====================================================================
CERT-Renater Note d'Information No. 2021/VULN281
_____________________________________________________________________
DATE : 19/05/2021
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): Systems running Kubernetes Java Client versions prior to 12.0.0, 11.0.1.
=====================================================================
https://groups.google.com/g/kubernetes-announce/c/Nt5AP_lMK0E
_____________________________________________________________________

[Kubernetes Java Client] CVE-2021-25738: Code exec via yaml parsing

Hello Kubernetes Community,

A security issue was discovered in the Kubernetes Java client library where loading specially-crafted yaml can lead to code execution.

This issue has been rated Medium (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), and assigned CVE-2021-25738.

Am I vulnerable?

If you process untrusted inputs with the Kubernetes Java Client you may be vulnerable to this issue.

Affected Versions

Kubernetes Java Client == v11.0.0
Kubernetes Java Client <= v10.0.1
Kubernetes Java Client <= v9.0.2

How do I mitigate this vulnerability?

Prior to upgrading, this vulnerability can be mitigated by validating inputs to the client.

Fixed Versions

Kubernetes Java Client >= v12.0.0
Kubernetes Java Client >= v11.0.1

Detection

If you find evidence that this vulnerability has been exploited, please contact secu...@kubernetes.io

Additional Details

See the GitHub issue for more details: https://github.com/kubernetes-client/java/issues/1698

Acknowledgements

This vulnerability was reported by Jordy Versmissen through our bug bounty.

Thank You,
Tim Allclair on behalf of the Kubernetes Product Security Committee

=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23/25 Rue Daviel      | fax : 01-53-94-20-41           +
+ 75013 Paris           | email:cert@support.renater.fr  +
=========================================================
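The advisory's stopgap, "validating inputs to the client" before upgrading, is left unspecified. The following is an added example of one way to do that; it is not code from the advisory, from CERT-Renater, or from the Kubernetes Java client project. It assumes the client's usual dependency on SnakeYAML 1.x is on the classpath, that io.kubernetes.client.util.Yaml.loadAs and the V1Pod model exist as in client releases 9 through 12, and that the two manifests, the class name UntrustedManifestGate and the method names are constructed for illustration. The idea is to parse untrusted text first with SnakeYAML's SafeConstructor, which only knows the core YAML tags (str, int, map, seq and so on) and refuses any explicit tag naming a JVM class, and only then hand the same text to the client's own loader.

```java
import io.kubernetes.client.openapi.models.V1Pod;
import io.kubernetes.client.util.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

/**
 * Hypothetical pre-parse gate for manifests received from untrusted sources.
 * It is not part of the Kubernetes Java client; it wraps the client's Yaml.loadAs.
 */
public final class UntrustedManifestGate {

  // Constructed sample input: a plain manifest using only standard YAML tags.
  static final String PLAIN_POD =
        "apiVersion: v1\n"
      + "kind: Pod\n"
      + "metadata:\n"
      + "  name: demo\n"
      + "spec:\n"
      + "  containers:\n"
      + "  - name: app\n"
      + "    image: nginx\n";

  // Constructed sample input: the same manifest carrying an explicit global tag that
  // names an arbitrary JVM class. A permissive SnakeYAML constructor would try to
  // instantiate whatever class the tag names; the restricted one refuses the document.
  static final String TAGGED_POD =
        "apiVersion: v1\n"
      + "kind: Pod\n"
      + "metadata:\n"
      + "  name: demo\n"
      + "  annotations: !!java.lang.Object {}\n";

  /**
   * Reject any YAML that SafeConstructor cannot build. SafeConstructor registers
   * constructors only for the core YAML tags, so an explicit tag such as
   * !!java.lang.Object falls through to its "undefined tag" handler, which throws a
   * ConstructorException (a YAMLException) before the client ever sees the text.
   */
  static void requireStandardTagsOnly(String yamlText) {
    org.yaml.snakeyaml.Yaml restricted =
        new org.yaml.snakeyaml.Yaml(new SafeConstructor());
    try {
      // loadAll is lazy; iterating forces every document to be constructed.
      for (Object ignored : restricted.loadAll(yamlText)) {
        // Nothing to do: successful construction is the check.
      }
    } catch (YAMLException e) {
      throw new IllegalArgumentException("manifest uses a non-standard YAML tag", e);
    }
  }

  /** Validate first, then pass the unchanged text to the client's own loader. */
  static V1Pod loadPod(String yamlText) {
    requireStandardTagsOnly(yamlText);
    return Yaml.loadAs(yamlText, V1Pod.class);
  }

  public static void main(String[] args) {
    V1Pod pod = loadPod(PLAIN_POD);
    System.out.println("accepted: " + pod.getMetadata().getName());

    try {
      loadPod(TAGGED_POD);
      System.out.println("BUG: tagged manifest was accepted");
    } catch (IllegalArgumentException e) {
      // Message comes from SnakeYAML and names the offending tag.
      System.out.println("rejected: " + e.getCause().getMessage());
    }
  }
}
```

Two caveats a practitioner should keep in mind. First, the gate must run on the exact bytes later given to the client, on the same classpath; validating a copy and loading another, or validating with a different parser, reintroduces the problem. Second, this is only a bridge until the upgrade: the advisory's fix is moving to a release at or above v12.0.0 or v11.0.1, and the gate should be removed once the upgrade lands rather than kept as the sole defence.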