CVE-2024-5042: Submariner-operator: rbac permissions can allow for the spread of node compromises
A flaw was found in the Submariner project. Due to unnecessary role-based access control permissions, a privileged attacker can run a malicious container on a node that may allow them to steal service account tokens and further compromise other nodes and potentially the entire cluster.
Security readout for executives and security teams
Plain-English summary
CVE-2024-5042 is an RBAC over-permission issue in Submariner-related components. An attacker who already has high privileges could use those permissions to run a malicious container on a node, steal service account tokens, and expand compromise across nodes or the cluster.
Executive priority
Treat this as a cluster containment risk, not a first-entry vulnerability. Prioritize patching affected OpenShift Data Foundation and Submariner deployments where privileged users, operators, or node workloads are high-value targets.
Technical view
The flaw is classified as CWE-250 and scored CVSS 6.6. Sources describe unnecessary RBAC permissions in submariner-operator that may enable a privileged attacker to deploy a malicious container, access service account tokens, and escalate impact across a Kubernetes/OpenShift cluster.
Likely exposure
Exposure is most likely in environments running affected submariner-operator versions or listed Red Hat OpenShift Data Foundation 4.16/4.20 EL9 packages. Internet exposure is not the main condition; attacker privilege inside the cluster is required.
Exploitation context
The source bundle does not show CISA KEV listing or confirmed active exploitation. Exploitation requires high privileges and high attack complexity, but successful abuse could materially worsen an existing node or cluster compromise.
Researcher notes
Evidence supports an overbroad RBAC condition enabling post-compromise expansion. The bundle does not provide exploit details, public exploitation evidence, or complete fixed-version mapping for all affected entries, so validation should anchor on vendor advisories and local package inventory.
Mitigation direction
Apply relevant Red Hat errata updates for affected OpenShift Data Foundation packages.
Check vendor guidance for fixed submariner-operator versions before upgrading.
Review Submariner/operator RBAC permissions and remove unnecessary privileges where supported.
Limit who can create privileged workloads or modify operator service accounts.
Monitor for unexpected service account token use and privileged container activity.
Validation and detection
Inventory clusters using submariner-operator and affected ODF package names.
Compare installed versions with the affected versions in CVE and Red Hat advisories.
Review ClusterRole and ClusterRoleBinding assignments for Submariner components.
Check audit logs for unexpected privileged workload creation on nodes.
Look for unusual service account token use after node-level compromise indicators.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-250: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
The affected technology mentions containers, so container-specific ATT&CK technique review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
1CVSS vectors
5Timeline events
2ADP providers
6Source links
SSVC decision data
CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: total
CVSS vector scores
1 official score
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.