CVE-2024-5037 Overview
CVE-2024-5037 is an authentication bypass vulnerability in Red Hat OpenShift's Telemeter component. The flaw allows an attacker to use a forged JSON Web Token (JWT) to bypass the issuer (iss) claim verification during authentication. The root cause maps to CWE-290: Authentication Bypass by Spoofing.
The vulnerability affects Red Hat OpenShift Container Platform and Red Hat OpenShift Distributed Tracing. Successful exploitation enables a remote, unauthenticated attacker to impersonate a trusted client and access protected Telemeter endpoints over the network.
Critical Impact
Attackers can forge JWTs to bypass issuer validation in OpenShift Telemeter, gaining unauthorized access to telemetry endpoints without credentials or user interaction.
Affected Products
- Red Hat OpenShift Container Platform 4.0
- Red Hat OpenShift Distributed Tracing 2.0
- OpenShift Telemeter component (pkg/authorize/jwt/client_authorizer.go)
Discovery Timeline
- 2024-06-05 - CVE-2024-5037 published to the National Vulnerability Database (NVD)
- 2024-11-21 - CVE record last updated in the NVD
Technical Details for CVE-2024-5037
Vulnerability Analysis
The vulnerability resides in the Telemeter JWT client authorizer logic located in pkg/authorize/jwt/client_authorizer.go. Telemeter is the Red Hat OpenShift service that collects cluster telemetry and forwards it to Red Hat. It relies on JWT-based authentication to validate clients.
Under specific conditions, the authorizer fails to correctly enforce the iss (issuer) claim during token verification. An attacker who can craft a JWT with a manipulated issuer value can pass authentication checks that should have rejected the token. The impact is limited to confidentiality. Integrity and availability are not directly affected.
Root Cause
The defect lies in how the Telemeter authorizer validates the JWT issuer claim. When certain code paths execute, the iss check is bypassed, allowing tokens issued by an untrusted source to be treated as valid. The flaw is an instance of CWE-290, where authentication relies on a spoofable identifier.
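The spoofable-identifier pattern described above, as an added Go example written for this page (it is illustration code, not Telemeter's client_authorizer.go, and it does not reproduce the actual defect). The authorizer trusts several HMAC keys, each belonging to a named issuer. The lax variant treats a valid signature as proof of identity and takes the iss claim at face value, so a token signed with a lower-trust key can claim the production issuer; the strict variant binds iss to the owner of the signing key and to an explicit allowlist. The key ids, issuer URLs, secrets and the use of HS256 are constructed assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims are the registered claims this example validates.
type Claims struct {
	Issuer  string `json:"iss"`
	Subject string `json:"sub"`
	Expiry  int64  `json:"exp"`
}

// TrustedKey is one HMAC key and the issuer it belongs to (hypothetical layout).
type TrustedKey struct {
	Issuer string
	Key    []byte
}

var b64 = base64.RawURLEncoding

// SignHS256 builds a compact JWS under the named key id; used only to construct sample tokens offline.
func SignHS256(kid string, c Claims, key []byte) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "HS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(c)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(input))
	return input + "." + b64.EncodeToString(mac.Sum(nil))
}

// verifyToken resolves the key named by the header kid, checks HMAC and expiry, and decodes
// the claims. It deliberately says nothing about whether the iss claim is trusted.
func verifyToken(token string, keys map[string]TrustedKey, now time.Time) (Claims, TrustedKey, error) {
	var c Claims
	var hdr struct{ Alg, Kid string }
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, TrustedKey{}, errors.New("malformed token")
	}
	raw, err := b64.DecodeString(parts[0])
	if err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "HS256" {
		return c, TrustedKey{}, errors.New("bad header")
	}
	tk, ok := keys[hdr.Kid]
	if !ok {
		return c, TrustedKey{}, errors.New("unknown kid")
	}
	sig, err := b64.DecodeString(parts[2])
	mac := hmac.New(sha256.New, tk.Key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return c, TrustedKey{}, errors.New("bad signature")
	}
	if raw, err = b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return c, TrustedKey{}, errors.New("bad payload")
	}
	if now.Unix() >= c.Expiry {
		return c, TrustedKey{}, errors.New("token expired")
	}
	return c, tk, nil
}

// AuthorizeLax is the spoofable pattern behind CWE-290: a valid signature is taken as
// proof of identity and the caller-supplied iss claim is never checked.
func AuthorizeLax(token string, keys map[string]TrustedKey, now time.Time) (string, error) {
	c, _, err := verifyToken(token, keys, now)
	if err != nil {
		return "", err
	}
	return c.Issuer + "/" + c.Subject, nil
}

// AuthorizeStrict binds iss to the key that signed the token and to an explicit allowlist,
// so a token cannot name an issuer that its signing key does not belong to.
func AuthorizeStrict(token string, keys map[string]TrustedKey, allowed map[string]bool, now time.Time) (string, error) {
	c, tk, err := verifyToken(token, keys, now)
	if err != nil {
		return "", err
	}
	if c.Issuer == "" || c.Issuer != tk.Issuer || !allowed[c.Issuer] {
		return "", errors.New("issuer " + c.Issuer + " is not trusted for the signing key")
	}
	return c.Issuer + "/" + c.Subject, nil
}

func main() {
	keys := map[string]TrustedKey{ // constructed keys: production and a lower-trust staging issuer
		"prod-1":    {Issuer: "https://issuer.prod.example", Key: []byte("prod-secret-constructed")},
		"staging-1": {Issuer: "https://issuer.staging.example", Key: []byte("staging-secret-constructed")},
	}
	now := time.Now()
	// Signed with the staging key but claiming the production issuer.
	forged := SignHS256("staging-1", Claims{Issuer: keys["prod-1"].Issuer, Subject: "cluster-a", Expiry: now.Add(time.Hour).Unix()}, keys["staging-1"].Key)
	fmt.Println(AuthorizeLax(forged, keys, now))
	fmt.Println(AuthorizeStrict(forged, keys, map[string]bool{keys["prod-1"].Issuer: true}, now))
}
```

The point of the strict variant is that issuer identity is derived from the key that verified the signature, not from a claim the presenter controls; the allowlist then limits which of the known issuers may reach a given endpoint at all.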
Attack Vector
The attack is performed remotely over the network with no privileges and no user interaction. An attacker constructs a forged JWT and submits it to a Telemeter endpoint. If the bypass conditions are met, the request is authorized as a legitimate client. Details of the affected validation logic are referenced in the GitHub OpenShift Telemeter source.
No public proof-of-concept exploit is listed in the available vulnerability data, and the CVE is not present in the CISA Known Exploited Vulnerabilities catalog.
Detection Methods for CVE-2024-5037
Indicators of Compromise
- Authentication events at Telemeter endpoints originating from unexpected external IP ranges or non-cluster sources.
- JWTs presented to Telemeter where the iss claim does not match the configured trusted issuer or contains malformed values.
- Spikes in Telemeter API requests outside normal cluster telemetry cadence.
Detection Strategies
- Enable verbose authentication logging on the Telemeter service and audit decoded JWT headers and claims, especially iss, aud, and sub.
- Correlate Telemeter access logs with OpenShift API audit logs to identify telemetry submissions not tied to a known cluster identity.
- Compare token issuers observed at runtime against the allowlist of OpenShift-issued trusted issuers.
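Added example, not from this page or the Telemeter project: a small Go detector that applies the indicators and strategies above to verbose authentication log lines, flagging tokens whose iss is empty or outside the trusted allowlist, requests from sources outside the cluster address ranges, and bursts of requests from one source. The JSON log layout, the trusted issuer URL, the cluster CIDRs (10.128.0.0/14 and 10.0.0.0/16) and the burst threshold are assumptions, and the sample log lines are constructed.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"net/netip"
	"sort"
	"strings"
	"time"
)

// AuthEvent is one decoded authentication log record. The field layout is a
// hypothetical verbose Telemeter auth log, not the service's real format.
type AuthEvent struct {
	TS      time.Time `json:"ts"`
	Src     string    `json:"src"`
	Issuer  string    `json:"iss"`
	Subject string    `json:"sub"`
	Result  string    `json:"result"`
}

// Finding is one alert produced by the rules in Scan.
type Finding struct {
	Rule string
	Src  string
	Note string
}

// Detector holds the issuer allowlist, the cluster address ranges and the burst threshold.
type Detector struct {
	TrustedIssuers map[string]bool
	ClusterNets    []netip.Prefix
	BurstWindow    time.Duration
	BurstLimit     int
}

// DefaultDetector returns assumed settings: one trusted issuer, two cluster ranges,
// and more than three requests from one source within a minute counts as a burst.
func DefaultDetector() Detector {
	return Detector{
		TrustedIssuers: map[string]bool{"https://issuer.prod.example": true},
		ClusterNets:    []netip.Prefix{netip.MustParsePrefix("10.128.0.0/14"), netip.MustParsePrefix("10.0.0.0/16")},
		BurstWindow:    time.Minute,
		BurstLimit:     3,
	}
}

func (d Detector) inCluster(src string) bool {
	addr, err := netip.ParseAddr(src)
	if err != nil {
		return false
	}
	for _, p := range d.ClusterNets {
		if p.Contains(addr) {
			return true
		}
	}
	return false
}

// Scan parses JSON lines and applies three rules: untrusted or empty iss,
// source outside the cluster ranges, and a burst of requests from one source.
func (d Detector) Scan(logs string) []Finding {
	var findings []Finding
	var events []AuthEvent
	sc := bufio.NewScanner(strings.NewReader(logs))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var ev AuthEvent
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			findings = append(findings, Finding{"unparseable", "", line})
			continue
		}
		events = append(events, ev)
		if !d.TrustedIssuers[ev.Issuer] {
			findings = append(findings, Finding{"untrusted-issuer", ev.Src, fmt.Sprintf("iss=%q sub=%q result=%s", ev.Issuer, ev.Subject, ev.Result)})
		}
		if !d.inCluster(ev.Src) {
			findings = append(findings, Finding{"external-source", ev.Src, "outside cluster address ranges"})
		}
	}
	// Burst rule: a sliding window of timestamps per source, flagged once per source.
	sort.Slice(events, func(i, j int) bool { return events[i].TS.Before(events[j].TS) })
	window := map[string][]time.Time{}
	flagged := map[string]bool{}
	for _, ev := range events {
		w := append(window[ev.Src], ev.TS)
		for len(w) > 0 && ev.TS.Sub(w[0]) > d.BurstWindow {
			w = w[1:]
		}
		window[ev.Src] = w
		if len(w) > d.BurstLimit && !flagged[ev.Src] {
			flagged[ev.Src] = true
			findings = append(findings, Finding{"burst", ev.Src, fmt.Sprintf("%d requests within %s", len(w), d.BurstWindow)})
		}
	}
	return findings
}

// CountByRule summarises findings per rule name.
func CountByRule(fs []Finding) map[string]int {
	counts := map[string]int{}
	for _, f := range fs {
		counts[f.Rule]++
	}
	return counts
}

// SampleLogs are constructed lines: two normal in-cluster submissions, then four
// requests from an external address, three of them with a forged or empty iss.
const SampleLogs = `
{"ts":"2024-06-05T10:00:00Z","src":"10.128.0.12","iss":"https://issuer.prod.example","sub":"cluster-a","result":"allow"}
{"ts":"2024-06-05T10:05:00Z","src":"10.128.0.12","iss":"https://issuer.prod.example","sub":"cluster-a","result":"allow"}
{"ts":"2024-06-05T10:06:00Z","src":"203.0.113.7","iss":"https://issuer.prod.example","sub":"cluster-a","result":"allow"}
{"ts":"2024-06-05T10:06:10Z","src":"203.0.113.7","iss":"https://issuer.forged.example","sub":"cluster-a","result":"allow"}
{"ts":"2024-06-05T10:06:20Z","src":"203.0.113.7","iss":"","sub":"cluster-a","result":"allow"}
{"ts":"2024-06-05T10:06:30Z","src":"203.0.113.7","iss":"https://issuer.forged.example","sub":"cluster-b","result":"deny"}
`

func main() {
	for _, f := range DefaultDetector().Scan(SampleLogs) {
		fmt.Printf("%-17s %-13s %s\n", f.Rule, f.Src, f.Note)
	}
}
```

An untrusted-issuer finding with result=allow is the one that matters most: it means the service accepted a token whose issuer is not on the allowlist, which is exactly the behaviour the advisory describes.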
Monitoring Recommendations
- Forward Telemeter and OpenShift audit logs to a centralized SIEM for retention and correlation across clusters.
- Alert on repeated authentication attempts that present tokens with unrecognized or rotated issuer values.
- Monitor for upgrades or restarts of OpenShift components to confirm patched Telemeter versions are running.
How to Mitigate CVE-2024-5037
Immediate Actions Required
- Apply the Red Hat security advisories that ship the fixed Telemeter component: RHSA-2024:4151, RHSA-2024:4156, RHSA-2024:4329, RHSA-2024:4484, and RHSA-2024:5200.
- Inventory clusters running OpenShift Container Platform 4.0 and OpenShift Distributed Tracing 2.0 and prioritize them for patching.
- Rotate any JWT signing keys and client credentials used by Telemeter after upgrading.
Patch Information
Red Hat addressed the issuer validation flaw in the Telemeter authorizer code referenced in the Red Hat CVE record for CVE-2024-5037 and tracked in Red Hat Bugzilla #2272339. Related upstream Kubernetes work is referenced in Kubernetes Pull Request #123540. Customers should apply the listed RHSA errata corresponding to their OpenShift version.
Workarounds
- Restrict network exposure of Telemeter endpoints to trusted networks and management planes using firewall rules or NetworkPolicies.
- Enforce mutual TLS between cluster components and Telemeter to add a second authentication factor independent of the JWT iss claim.
- Until patches are applied, increase monitoring sensitivity on Telemeter authentication failures and unusual issuer values.
# Example: verify the OpenShift cluster version and apply available updates
oc get clusterversion
oc adm upgrade
# Example: restrict Telemeter endpoint exposure with a NetworkPolicy
oc apply -f - <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: restrict-telemeter
  namespace: openshift-monitoring
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: telemeter-client
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          name: openshift-monitoring
EOF
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.