[Security Advisory] CVE-2024-10220: Arbitrary command execution through gitRepo volume

102 views
Skip to first unread message

Craig Ingram

unread,
Nov 20, 2024, 10:44:40 AMNov 20
to kubernete...@googlegroups.com, d...@kubernetes.io, kubernetes-sec...@googlegroups.com, kubernetes-se...@googlegroups.com, distributors-announce

Hello Kubernetes Community,


A security vulnerability was discovered in Kubernetes that could allow a user with the ability to create a pod and associate a gitRepo volume to execute arbitrary commands beyond the container boundary. This vulnerability leverages the hooks folder in the target repository to run arbitrary commands outside of the container's boundary.

Please note that this issue was originally publicly disclosed with a fix in July (#124531), and we are retroactively assigning it a CVE to assist in awareness and tracking.

This issue has been rated High (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N) (score: 8.1), and assigned CVE-2024-10220.

Am I vulnerable?

This CVE affects Kubernetes clusters where pods use the in-tree gitRepo volume to clone a repository to a subdirectory. If the Kubernetes cluster is running one of the affected versions listed below, then it is vulnerable to this issue.

Affected Versions

  • kubelet v1.30.0 to v1.30.2

  • kubelet v1.29.0 to v1.29.6

  • kubelet <= v1.28.11

How do I mitigate this vulnerability?

To mitigate this vulnerability, you must upgrade your Kubernetes cluster to one of the fixed versions listed below. 

Additionally, since the gitRepo volume has been deprecated, the recommended solution is to perform the Git clone operation using an init container and then mount the directory into the Pod's container. An example of this approach is provided here.

Fixed Versions

  • kubelet v1.31.0

  • kubelet v1.30.3

  • kubelet v1.29.7

  • kubelet v1.28.12

Detection

To detect whether this vulnerability has been exploited, you can use the following command to list all pods that use the in-tree gitRepo volume and clones to a .git subdirectory. 

kubectl get pods --all-namespaces -o json | jq '.items[] | select(.spec.volumes[].gitRepo.directory | endswith("/.git")) | {name: .metadata.name, namespace: .metadata.namespace}


If you find evidence that this vulnerability has been exploited, please contact secu...@kubernetes.io

Additional Details

See the GitHub issue for more details: https://github.com/kubernetes/kubernetes/issues/128885 

Acknowledgements

This vulnerability was reported and mitigated by Imre Rad.


Thank You,

Craig Ingram on behalf of the Kubernetes Security Response Committee


Red Hat Product Security

unread,
Nov 21, 2024, 12:19:30 AMNov 21
to kubernetes-sec...@googlegroups.com, distributo...@kubernetes.io, kubernete...@googlegroups.com, kubernetes-se...@googlegroups.com, d...@kubernetes.io

Hello!

INC3249969 ([Security Advisory] CVE-2024-10220: Arbitrary command execution through gitRepo volume) has been updated.

Opened for: distributo...@kubernetes.io
Followers: kubernete...@googlegroups.com, d...@kubernetes.io, kubernetes-sec...@googlegroups.com, kubernetes-se...@googlegroups.com, distributo...@kubernetes.io

Abhishek Raj updated your request with the following comments:

Hi,
 
I'm writing to acknowledge receipt of your request. We are reviewing the ticket and an Analyst will report back as soon as possible.
 
Thanks!

How can I track and update my request?

To respond, reply to this email. You may also create a new email and include the request number (INC3249969) in the subject.

Thank you,
Product Security

 
Ref:MSG97992795
Reply all
Reply to author
Forward
0 new messages