allow those administrators to set custom host names on ingress objects. The issue affects OpenShift Container Platform versions before the fix was applied.

Exploitation

A project administrator whose "custom-host" permission has been revoked by the cluster administrator can bypass the admission check by creating or modifying an ingress object with a custom host name. The attacker does not need any special network position or any authentication beyond the project administrator role.

Impact

Successful exploitation allows the attacker to set custom host names on ingress objects despite lacking the required permission, violating the intended security boundaries. This could lead to host name collisions, unauthorized service exposure, or other impacts depending on the cluster configuration.

Mitigation

The specific fixed version is not disclosed in the available references [1], [2]. Cluster administrators should apply the latest OpenShift Container Platform updates as recommended by Red Hat. As a workaround, ensure that the "custom-host" permission is managed appropriately, though this does not fully mitigate the vulnerability due to the admission check bypass.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

6


References

2
