{"id":5170,"date":"2025-10-02T17:13:28","date_gmt":"2025-10-02T17:13:28","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=5170"},"modified":"2025-10-02T17:13:28","modified_gmt":"2025-10-02T17:13:28","slug":"red-hat-openshift-ai-weakness-allows-full-cluster-compromise-warns-advisory","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=5170","title":{"rendered":"Red Hat OpenShift AI weakness allows full cluster compromise, warns advisory"},"content":{"rendered":"
\n
\n
\n
\n
<\/div>\n

Red Hat has updated its OpenShift AI Service after discovering a vulnerability with a CVSS rating of 9.9 that would allow an attacker to take full control of a cluster and any applications running on it.<\/p>\n

Red Hat OpenShift AI<\/a> (RHOAI) \u2014 called Red Hat OpenShift Data Science until 2023 \u2014 is the company\u2019s Kubernetes-based platform for managing and deploying large language models (LLMs).<\/p>\n

It\u2019s too new to have suffered many CVE-level flaws, although the latest vulnerability, CVE-2025-10725<\/a>, counts as the worst yet with a CVSS rating of 9.9, which the US National Vulnerability Database considers \u201cCritical.\u201d But Red Hat minimized the issue, saying that according to its own rating scale, the vulnerability only rates as \u201cImportant\u201d because it requires authentication, albeit minimal, to exploit.<\/p>\n

According to Red Hat\u2019s advisory, an attacker exploiting it would be able to: \u201cSteal sensitive data, disrupt all services, and take control of the underlying infrastructure, leading to a total breach of the platform and all applications hosted on it.\u201d<\/p>\n

Normally, vulnerabilities are a coding issue, for example a buffer overflow. Unusually, the latest vulnerability is a design flaw in the way Red Hat implemented authorization on the platform\u2019s Role-Based Access Control (RBAC).<\/p>\n

Red Hat describes the root of the problem as being an \u201coverly permissive ClusterRole,\u201d jargon for the part of the Kubernetes RBAC system that sets out permissions for users, groups, or service accounts.<\/p>\n

As a result: \u201cA low-privileged attacker with access to an authenticated account, for example as a data scientist using a standard Jupyter notebook [a development environment], can escalate their privileges to a full cluster administrator.\u201d<\/p>\n

In other words, a low-privileged user can elevate their privileges to admin level. Delving into the Red Hat Bugzilla analysis<\/a> for the vulnerability reveals the full implications of this: a breakdown of tenant isolation which would affect all customers with applications running on the same cluster.<\/p>\n

That would, of course, still require an attacker to have passed authentication at a basic level, but as numerous attacks have shown, getting hold of credentials is child\u2019s play for modern cybercriminals.<\/p>\n

Fixing it<\/h2>\n

Red Hat advises admins to remove the ClusterRoleBinding component that associates the kueue-batch-user-role with the system:authenticated group while avoiding \u201cgranting broad permissions to system-level groups.\u201d<\/p>\n

In addition: \u201cThe permission to create jobs should be granted on a more granular, as-needed basis to specific users or groups, adhering to the principle of least privilege,\u201d said Red Hat. RHOAI images implementing a fix are versions 2.19<\/a> and 2.21<\/a>.<\/p>\n

The source of the vulnerability disclosure is unknown but was added to Red Hat\u2019s Open Security Issue Database (OSIDB) on September 19. Red Hat\u2019s advisory doesn\u2019t mention public exploitation, but sysadmins will doubtless want to check their environments out of an abundance of caution.<\/p>\n

Red Hat did not immediately respond to a request for further comment on these issues.<\/p>\n

AI and agentic AI have become a big focus for Red Hat in recent years across its core \u201cAI native\u201d RHEL 10 Linux<\/a> and OpenShift Container Platform<\/a>. The driver for this is demand for platforms that can run LLMs on cloud infrastructure, in Red Hat\u2019s case AWS, Azure, Google, and on-premises or private clouds.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"

Red Hat has updated its OpenShift AI Service after discovering a vulnerability with a CVSS rating of 9.9 that would allow an attacker to take full control of a cluster and any applications running on it. Red Hat OpenShift AI (RHOAI) \u2014 called Red Hat OpenShift Data Science until 2023 \u2014 is the company\u2019s Kubernetes-based […]<\/p>\n","protected":false},"author":0,"featured_media":5171,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-5170","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5170"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5170"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5170\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/5171"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5170"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5170"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5170"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}