CVE-2025-2843 Overview
CVE-2025-2843 is a privilege escalation vulnerability in the Observability Operator. The Operator provisions a ServiceAccount bound to a ClusterRole when a namespace-scoped MonitorStack Custom Resource is deployed. A tenant with only namespace-level Kubernetes permissions can create a MonitorStack in an authorized namespace and impersonate the resulting ServiceAccount to gain cluster-wide privileges. This issue is tracked under CWE-266: Incorrect Privilege Assignment and affects multi-tenant Kubernetes and OpenShift environments where the Observability Operator is deployed.
Critical Impact
Authenticated namespace-scoped tenants can escalate to cluster-level privileges, breaking Kubernetes tenant isolation and exposing all cluster resources to compromise.
Affected Products
- Red Hat Observability Operator (see Red Hat Security Advisory RHSA-2025:21146)
- Kubernetes clusters running the Observability Operator with multi-tenant namespace delegation
- OpenShift environments using MonitorStack Custom Resources
Discovery Timeline
- 2025-11-12 - CVE-2025-2843 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-2843
Vulnerability Analysis
The Observability Operator watches for MonitorStack Custom Resources within tenant namespaces. When a MonitorStack is created, the Operator provisions a backing ServiceAccount and binds it to a ClusterRole rather than a namespace-scoped Role. This binding grants the ServiceAccount cluster-wide read or write capabilities required for cross-namespace metric collection. The trust boundary breaks because the ServiceAccount resides inside the tenant namespace, where the tenant already holds get, list, and token-creation rights on local resources.
A tenant who controls a namespace can request a token for that ServiceAccount using the TokenRequest API or read the mounted token from a workload they schedule in the namespace. With that token, the tenant authenticates to the Kubernetes API server as a privileged identity and performs actions far beyond their delegated scope.
Root Cause
The root cause is an incorrect privilege assignment in the Operator's reconciliation logic. A namespace-scoped Custom Resource should never trigger creation of cluster-scoped RoleBindings for an identity that the tenant can impersonate. The Operator conflates the privileges needed by the controller with the privileges granted to the workload-side ServiceAccount.
Attack Vector
The attacker requires existing Kubernetes credentials with permission to create MonitorStack resources in at least one namespace. After creating the resource, the attacker waits for the Operator to provision the privileged ServiceAccount, then issues a token request against that account. The token authenticates against the Kubernetes API server with cluster-level rights, enabling secret exfiltration, cross-namespace workload deployment, and admission controller manipulation. No user interaction is required, and the attack is performed entirely over the Kubernetes API.
No public proof-of-concept exploit code is available. Refer to the Red Hat CVE Details page for vendor-provided technical context.
Detection Methods for CVE-2025-2843
Indicators of Compromise
- Unexpected TokenRequest or serviceaccounts/token subresource calls targeting Observability Operator-managed ServiceAccounts from tenant pods or users.
- MonitorStack Custom Resources created in namespaces not owned by platform or observability teams.
- API server audit entries where a ServiceAccount originating from a tenant namespace performs cluster-scoped get, list, or watch calls on secrets, nodes, or clusterrolebindings.
Detection Strategies
- Enable Kubernetes API server audit logging at RequestResponse level for serviceaccounts/token and MonitorStack resources, and alert on cross-namespace privileged actions.
- Inventory all ClusterRoleBindings that reference ServiceAccounts located in tenant namespaces and flag mismatches between subject namespace and role scope.
- Correlate MonitorStack creation events with subsequent token issuance and high-privilege API calls within a short time window.
Monitoring Recommendations
- Forward Kubernetes audit logs and Operator controller logs to a centralized SIEM or data lake for retention and query.
- Track changes to ClusterRole and ClusterRoleBinding objects associated with the Observability Operator namespace.
- Establish a baseline of expected MonitorStack consumers and alert on creations outside that baseline.
How to Mitigate CVE-2025-2843
Immediate Actions Required
- Apply the patched Observability Operator release referenced in RHSA-2025:21146.
- Revoke create, update, and patch permissions on MonitorStack resources for untrusted tenants until patching is complete.
- Audit existing ClusterRoleBindings created by the Operator and remove any that reference ServiceAccounts in tenant-controlled namespaces.
Patch Information
Red Hat has issued fixes via RHSA-2025:21146. Additional vendor context is available in Red Hat Bug Report #2355222 and the Red Hat CVE Details advisory. Apply the updated Operator version across all clusters and verify that newly provisioned MonitorStack resources no longer bind their ServiceAccount to a ClusterRole when the resource is namespace-scoped.
Workarounds
- Restrict creation of MonitorStack Custom Resources to platform administrators using RBAC Role or admission policy (Kyverno, OPA Gatekeeper, Validating Admission Policies).
- Deploy the Observability Operator only in clusters where namespace tenants are fully trusted, until patches are applied.
- Disable the TokenRequest API for tenant ServiceAccounts or use projected tokens with short audiences that exclude the Kubernetes API server.
# Block tenant creation of MonitorStack via Kyverno until patch is applied
kubectl apply -f - <<EOF
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: restrict-monitorstack-creation
spec:
validationFailureAction: Enforce
rules:
- name: only-platform-admins
match:
any:
- resources:
kinds:
- MonitorStack
exclude:
any:
- subjects:
- kind: Group
name: platform-admins
validate:
message: "MonitorStack creation is restricted pending CVE-2025-2843 remediation."
deny: {}
EOF
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
