=====================================================================
CERT-Renater Information Note No. 2025/VULN363
_____________________________________________________________________

DATE                 : 18/06/2025
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running Kubernetes versions prior to
                       1.30.2+, 1.29.6+, 1.28.11+, 1.27.15+.
=====================================================================

https://groups.google.com/g/kubernetes-security-announce/c/c5GAO73AWZc
_____________________________________________________________________

[Security Advisory] Race Condition in Go allows Volume Deletion in older Kubernetes versions

Craig Ingram, 17 June 2025, 15:21:49
To: kubernete...@googlegroups.com, d...@kubernetes.io, kubernetes-sec...@googlegroups.com, kubernetes-se...@googlegroups.com, distributors-announce

Hello Kubernetes Community,

The Go team has released a fix in Go versions 1.21.11 and 1.22.4 addressing a symlink race condition when using os.RemoveAll. The Kubernetes Security Response Committee received a report that this issue could be abused in Kubernetes to delete arbitrary directories on a Node with root permissions by a local non-root user with the same UID as the user in a Pod.

The Go team has not issued a CVE for this, as it is considered a hardening issue, and the SRC is following that decision as well.

Am I affected?

Kubernetes binaries built with Go versions prior to 1.21.11 or 1.22.4 are affected.

Affected Versions
- <1.30.2
- <1.29.6
- <1.28.11
- <1.27.15

How do I mitigate this issue?

Upgrade to a fixed (or newer) version of Kubernetes.

Fixed Versions
- 1.30.2+
- 1.29.6+
- 1.28.11+
- 1.27.15+

To upgrade, refer to the documentation: https://kubernetes.io/docs/tasks/administer-cluster/cluster-upgrade/

Detection

This issue could be detected by looking for unexpected file deletions on a Node.
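One way to act on that detection hint, as an added example that is not part of the advisory or of Kubernetes itself: correlate auditd SYSCALL and PATH records by their audit serial and flag deletions performed by the kubelet whose target lies outside the kubelet's own pod and plugin trees. The sample records are constructed and simplified, and the expected-prefix list (default kubelet --root-dir) and the presence of absolute paths in the PATH records are assumptions, not something the advisory states.

```python
import re
from collections import defaultdict

# Constructed, simplified auditd records (not from any real node); a SYSCALL
# record and its PATH record share the audit(timestamp:serial) event id.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1718700000.101:4101): syscall=263 success=yes uid=0 comm="kubelet" exe="/usr/bin/kubelet"
type=PATH msg=audit(1718700000.101:4101): item=1 name="/var/lib/kubelet/pods/1b2c/volumes/kubernetes.io~empty-dir/cache/data.bin" nametype=DELETE
type=SYSCALL msg=audit(1718700000.202:4102): syscall=84 success=yes uid=0 comm="kubelet" exe="/usr/bin/kubelet"
type=PATH msg=audit(1718700000.202:4102): item=1 name="/opt/example/data" nametype=DELETE
type=SYSCALL msg=audit(1718700000.303:4103): syscall=84 success=yes uid=1000 comm="rm" exe="/usr/bin/rm"
type=PATH msg=audit(1718700000.303:4103): item=1 name="/home/alice/tmp" nametype=DELETE
"""

# Trees the kubelet legitimately removes during pod/volume teardown.
# ASSUMPTION: default kubelet --root-dir; adjust to your nodes.
EXPECTED_PREFIXES = ("/var/lib/kubelet/pods/", "/var/lib/kubelet/plugins/")

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
AUDIT_ID_RE = re.compile(r"audit\([\d.]+:(\d+)\)")


def parse_record(line):
    """Split one audit record into key/value fields plus its event serial."""
    m = AUDIT_ID_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    fields["serial"] = m.group(1)
    return fields


def suspicious_deletions(log_text, expected_prefixes=EXPECTED_PREFIXES):
    """Correlate SYSCALL and PATH records by serial; return (serial, uid, path)
    for kubelet deletions whose target is outside the expected directories."""
    events = defaultdict(lambda: {"comm": None, "uid": None, "paths": []})
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        ev = events[rec["serial"]]
        if rec.get("type") == "SYSCALL":
            ev["comm"], ev["uid"] = rec.get("comm"), rec.get("uid")
        elif rec.get("type") == "PATH" and rec.get("nametype") == "DELETE":
            ev["paths"].append(rec.get("name", ""))
    return [(serial, ev["uid"], path)
            for serial, ev in sorted(events.items()) if ev["comm"] == "kubelet"
            for path in ev["paths"] if not path.startswith(expected_prefixes)]
```

Deletions by other processes and kubelet deletions inside its own trees are dropped, so on the sample only serial 4102 (the kubelet removing /opt/example/data) is reported.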
If you find evidence that this vulnerability has been exploited, please contact secu...@kubernetes.io

Additional Details

See the GitHub issue for more details: https://github.com/kubernetes/kubernetes/issues/132267

Acknowledgements

This issue was reported by Addison Crump.

Thank You,
Craig Ingram on behalf of the Kubernetes Security Response Committee

=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email : cert@support.renater.fr +
=========================================================