[Security Advisory] CVE-2021-25749: runAsNonRoot logic bypass for Windows containers

Skip to first unread message

Pushkar Joglekar

Sep 15, 2022, 5:37:36 PM9/15/22
to kubernete...@googlegroups.com, kubernetes-sec...@googlegroups.com

Hello Kubernetes Community,

A security issue was discovered in Kubernetes that could allow Windows workloads to run as ContainerAdministrator even when those workloads set the runAsNonRoot option to true .

This issue has been rated low and assigned CVE-2021-25749

Am I vulnerable?

All Kubernetes clusters with following versions, running Windows workloads with runAsNonRoot are impacted.

Affected Versions

  • kubelet v1.20 - v1.21
  • kubelet v1.22.0 - v1.22.13
  • kubelet v1.23.0 - v1.23.10
  • kubelet v1.24.0 - v1.24.4

How do I mitigate this vulnerability?

There are no known mitigations to this vulnerability.

Fixed Versions

  • kubelet v1.22.14
  • kubelet v1.23.11
  • kubelet v1.23.5
  • kubelet v1.25.0

To upgrade, refer to this documentation. For core Kubernetes: https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster


Kubernetes Audit logs may indicate if the user name was misspelled to bypass the restriction placed on which user is a pod allowed to run as.

If you find evidence that this vulnerability has been exploited, please contact secu...@kubernetes.io

Additional Details

See the GitHub issue for more details: https://github.com/kubernetes/kubernetes/issues/112192


This vulnerability was reported and fixed by Mark Rosetti (@marosset)

Thank You,

Pushkar Joglekar on behalf of the Kubernetes Security Response Committee

Reply all
Reply to author
0 new messages