When using a custom Cluster or Clients CA with a multistage CA chain consisting of multiple CAs, Strimzi incorrectly configures the trusted certificates for mTLS authentication on the internal as well as user-configured listeners. All CAs from the CA chain will be trusted, so users with certificates signed by any of the CAs in the chain will be able to authenticate.
The use of the custom CA chain in the Cluster CA affects the internal listeners used for internal replication between brokers and for the control plane communication between controllers, and between controllers and brokers.
The use of the custom CA chain in the Clients CA affects the listeners that are configured by the user and use mTLS (TLS Client Authentication). Listeners that do not use mTLS authentication are not affected.
This issue affects only users using a custom Cluster or Clients CA with a multistage CA chain consisting of multiple CAs. It does not affect users using the Strimzi-managed Cluster and Clients CAs. It also does not affect users using a custom Cluster or Clients CA with only a single CA (i.e., no CA chain with multiple CAs).
This issue is fixed in Strimzi 0.50.1.
Alternatively, as a workaround, you can provide only the single CA that should be used as the custom CA, instead of the full CA chain.
For more information, see GHSA-2qwx-rq6j-8r6j
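
A check for the affected configuration described above, added here as an example and not part of the advisory or Strimzi's own code: it counts the distinct certificates in a custom CA bundle and flags a bundle that holds more than one CA. It assumes the PEM text of the custom Cluster or Clients CA certificate has already been exported; the function names and the sample bundles are constructed for illustration.

```python
import base64
import hashlib
import re

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def cert_fingerprints(pem_bundle: str) -> list:
    """SHA-256 fingerprints (over the DER bytes) of the distinct certs in a bundle."""
    seen = []
    for body in PEM_CERT.findall(pem_bundle):
        der = base64.b64decode("".join(body.split()), validate=True)
        fp = hashlib.sha256(der).hexdigest()
        if fp not in seen:  # the same certificate pasted twice is not a chain
            seen.append(fp)
    return seen


def audit_custom_ca(name: str, pem_bundle: str) -> dict:
    """Flag a custom CA bundle holding more than one CA (the affected setup)."""
    fps = cert_fingerprints(pem_bundle)
    if not fps:
        raise ValueError(f"{name}: no PEM certificates found")
    return {
        "name": name,
        "certificates": len(fps),
        "multi_ca_chain": len(fps) > 1,
        "fingerprints": fps,
    }


def fake_pem(label: bytes) -> str:
    # Constructed placeholder: arbitrary bytes in PEM armor, not a real certificate.
    b64 = base64.encodebytes(label * 8).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}-----END CERTIFICATE-----\n"


# Constructed sample bundles (assumed shapes: a full chain and a single CA).
SAMPLE_CHAIN = fake_pem(b"issuing-ca") + fake_pem(b"intermediate-ca") + fake_pem(b"root-ca")
SAMPLE_SINGLE = fake_pem(b"issuing-ca")

if __name__ == "__main__":
    for name, bundle in [("clients-ca", SAMPLE_CHAIN), ("cluster-ca", SAMPLE_SINGLE)]:
        r = audit_custom_ca(name, bundle)
        verdict = "multiple CAs, all would be trusted" if r["multi_ca_chain"] else "single CA"
        print(f"{r['name']}: {r['certificates']} certificate(s) -> {verdict}")
```

A bundle flagged as `multi_ca_chain` is the case where upgrading to the fixed release or trimming the custom CA to the single intended CA applies.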