CVE-2024-45496 Overview
CVE-2024-45496 is a privilege escalation vulnerability in Red Hat OpenShift Container Platform's build process. The flaw resides in the git-clone container used during build initialization, which runs with a privileged security context. An attacker with developer-level access can supply a malicious .gitconfig file containing shell commands that execute during the cloning operation. Because the container runs privileged, the commands execute on the underlying worker node with elevated permissions. The issue is classified as Improper Privilege Management [CWE-269].
Critical Impact
Authenticated developer users can achieve arbitrary command execution on OpenShift worker nodes, escaping container boundaries and compromising the cluster host.
Affected Products
- Red Hat OpenShift Container Platform 4.x
- OpenShift builds using the git-clone privileged container
- Red Hat OpenShift API for Data Protection (OADP) components referenced in associated advisories
Discovery Timeline
- 2024-09-17 - CVE-2024-45496 published to NVD
- 2024-09-17 - Red Hat releases security advisories RHSA-2024:6685, 6687, 6689, 6691, and 6705
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2024-45496
Vulnerability Analysis
The vulnerability stems from running the git-clone build initialization container with a privileged security context. Privileged containers in OpenShift bypass standard container isolation, granting full access to host devices, capabilities, and namespaces. When OpenShift performs a Git-based source build, it invokes git clone inside this privileged container before any user code is built. Git honors directives in .gitconfig files, including helper and hook-related settings whose values are executed as commands. An attacker who can submit a build configuration or repository content can therefore plant a crafted .gitconfig that triggers command execution during the clone phase. Because the container is privileged, those commands run with effective access to the worker node hosting the build pod.
Root Cause
The root cause is misuse of elevated privileges in the build pipeline. The build initialization step does not need privileged access for source retrieval, yet the git-clone container is configured with a privileged security context. This design choice combines an untrusted input surface (Git configuration parsed from attacker-controlled sources) with full node access, violating the principle of least privilege.
Attack Vector
The attacker requires developer-level credentials on the OpenShift cluster (PR:L in the CVSS vector). The attacker authors a Git repository or build input that includes a malicious .gitconfig with directives such as core.sshCommand or a credential helper whose values are run as shell commands. When OpenShift triggers the build, the git-clone container parses that configuration and executes the embedded commands on the worker node. Because the commands run outside the build pod's security boundary, the CVSS vector records a scope change (S:C); the practical consequences include lateral movement, theft of kubelet credentials, and full cluster compromise. No verified public proof-of-concept code is available; see the Red Hat CVE Analysis for CVE-2024-45496 for advisory-level technical detail.
Detection Methods for CVE-2024-45496
Indicators of Compromise
- Unexpected child processes spawned by the git-clone init container during build pods, especially shells, network utilities, or package managers.
- Outbound network connections from build pods to non-Git endpoints during the clone phase.
- Modification of host paths or kubelet credentials originating from build worker nodes.
- Build inputs or repositories containing .gitconfig files with core.sshCommand, credential.helper, or core.pager directives invoking shell commands.
Detection Strategies
- Audit OpenShift build pod specs for containers running with securityContext.privileged: true and correlate with build activity.
- Inspect repository contents and build inputs for suspicious .gitconfig directives before allowing builds to proceed.
- Monitor Kubernetes audit logs for build creations originating from low-privileged developer accounts followed by node-level anomalies.
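As an added example (not part of this page or of any Red Hat tooling), a Python scanner for the .gitconfig directives the Detection Strategies list says to inspect before a build proceeds. It parses git config syntax (sections, quoted subsections, case-insensitive names) and flags core.sshCommand, core.pager and credential.helper as the page lists; the extra keys (core.editor, core.hooksPath, filter drivers, "!" aliases, include paths) are an assumption drawn from git-config(1) and go beyond the page's list. The sample config is constructed.

```python
import re
# Keys whose value git runs as a program. The page names core.sshCommand,
# credential.helper and core.pager; the rest are an assumption taken from
# git-config(1) (editor, hooksPath, fsmonitor, external diff, gpg program).
EXEC_KEYS = {"core.sshcommand", "core.pager", "core.editor", "core.hookspath",
             "core.fsmonitor", "diff.external", "gpg.program", "sequence.editor"}
FILTER_KEYS = {"clean", "smudge", "process"}  # filter.<name>.* driver commands
SECTION_RE = re.compile(r'^\[\s*([A-Za-z0-9.-]+)(?:\s+"((?:[^"\\]|\\.)*)")?\s*\]')
KEY_RE = re.compile(r'^([A-Za-z][A-Za-z0-9-]*)\s*(?:=\s*(.*))?$')

def scan_gitconfig(text):
    """Return (line, key, value) for every directive that makes git execute an
    attacker-chosen command, or include another config file, during a clone."""
    findings = []
    section = sub = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":      # blank or comment line
            continue
        m = SECTION_RE.match(line)
        if m:                                # [section] or [section "subsection"]
            section, sub = m.group(1).lower(), m.group(2)
            continue
        m = KEY_RE.match(line)
        if not m or section is None:         # not a key = value line we understand
            continue
        # git treats section and key names case-insensitively, subsections not
        key, value = m.group(1).lower(), (m.group(2) or "").strip().strip('"')
        full = f"{section}.{key}"
        if (full in EXEC_KEYS
                or (full == "credential.helper" and value.startswith("!"))
                or (section == "alias" and value.startswith("!"))
                or (section == "filter" and key in FILTER_KEYS)
                or (section in ("include", "includeif") and key == "path")):
            shown = f"{section}.{sub}.{key}" if sub else full
            findings.append((lineno, shown, value))
    return findings

# Constructed sample build input: a benign [user] section plus three directives
# that would run a program during clone (the commands are deliberately inert).
SAMPLE = """\
[user]
    name = builder
[core]
    sshCommand = /bin/sh -c id
[credential "https://git.example.invalid"]
    helper = !/bin/sh -c id
[alias]
    co = checkout
    st = !uname -a
"""
```

Running scan_gitconfig(SAMPLE) reports lines 4, 6 and 9; a config containing only settings such as core.autocrlf yields no findings.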
Monitoring Recommendations
- Enable runtime process monitoring on worker nodes to flag unexpected processes launched under build pod cgroups.
- Forward OpenShift audit logs and node host telemetry to a centralized analytics platform for correlation.
- Alert on any privileged container execution that originates from the openshift-builds or related build namespaces.
How to Mitigate CVE-2024-45496
Immediate Actions Required
- Apply the Red Hat security updates referenced in RHSA-2024:6685, RHSA-2024:6687, RHSA-2024:6689, RHSA-2024:6691, and RHSA-2024:6705.
- Review and restrict which users hold developer-level build permissions in shared OpenShift clusters.
- Audit existing build configurations and repositories for malicious .gitconfig payloads.
Patch Information
Red Hat has released fixes through multiple advisories. Refer to RHSA-2024:6685, RHSA-2024:6687, RHSA-2024:6689, RHSA-2024:6691, RHSA-2024:6705, and the earlier RHSA-2024:3718 for component-specific package versions. Tracking details are available in Red Hat Bugzilla #2308661.
Workarounds
- Until patched, restrict OpenShift build creation to trusted service accounts and pipelines instead of individual developer accounts.
- Use external CI systems to perform Git cloning and supply pre-fetched source artifacts to OpenShift builds, avoiding the privileged git-clone container.
- Enforce SecurityContextConstraints (SCC) policies that prohibit privileged containers in build namespaces where feasible.
# Example: list pods that run a privileged container or init container; the git-clone
# container is an init container, so .spec.initContainers must be included.
oc get pods -A -o json | \
jq '.items[] | select(any((.spec.containers + (.spec.initContainers // []))[]; .securityContext.privileged == true)) | {namespace: .metadata.namespace, name: .metadata.name}'
# Example: grant the builder service account access to the restricted-v2 SCC.
# add-scc-to-user is additive: it does not revoke any other SCC the account already holds.
oc adm policy add-scc-to-user restricted-v2 -z builder -n <build-namespace>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.