CVE-2019-6648 in Container Ingress Service
Summary
by MITRE
In version 1.9.0, if DEBUG logging is enabled, F5 Container Ingress Service (CIS) for Kubernetes and Red Hat OpenShift (k8s-bigip-ctlr) log files may contain BIG-IP secrets such as SSL private keys and private key passphrases provided as inputs by an AS3 Declaration.
Analysis
by VulDB Data Team • 12/13/2023
The vulnerability identified as CVE-2019-6648 affects F5 Container Ingress Service (CIS) for Kubernetes and Red Hat OpenShift version 1.9.0 when DEBUG logging is enabled. It is a critical flaw in how the k8s-bigip-ctlr component handles sensitive information at runtime: improper logging practices write confidential data into log files, so anyone who gains access to those logs gains a path to the secrets.
The flaw sits in the logging mechanism of the CIS controller when debug mode is active. In normal operation the controller processes AS3 declarations that carry sensitive material, including SSL private keys and private key passphrases. With DEBUG logging enabled, these values are written to the log files without sanitization or encryption. An attacker with access to the logging infrastructure can therefore recover complete cryptographic material, enough to impersonate services or decrypt communications.
The operational impact goes beyond simple information disclosure. SSL private keys and passphrases in log files give an attacker the means to perform man-in-the-middle attacks, impersonate legitimate services, and decrypt sensitive communications. The issue affects organizations running F5 CIS on Kubernetes or OpenShift, particularly those with debug logging enabled in production or development environments. The risk grows when log files are stored in accessible locations or shared among many team members, because the secrets can leak without any direct compromise of the system.
Organizations should disable DEBUG logging in production environments immediately and put log sanitization in place so that sensitive data never reaches the log. Mitigation means configuring the controller without debug logging in production deployments and ensuring that log retention policies do not preserve sensitive data. Access controls on log files, and a log aggregation pipeline that filters out sensitive values before storage, add further protection. This vulnerability aligns with CWE-209, which addresses information exposure through logging, and represents a clear violation of the principle of least privilege as outlined in the MITRE ATT&CK framework under the technique of Credential Access through log file manipulation.
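One shape that log sanitization can take, as an added example that is not CIS's own code: a Go redaction pass applied to the AS3 declaration before it is written at DEBUG level, masking known secret properties and any PEM private key found elsewhere in the document. The property names privateKey and passphrase come from the AS3 Certificate class; the extra key names and the sample declaration are constructed for the example.

```go
package main

import (
	"encoding/json"
	"regexp"
	"strings"
)

// Lower-cased key names never logged; "privatekey" and "passphrase" are AS3 Certificate-class properties.
var secretKeys = map[string]bool{"privatekey": true, "passphrase": true, "password": true, "secret": true}
// Catches a PEM private key wherever it appears, even under a harmless-looking key.
var pemKey = regexp.MustCompile(`(?s)-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----`)
const redacted = "[REDACTED]"

// redactValue walks a decoded JSON value and masks secrets in place.
func redactValue(v interface{}) interface{} {
	switch t := v.(type) {
	case map[string]interface{}:
		for k, child := range t {
			t[k] = redactValue(child)
			if secretKeys[strings.ToLower(k)] {
				t[k] = redacted // masks the whole value, e.g. a passphrase object
			}
		}
	case []interface{}:
		for i := range t {
			t[i] = redactValue(t[i])
		}
	case string:
		return pemKey.ReplaceAllString(t, redacted)
	}
	return v
}
// RedactAS3 returns a copy of a raw AS3 declaration that is safe to write at DEBUG level.
func RedactAS3(raw []byte) ([]byte, error) {
	var decl interface{}
	if err := json.Unmarshal(raw, &decl); err != nil {
		return nil, err
	}
	return json.Marshal(redactValue(decl))
}

func main() {
	// Constructed sample declaration; the key material is a placeholder, not a real key.
	decl := `{"class":"ADC","tenant":{"app":{"cert":{"class":"Certificate","certificate":"-----BEGIN CERTIFICATE-----\nMIIB..\n-----END CERTIFICATE-----","privateKey":"-----BEGIN RSA PRIVATE KEY-----\nMIIE..\n-----END RSA PRIVATE KEY-----","passphrase":{"ciphertext":"ZjVmNQ==","protected":"eyJhbGciOiJkaXIifQ"}}}}}`
	out, err := RedactAS3([]byte(decl))
	if err != nil {
		panic(err) // malformed declaration: refuse to log rather than guess
	}
	println(string(out))
}
```

The certificate stays readable in the output while privateKey and the entire passphrase object are replaced by [REDACTED].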