Fwd: [Security Advisory] [CSI snapshot-controller] CVE-2020-8569: snapshot-controller DoS

Skip to first unread message

CJ Cullen

Nov 17, 2020, 4:00:35 PM11/17/20
to kubernetes-sec...@googlegroups.com, kubernete...@googlegroups.com

---------- Forwarded message ---------
From: Tim Allclair <timal...@gmail.com>
Date: Tue, Nov 17, 2020 at 9:04 AM
Subject: [Security Advisory] [CSI snapshot-controller] CVE-2020-8569: snapshot-controller DoS
To: <kubernetes-...@googlegroups.com>, <kubernete...@googlegroups.com>, <kuberne...@googlegroups.com>, <kubernetes-sec...@googlegroups.com>, kubernetes-security-discuss <kubernetes-se...@googlegroups.com>, <kubernetes+a...@discoursemail.com>

Hello Kubernetes Community,

A security issue was discovered in the CSI snapshot-controller that could lead to a denial of service attack via authorized API requests.

This issue has been rated Medium and assigned CVE-2020-8569.

The snapshot-controller is an optional Kubernetes component that enables volume snapshot feature, which is beta in Kubernetes 1.19. It is installed typically as an add-on into a Kubernetes cluster. See https://kubernetes-csi.github.io/docs/snapshot-controller.html for details.

The snapshot-controller could panic when processing a VolumeSnapshot custom resource when:

  • The VolumeSnapshot referenced a non-existing PersistentVolumeClaim and the VolumeSnapshot did not reference any VolumeSnapshotClass.

  • The snapshot-controller crashes, is automatically restarted by Kubernetes, and processes the same VolumeSnapshot custom resource after the restart, entering an endless crashloop.

Only the volume snapshot feature is affected by this vulnerability. When exploited, users can’t take snapshots of their volumes or delete the snapshots. All other Kubernetes functionality is not affected.

Am I vulnerable?

You may be vulnerable if:

  • You run Kubernetes CSI snapshot-controller;

  • You are running a vulnerable version (see below);

  • Untrusted users can create VolumeSnapshot custom resources in API group snapshot.storage.k8s.io.

Affected Versions

  • snapshot-controller v3.0.0 - v3.0.1

How do I mitigate this vulnerability?

Prior to upgrading, this vulnerability can be mitigated by restricting creation of VolumeSnapshot custom resources in API group snapshot.storage.k8s.io only to trusted users.

Fixed Versions

  • snapshot-controller v3.0.2

If you're using a managed Kubernetes service, check with them on how to upgrade. If you're managing the snapshot-controller, then update the image to v3.0.2


The snapshot-controller Pod crashlooping could be an indication of this CVE being exploited. Check the health of the snapshot-controller Deployment and Pods.

If you find evidence that this vulnerability has been exploited, please contact secu...@kubernetes.io

Additional Details

See https://github.com/kubernetes-csi/external-snapshotter/issues/380 for a detailed reproducer and https://github.com/kubernetes-csi/external-snapshotter/pull/381 for a fix.


This vulnerability was reported by Qin Ping.

Thank You,

Tim Allclair on behalf of the Kubernetes Product Security Committee

You received this message because you are subscribed to the Google Groups "kubernetes-security-discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to kubernetes-security...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/kubernetes-security-discuss/CALXpagw2hxGCQO5KuSpMYpcufjO4KSu9SoGr7tEQFtXfJxJF3g%40mail.gmail.com.

Tim Allclair

Dec 15, 2020, 12:24:28 PM12/15/20
to kubernetes-...@googlegroups.com, kubernete...@googlegroups.com, kuberne...@googlegroups.com, kubernetes-sec...@googlegroups.com, kubernetes-security-discuss, kubernetes+a...@discoursemail.com
Affected versions include v2.1.0 - v2.1.2. A new version, v2.1.3 has been released with the patch. Please see the previous announcement for issue details and mitigation instructions.

Thank You,

Tim Allclair on behalf of the Kubernetes Product Security Committee

Reply all
Reply to author
0 new messages