CVE-2025-10725

A flaw was found in Red Hat OpenShift AI (Multiple Products)


Executive summary

A critical privilege escalation vulnerability has been discovered in Red Hat OpenShift AI. This flaw allows a low-privileged user, such as a data scientist, to gain full administrative control over the AI platform by exploiting a weakness from within a standard user environment like a Jupyter notebook. Successful exploitation could lead to a complete compromise of the system, enabling theft of sensitive data and AI models, service disruption, and unauthorized access to the underlying infrastructure.

Vulnerability

This vulnerability allows for privilege escalation within the Red Hat OpenShift AI environment. An authenticated but low-privileged attacker can execute specially crafted code from within a sandboxed environment, such as a Jupyter notebook pod. This action exploits a flaw in the service's container management or resource allocation, allowing the attacker to break out of their container, escalate their privileges on the underlying cluster node, and ultimately gain administrative (cluster-admin) access to the entire OpenShift AI platform.

Business impact

This vulnerability is rated as critical severity with a CVSS score of 9.9, posing a severe and immediate risk to the organization. A successful exploit could lead to a complete takeover of the OpenShift AI environment, resulting in catastrophic consequences. Key business impacts include the theft or manipulation of proprietary AI models and sensitive training data, disruption of critical business operations dependent on AI/ML workloads, and the potential for attackers to move laterally from the compromised cluster into the broader corporate network. This could lead to significant financial loss, reputational damage, and regulatory penalties.

Remediation

Immediate Action: Update all instances of Red Hat OpenShift AI to the latest patched version as recommended by the vendor. After applying the patch, it is critical to monitor for any signs of post-patch exploitation attempts and to conduct a thorough review of all relevant access logs for any anomalous activity that occurred prior to the update.

Proactive Monitoring: Implement enhanced monitoring of the OpenShift AI environment. Security teams should look for unusual commands being executed within user pods (e.g., Jupyter notebooks), unexpected network connections from these pods to internal cluster services (like the Kubernetes API server), and any alerts from runtime security tools indicating potential container escape activity. Review audit logs for unauthorized privilege escalations or modifications to cluster-level roles and permissions.
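The audit-log review recommended above can be automated. The following is an added example, not part of the original advisory or any vendor tooling: it scans Kubernetes API server audit events for writes to cluster-level RBAC objects made by identities outside an allowlist. The allowlist, namespaces, account names and sample events are constructed assumptions.

```python
import json

RBAC_GROUP = "rbac.authorization.k8s.io"
CLUSTER_RESOURCES = {"clusterroles", "clusterrolebindings"}
WRITE_VERBS = {"create", "update", "patch", "delete"}
# Assumption: the only identities expected to change cluster RBAC at this site.
TRUSTED_ACTORS = {"system:admin", "system:serviceaccount:platform-ops:rbac-operator"}

# Constructed sample of API server audit events (audit.k8s.io/v1), one JSON object per line.
SAMPLE_AUDIT_LOG = """\
{"stage":"ResponseComplete","verb":"list","user":{"username":"system:serviceaccount:ds-team-a:notebook-sa"},"objectRef":{"apiGroup":"rbac.authorization.k8s.io","resource":"clusterrolebindings"},"responseStatus":{"code":200}}
{"stage":"ResponseComplete","verb":"create","user":{"username":"system:serviceaccount:ds-team-a:notebook-sa"},"objectRef":{"apiGroup":"rbac.authorization.k8s.io","resource":"clusterrolebindings","name":"nb-binding"},"requestObject":{"roleRef":{"kind":"ClusterRole","name":"cluster-admin"}},"responseStatus":{"code":201}}
{"stage":"ResponseComplete","verb":"patch","user":{"username":"system:serviceaccount:ds-team-a:notebook-sa"},"objectRef":{"apiGroup":"rbac.authorization.k8s.io","resource":"clusterroles","name":"edit"},"responseStatus":{"code":403}}
{"stage":"ResponseComplete","verb":"update","user":{"username":"system:serviceaccount:platform-ops:rbac-operator"},"objectRef":{"apiGroup":"rbac.authorization.k8s.io","resource":"clusterrolebindings","name":"ops-binding"},"responseStatus":{"code":200}}
{"stage":"ResponseComplete","verb":"create","user":{"usern
{"stage":"ResponseComplete","verb":"create","user":{"username":"alice"},"objectRef":{"apiGroup":"rbac.authorization.k8s.io","resource":"clusterrolebindings","name":"team-view"},"requestObject":{"roleRef":{"kind":"ClusterRole","name":"view"}},"responseStatus":{"code":201}}
"""

def classify(event):
    """Return a finding for a cluster-RBAC write by an untrusted actor, else None."""
    ref = event.get("objectRef") or {}
    actor = (event.get("user") or {}).get("username", "")
    if (event.get("stage") != "ResponseComplete" or ref.get("apiGroup") != RBAC_GROUP
            or ref.get("resource") not in CLUSTER_RESOURCES
            or event.get("verb") not in WRITE_VERBS or actor in TRUSTED_ACTORS):
        return None
    code = (event.get("responseStatus") or {}).get("code", 0)
    # requestObject is present only when the audit policy records request bodies.
    role = ((event.get("requestObject") or {}).get("roleRef") or {}).get("name")
    if code >= 400:
        severity = "attempt"      # denied, but someone tried
    elif role == "cluster-admin":
        severity = "critical"     # successful cluster-admin grant
    else:
        severity = "high"         # other successful cluster-level RBAC change
    return {"severity": severity, "actor": actor, "verb": event["verb"],
            "resource": ref["resource"], "name": ref.get("name"), "code": code}

def scan(log_text):
    """Parse JSON-lines audit text and return findings in log order."""
    findings = []
    for line in log_text.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines
        finding = classify(event) if isinstance(event, dict) else None
        if finding:
            findings.append(finding)
    return findings
```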

Compensating Controls: If immediate patching is not feasible, implement the following compensating controls to mitigate risk:

  • Apply stricter network policies to limit egress and pod-to-pod communication for all data science workloads.
  • Enforce the principle of least privilege by reviewing and reducing permissions for all user and service accounts.
  • Utilize runtime security solutions to detect and block suspicious in-container behavior and container escape attempts in real time.
  • Temporarily restrict or increase monitoring for accounts with access to create and run notebook instances.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the critical severity (CVSS 9.9) of this privilege escalation vulnerability, we recommend treating its remediation as the highest priority. Although this CVE is not currently listed in the CISA KEV catalog, its potential impact warrants immediate action. Organizations must apply the vendor-supplied patches to all affected Red Hat OpenShift AI instances without delay. If patching is delayed, the compensating controls listed above must be implemented immediately to reduce the attack surface while preparing for the update.