CVE-2021-25735: Validating Admission Webhook does not observe some previous fields

Tim Allclair

Apr 14, 2021, 12:04:38 PM
to kubernetes-announce, Kubernetes developer/contributor discussion, kubernetes-sec...@googlegroups.com, kubernetes-security-discuss, distributo...@kubernetes.io, kubernetes+a...@discoursemail.com

A security issue was discovered in kube-apiserver that could allow node updates to bypass a Validating Admission Webhook. You are only affected by this vulnerability if you run a Validating Admission Webhook for Nodes that denies admission based at least partially on the old state of the Node object.

This issue has been rated Medium (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H), and assigned CVE-2021-25735.

Note: This only impacts validating admission plugins that rely on old values in certain fields, and does not impact calls from kubelets that go through the built-in NodeRestriction admission plugin.

Affected Versions

  • kube-apiserver v1.20.0 - v1.20.5

  • kube-apiserver v1.19.0 - v1.19.9

  • kube-apiserver <= v1.18.17

Fixed Versions

This issue is fixed in the following versions:

  • kube-apiserver v1.21.0

  • kube-apiserver v1.20.6

  • kube-apiserver v1.19.10

  • kube-apiserver v1.18.18

Detection

If you find evidence that this vulnerability has been exploited, please contact secu...@kubernetes.io

Additional Details

See Kubernetes Issue #100096 for more details.

Acknowledgements

This vulnerability was reported by Rogerio Bastos & Ari Lima from Red Hat.


Thank You,

Tim Allclair on behalf of the Kubernetes Product Security Committee
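
The following is an added example, not part of the original announcement and not Kubernetes project code: a triage helper that checks a kube-apiserver version against the affected ranges listed above and lists validating webhooks whose rules match UPDATE on Nodes. The webhook names and the sample configuration are constructed; whether a listed webhook actually relies on the old state of the Node object still has to be confirmed by reviewing the webhook's own logic.

```python
import re

# Highest affected patch per minor, from the advisory; minors below 1.18
# fall under "<= v1.18.17". Vendor builds with backports are not modelled.
LAST_AFFECTED_PATCH = {18: 17, 19: 9, 20: 5}

def apiserver_affected(version):
    """True if a kube-apiserver version is in the advisory's affected ranges."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    major, minor, patch = map(int, m.groups())
    if (major, minor) < (1, 18):
        return True
    return major == 1 and patch <= LAST_AFFECTED_PATCH.get(minor, -1)

def node_update_webhooks(config_list):
    """Return 'config/webhook' names whose rules match UPDATE on Nodes."""
    hits = []
    for cfg in config_list.get("items", []):
        for hook in cfg.get("webhooks", []):
            for rule in hook.get("rules", []):
                resources = {r.split("/")[0] for r in rule.get("resources", [])}
                if (rule.get("scope", "*") != "Namespaced"  # Nodes are cluster-scoped
                        and {"", "*"} & set(rule.get("apiGroups", []))
                        and {"UPDATE", "*"} & set(rule.get("operations", []))
                        and {"nodes", "*"} & resources):
                    hits.append(f'{cfg["metadata"]["name"]}/{hook["name"]}')
                    break  # one matching rule is enough for this webhook
    return hits

def sample_rule(groups, ops, resources, scope="*"):  # helper for the constructed sample
    return {"apiGroups": groups, "operations": ops, "resources": resources, "scope": scope}

# Constructed sample shaped like `kubectl get validatingwebhookconfigurations -o json`.
SAMPLE = {"items": [
    {"metadata": {"name": "node-policy"}, "webhooks": [
        {"name": "nodes.example.test", "rules": [sample_rule([""], ["UPDATE"], ["nodes"])]}]},
    {"metadata": {"name": "pod-policy"}, "webhooks": [
        {"name": "pods.example.test", "rules": [sample_rule([""], ["CREATE"], ["pods"])]}]},
    {"metadata": {"name": "ns-wide"}, "webhooks": [
        {"name": "all.example.test", "rules": [sample_rule(["*"], ["*"], ["*"], "Namespaced")]}]},
]}

if __name__ == "__main__":
    for v in ("v1.20.5", "v1.20.6", "v1.19.10", "v1.17.3", "v1.21.0"):
        print(v, "affected" if apiserver_affected(v) else "not affected")
    print("webhooks to review:", node_update_webhooks(SAMPLE))
```

To run it against a live cluster, load the JSON output of `kubectl get validatingwebhookconfigurations -o json` and pass the parsed object to `node_update_webhooks` in place of `SAMPLE`.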

