Date: Mon, 1 Jun 2020 09:04:49 -0700 From: Tim Allclair <tallclair@...gle.com> To: kubernetes-announce@...glegroups.com, "Kubernetes developer/contributor discussion" <kubernetes-dev@...glegroups.com>, kubernetes-security-announce@...glegroups.com, kubernetes-security-discuss <kubernetes-security-discuss@...glegroups.com>, oss-security@...ts.openwall.com, kubernetes+announcements@...coursemail.com Subject: CVE-2020-8555: Kubernetes: Half-Blind SSRF in kube-controller-manager Hello Kubernetes Community, There exists a Server Side Request Forgery (SSRF) vulnerability in kube-controller-manager that allows certain authorized users to leak up to 500 bytes of arbitrary information from unprotected endpoints within the master's host network (such as link-local or loopback services). This issue has been rated medium ( CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N <https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N>), and assigned CVE-2020-8555. Am I vulnerable? You may be vulnerable if: - You are running a vulnerable version (see below); - There are unprotected endpoints normally only visible from the Kubernetes master (including link-local metadata endpoints, unauthenticated services listening on localhost, or other services in the master's private network); and - Untrusted users can create pods with an affected volume type or modify storage classes. Affected Versions - kube-controller-manager v1.18.0 - kube-controller-manager v1.17.0 - v1.17.4 - kube-controller-manager v1.16.0 - v1.16.8 - kube-controller-manager < v1.15.11 The affected volume types are: GlusterFS, Quobyte, StorageFS, ScaleIO How do I mitigate this vulnerability? Prior to upgrading, this vulnerability can be mitigated by adding endpoint protections on the master or restricting usage of the vulnerable volume types (for example by constraining usage with a PodSecurityPolicy <https://kubernetes.io/docs/concepts/policy/pod-security-policy/#volumes-and-file-systems> or third-party admission controller such as Gatekeeper <https://github.com/open-policy-agent/gatekeeper>) and restricting StorageClass write permissions through RBAC. Fixed Versions The information leak was patched in the following versions: - kube-controller-manager v1.18.1+ - kube-controller-manager v1.17.5+ - kube-controller-manager v1.16.9+ - kube-controller-manager v1.15.12+ To upgrade, refer to the documentation: https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster Further work to protect against SSRF is underway and will be included in an upcoming patch release (details to follow). Additional Details See the GitHub issue for more details: https://github.com/kubernetes/kubernetes/issues/91542 Thank You, Tim Allclair on behalf of the Kubernetes Product Security Committee
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.