+ "details": "### Impact\nA vulnerability has been identified within Rancher Manager, where after removing a custom GlobalRole that gives administrative access or the corresponding binding, the user still retains access to clusters.\nThis only affects custom Global Roles that:\n- Have a `*` on `*` in `*` rule for resources\n- Have a `*` on `*` rule for non-resource URLs\n\nFor example\n```yaml\napiVersion: management.cattle.io/v3\nkind: GlobalRole\nmetadata:\n name: custom-admin\nrules:\n - apiGroups:\n - '*'\n resources:\n - '*'\n verbs:\n - '*'\n - nonResourceURLs:\n - '*'\n verbs:\n - '*'\n```\n\nSpecifically:\n- When a user is bound to a custom admin `GlobalRole`, a corresponding `ClusterRoleBinding` is created on all clusters that binds them to the cluster-admin `ClusterRole`.\n- When such a `GlobalRole` or the `GlobalRoleBinding` (e.g., when the user is unassigned from this role in UI) is deleted, the `ClusterRoleBinding` that binds them to the cluster-admin ClusterRole stays behind.\n\nThis issue allows a user to continue having access to clusters after they have been unassigned from the custom admin global role or the role has been deleted.\n\nPlease consult the associated [MITRE ATT&CK - Technique - Account Access Removal](https://attack.mitre.org/techniques/T1531/) for further information about this category of attack.\n\n### Patches\nThis vulnerability is addressed by removing the corresponding `ClusterRoleBindings` whenever the admin `GlobalRole` or its `GlobalRoleBindings` are deleted. Previously orphaned `ClusterRoleBindings` are marked with the annotation `authz.cluster.cattle.io/admin-globalrole-missing=true` and should be deleted manually.\n\nOrphaned ClusterRoleBindings can be listed with:\n```\nkubectl get clusterrolebinding -o jsonpath='{range .items[?(@.metadata.annotations.authz\\.cluster\\.cattle\\.io/admin-globalrole-missing==\"true\")]}{.metadata.name}{\"\\n\"}{end}'\n```\n\nPatched versions of Rancher include releases `v2.12.3`, `v2.11.7`.\n\nComplications with the restricted admin functionality prevented the patches from being included in `v2.10` and `v2.9`.\n\n### Workarounds\nIf the deployment can't be upgraded to a fixed version, users are advised to manually identify the orphaned `ClusterRoleBindings` and remove them.\n\n### References\nIf you have any questions or comments about this advisory:\n- Contact the [SUSE Rancher Security team](https://github.com/rancher/rancher/security/policy) for security related inquiries.\n- Open an issue in the [Rancher](https://github.com/rancher/rancher/issues/new/choose) repository.\n- Verify with our [support matrix](https://www.suse.com/suse-rancher/support-matrix/all-supported-versions/) and [product support lifecycle](https://www.suse.com/lifecycle/).",
![advisory-database[bot]](https://avatars.githubusercontent.com/in/21409?v=4&size=40){kind=avatar}
0 commit comments