=====================================================================
CERT-Renater Information Note No. 2021/VULN482
_____________________________________________________________________

DATE : 16/09/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Kubernetes versions prior to 1.22.2, 1.21.5, 1.20.11, 1.19.15
                     Systems running kube-apiserver.
=====================================================================

https://groups.google.com/g/kubernetes-announce/c/-e9OlTcED5E
https://groups.google.com/g/kubernetes-announce/c/-2Dx8JdbzAo
_____________________________________________________________________

[Security Advisory] CVE-2021-25741: Symlink Exchange Can Allow Host Filesystem Access

Hello Kubernetes Community,

A security issue was discovered in Kubernetes where a user may be able to create a container with subpath volume mounts to access files & directories outside of the volume, including on the host filesystem.

This issue has been rated High (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), and assigned CVE-2021-25741.

Affected Components and Configurations

This bug affects kubelet.

Environments where cluster administrators have restricted the ability to create hostPath mounts are the most seriously affected. Exploitation allows hostPath-like access without use of the hostPath feature, thus bypassing the restriction.

In a default Kubernetes environment, exploitation could be used to obscure misuse of already-granted privileges.

Affected Versions

v1.22.0 - v1.22.1
v1.21.0 - v1.21.4
v1.20.0 - v1.20.10
<= v1.19.14

Fixed Versions

This issue is fixed in the following versions:

v1.22.2
v1.21.5
v1.20.11
v1.19.15

Mitigation

To mitigate this vulnerability without upgrading kubelet, you can disable the VolumeSubpath feature gate on kubelet and kube-apiserver, and remove any existing Pods making use of the feature.
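The mitigation above asks for existing Pods that use subpath volume mounts to be found and removed, and the admission-control advice that follows in the advisory concerns containers running as root. The following Python script is an added example (not part of the CERT-Renater note or the Kubernetes advisory): it walks the JSON that `kubectl get pods --all-namespaces -o json` produces (a small constructed Pod list is embedded so it runs offline), lists every volumeMount that sets subPath or subPathExpr, and marks those whose effective securityContext does not guarantee a non-root UID. The namespaces and Pod names are constructed, and treating subPathExpr as a subpath mount and an unset securityContext as root-capable are assumptions of the example.

```python
"""Inventory Pods that use subPath/subPathExpr volume mounts and flag those that
may run as root. Input is the JSON produced by
`kubectl get pods --all-namespaces -o json`; a constructed sample is embedded."""
import json

# Constructed sample (not real cluster data): one non-root subPath user, one
# root-capable subPathExpr user, one Pod with no subpath mounts at all.
SAMPLE_POD_LIST = json.loads(r'''
{
  "kind": "PodList",
  "items": [
    {
      "metadata": {"name": "web", "namespace": "team-a"},
      "spec": {
        "securityContext": {"runAsNonRoot": true},
        "containers": [
          {
            "name": "nginx",
            "volumeMounts": [
              {"name": "cfg", "mountPath": "/etc/nginx/conf.d", "subPath": "site.conf"}
            ]
          }
        ]
      }
    },
    {
      "metadata": {"name": "batch", "namespace": "team-b"},
      "spec": {
        "containers": [
          {
            "name": "worker",
            "securityContext": {"runAsUser": 0},
            "volumeMounts": [
              {"name": "data", "mountPath": "/data", "subPathExpr": "$(POD_NAME)"}
            ]
          },
          {
            "name": "sidecar",
            "volumeMounts": [{"name": "data", "mountPath": "/scratch"}]
          }
        ]
      }
    },
    {
      "metadata": {"name": "plain", "namespace": "team-b"},
      "spec": {"containers": [{"name": "app"}]}
    }
  ]
}
''')


def may_run_as_root(pod_spec, container):
    """True unless the effective security context guarantees a non-root UID.

    Container-level settings override Pod-level ones. A missing setting is
    treated as root-capable (assumption): the image's USER is not visible here.
    """
    pod_sc = pod_spec.get("securityContext") or {}
    ctr_sc = container.get("securityContext") or {}
    run_as_user = ctr_sc.get("runAsUser", pod_sc.get("runAsUser"))
    run_as_non_root = ctr_sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
    if run_as_user is not None:
        return run_as_user == 0
    return run_as_non_root is not True


def find_subpath_mounts(pod_list):
    """Return one finding per volumeMount that sets subPath or subPathExpr."""
    findings = []
    for pod in pod_list.get("items", []):
        meta, spec = pod.get("metadata", {}), pod.get("spec", {})
        # init and ephemeral containers can carry volumeMounts as well
        containers = (spec.get("initContainers", []) + spec.get("containers", [])
                      + spec.get("ephemeralContainers", []))
        for ctr in containers:
            for vm in ctr.get("volumeMounts", []) or []:
                sub = vm.get("subPath") or vm.get("subPathExpr")
                if not sub:
                    continue
                findings.append({
                    "namespace": meta.get("namespace"),
                    "pod": meta.get("name"),
                    "container": ctr.get("name"),
                    "volume": vm.get("name"),
                    "subpath": sub,
                    "may_run_as_root": may_run_as_root(spec, ctr),
                })
    return findings


if __name__ == "__main__":
    for f in find_subpath_mounts(SAMPLE_POD_LIST):
        flag = "ROOT-CAPABLE" if f["may_run_as_root"] else "non-root"
        print(f'{f["namespace"]}/{f["pod"]} [{f["container"]}] volume={f["volume"]} '
              f'subPath={f["subpath"]} ({flag})')
```

Pointed at real output (`kubectl get pods -A -o json > pods.json`, then `json.load` instead of the embedded sample), the list is the set of Pods that must be migrated or deleted before the VolumeSubpath feature gate is switched off, and the root-capable flag shows where the admission-control advice would have reduced the blast radius.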
You can also use admission control to prevent less-trusted users from running containers as root to reduce the impact of successful exploitation.

Detection

If you find evidence that this vulnerability has been exploited, please contact secu...@kubernetes.io

Additional Details

See Kubernetes Issue #104980 for more details.

Acknowledgements

This vulnerability was reported by Fabricio Voznika and Mark Wolters of Google. Thanks as well to Ian Coldwater, Duffie Cooley, Brad Geesaman, and Rory McCune for the thorough security research that led to the discovery of this vulnerability.

Thank You,
CJ Cullen on behalf of the Kubernetes Security Response Committee
_____________________________________________________________________

[Security Advisory] CVE-2020-8561: Webhook redirect in kube-apiserver

Hello Kubernetes Community,

A security issue was discovered in Kubernetes where actors that control the responses of MutatingWebhookConfiguration or ValidatingWebhookConfiguration requests are able to redirect kube-apiserver requests to private networks of the apiserver. If that user can view kube-apiserver logs when the log level is set to 10, they can view the redirected responses and headers in the logs.

This issue has been rated Medium (https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N) (4.1), and assigned CVE-2020-8561.

Am I vulnerable?

You may be vulnerable if `--profiling` is enabled on the kube-apiserver and actors who control a validating or mutating webhook can access the kube-apiserver process logs.

Affected Versions

This issue affects all known versions of kube-apiserver.

How do I mitigate this vulnerability?

This issue can be mitigated by not allowing kube-apiserver access to sensitive resources or networks, or to reduce the “-v” flag value to less than 10 and set the “--profiling” flag value to “false” (default value is “true”).
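As an added example (not from the CERT-Renater note or the Kubernetes advisory), the Python script below checks whether a kube-apiserver command line carries the two flag settings just described, `--profiling=false` and a `-v` verbosity below 10, and reports which of them is missing. It assumes the argument list is taken from the apiserver's static Pod manifest (on kubeadm clusters typically /etc/kubernetes/manifests/kube-apiserver.yaml) and that flags follow Go pflag conventions (a bare boolean flag means true, the last occurrence wins, `-v` accepts `-v=N`, `-vN` and `-v N`); both command lines it contains are constructed.

```python
"""Check a kube-apiserver command line for the CVE-2020-8561 mitigation:
--profiling=false and a -v (log verbosity) below 10. The argv would normally
come from the apiserver's static Pod manifest (assumption:
/etc/kubernetes/manifests/kube-apiserver.yaml on kubeadm clusters); two
constructed command lines are embedded so the check runs offline."""

# Flags that take no value: a bare occurrence means "true" (Go pflag semantics)
BOOL_FLAGS = {"profiling"}

# Constructed sample command lines (not taken from any real cluster)
WEAK_ARGV = ["kube-apiserver", "--etcd-servers=https://127.0.0.1:2379",
             "--authorization-mode=Node,RBAC", "-v=10"]
HARDENED_ARGV = ["kube-apiserver", "--etcd-servers=https://127.0.0.1:2379",
                 "--authorization-mode=Node,RBAC", "--profiling=false", "-v", "2"]


def name_is_bool(name):
    return name in BOOL_FLAGS


def parse_flags(argv):
    """Map flag names (without dashes) to their string values.

    Handles --name=value, --name value, -v=N, -vN, -v N and bare booleans.
    Later occurrences override earlier ones, as pflag does; a bare boolean
    flag never consumes the following token.
    """
    flags = {}
    i = 1  # skip the binary name
    while i < len(argv):
        tok = argv[i]
        if not tok.startswith("-"):
            i += 1  # positional argument, ignore
            continue
        body = tok.lstrip("-")
        if "=" in body:
            name, value = body.split("=", 1)
        elif not tok.startswith("--") and len(body) > 1:
            name, value = body[0], body[1:]  # shorthand with attached value, e.g. -v10
        elif name_is_bool(body):
            name, value = body, "true"
        elif i + 1 < len(argv) and not argv[i + 1].startswith("-"):
            name, value = body, argv[i + 1]
            i += 1
        else:
            name, value = body, ""
        flags[name] = value
        i += 1
    return flags


def assess(argv):
    """Return the effective settings and whether the advisory's mitigation is in place."""
    flags = parse_flags(argv)
    profiling = flags.get("profiling", "true").lower() != "false"  # default is true
    try:
        log_level = int(flags.get("v", "0"))  # klog verbosity defaults to 0
    except ValueError:
        log_level = 0
    reasons = []
    if profiling:
        reasons.append("--profiling is enabled (default); set --profiling=false")
    if log_level >= 10:
        reasons.append(f"-v={log_level} logs webhook response bodies; lower it below 10")
    return {"profiling": profiling, "log_level": log_level,
            "mitigated": not reasons, "reasons": reasons}


if __name__ == "__main__":
    for label, argv in (("weak", WEAK_ARGV), ("hardened", HARDENED_ARGV)):
        r = assess(argv)
        print(f"{label}: profiling={r['profiling']} v={r['log_level']} "
              f"mitigated={r['mitigated']} {'; '.join(r['reasons'])}")
```

Because `--profiling` defaults to true, an apiserver whose manifest never mentions the flag is reported as unmitigated even when its verbosity is low; that matches the advisory's point that the profiling endpoint is what lets a user raise the log level at runtime.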
Setting the profiling flag to “false” prevents users from dynamically modifying the kube-apiserver log level, and the flag value. Webhook requests may still be redirected to private networks with a log level less than 10, but the response body will not be logged.

Fixed Versions

There is no fix for this issue at this time.

Detection

Examining kube-apiserver log responses is the only known method of detection for this issue. If you find evidence that this vulnerability has been exploited, please contact secu...@kubernetes.io

Additional Details

See the GitHub issue for more details: https://github.com/kubernetes/kubernetes/issues/104720

Acknowledgements

This vulnerability was reported by QiQi Xu

Thank You,
Micah Hausler on behalf of the Kubernetes Security Response Committee
=========================================================
+ CERT-RENATER       | tel : 01-53-94-20-44              +
+ 23/25 Rue Daviel   | fax : 01-53-94-20-41              +
+ 75013 Paris        | email : cert@support.renater.fr   +
=========================================================