Insufficient Session Expiration Affecting github.com/rancher/rancher/pkg/settings package, versions >=2.7.0 <2.7.14 >=2.8.0 <2.8.5
Snyk ID SNYK-GOLANG-GITHUBCOMRANCHERRANCHERPKGSETTINGS-7268011
- published 19 Jun 2024
- disclosed 17 Jun 2024
- credit Unknown
Introduced: 17 Jun 2024
CVE-2023-22650
How to fix?
Upgrade github.com/rancher/rancher/pkg/settings to version 2.7.14, 2.8.5 or higher.
Overview
github.com/rancher/rancher/pkg/settings is part of Rancher, a complete container management platform.
Affected versions of this package are vulnerable to Insufficient Session Expiration for user accounts that have been deleted or disabled on the configured authentication provider (AP): Rancher does not invalidate the tokens of the corresponding Rancher users. An attacker in possession of formerly-active user credentials can therefore keep gaining access through the user tokens of the accounts associated with those users.
Workaround
Administrators that are unable to update to a patched Rancher Manager version are advised to delete Rancher users, via kubectl or through the UI, as soon as those users are deleted from the Authentication Provider. If a user needs to be temporarily disabled on the Authentication Provider, similar intervention will need to take place to reflect that change on Rancher Manager.
Below is a procedure to list and remove a deleted/disabled user in Rancher using kubectl (with a privileged kubeconfig).
- List all users bound to a supported external auth provider. The query returns username, uid, displayName and principalIds; the principalIds field contains the related authprovider_user://ID:
#!/bin/bash
# For every supported auth provider, print the Rancher users whose principalIds
# contain an <authprovider>_user://<ID> entry, with username, uid, displayName and principalIds.
for authprovider in activedirectory azure common genericoidc github googleauth keycloakoidc ldap oidc publicapi saml
do
  # any(...) yields one object per user even when several principalIds match;
  # (.principalIds // []) tolerates local users that carry no principalIds at all.
  kubectl get users -o json | jq --arg authprovider "$authprovider" '.items[] | select(any((.principalIds // [])[]; test("^" + $authprovider + "_user://"))) | {username: .metadata.name, uid: .metadata.uid, displayName: .displayName, principalIds: .principalIds}'
done
- Once the authprovider_user://ID (and/or displayName) is confirmed, remove the user from the Rancher UI or using kubectl delete users <USERNAME>.
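The two steps above can be tied together into a reconciliation check that an administrator can run on a schedule until the upgrade is possible. The script below is an added example, not Rancher's or Snyk's own tooling. It assumes the input is the JSON printed by `kubectl get users -o json` (a trimmed, constructed sample is embedded) and that the caller supplies the set of principal IDs the authentication provider still reports as active and enabled (also constructed here). Rancher users with an external principal that is no longer active are reported, together with the `kubectl delete users` command that revokes their tokens; the script prints the commands for review rather than executing them. Local-only accounts (only a `local://` principal, or no principalIds at all) are skipped because the AP has no say over them.

```python
import json

# Authentication provider prefixes from the advisory's workaround.
AUTH_PROVIDERS = (
    "activedirectory", "azure", "common", "genericoidc", "github", "googleauth",
    "keycloakoidc", "ldap", "oidc", "publicapi", "saml",
)

# Constructed sample in the shape of `kubectl get users -o json` (fields trimmed).
SAMPLE_USERS_JSON = json.dumps({
    "items": [
        {"metadata": {"name": "u-alice1", "uid": "11111111-aaaa"},
         "displayName": "Alice",
         "principalIds": ["local://u-alice1", "github_user://1001"]},
        {"metadata": {"name": "u-bob2", "uid": "22222222-bbbb"},
         "displayName": "Bob",
         "principalIds": ["local://u-bob2", "azure_user://b0b-object-id"]},
        {"metadata": {"name": "admin", "uid": "33333333-cccc"},
         "displayName": "Default Admin",
         "principalIds": ["local://admin"]},
        {"metadata": {"name": "u-carol3", "uid": "44444444-dddd"},
         "displayName": "Carol"},  # no principalIds key at all
    ]
})

# Constructed: identities the AP currently reports as active. Bob (azure) has
# been deleted or disabled there, but his Rancher user and tokens still exist.
SAMPLE_ACTIVE_PRINCIPALS = {"github_user://1001"}


def external_principals(user: dict) -> list[str]:
    """Principal IDs of this user that belong to a supported external AP."""
    return [
        p for p in (user.get("principalIds") or [])
        if any(p.startswith(f"{ap}_user://") for ap in AUTH_PROVIDERS)
    ]


def stale_users(users_json: str, active_principals: set[str]) -> list[dict]:
    """Rancher users whose external identity is no longer active on the AP."""
    stale = []
    for user in json.loads(users_json).get("items", []):
        ext = external_principals(user)
        if not ext:
            continue  # local-only account: nothing on the AP to reconcile against
        missing = sorted(p for p in ext if p not in active_principals)
        if missing:
            stale.append({
                "username": user["metadata"]["name"],
                "uid": user["metadata"]["uid"],
                "displayName": user.get("displayName", ""),
                "missingPrincipals": missing,
            })
    return stale


def delete_commands(stale: list[dict]) -> list[str]:
    """kubectl commands an admin reviews, then runs, to remove the stale users."""
    return [f"kubectl delete users {s['username']}" for s in stale]


if __name__ == "__main__":
    found = stale_users(SAMPLE_USERS_JSON, SAMPLE_ACTIVE_PRINCIPALS)
    for s in found:
        print(f"{s['username']}\t{s['uid']}\t{s['displayName']}\t"
              f"{','.join(s['missingPrincipals'])}")
    for cmd in delete_commands(found):
        print(cmd)
```

In a real deployment the active-principal set would be built from the AP's own API (for example, the enabled members of a directory group), and each emitted `kubectl delete users` line should be confirmed against the displayName before it is run.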