[Security Advisory] CVE-2021-25749: runAsNonRoot logic bypass for Windows containers

551 views

Skip to first unread message

Pushkar Joglekar

unread,

Sep 15, 2022, 5:37:31 PM9/15/22

to kubernete...@googlegroups.com, kubernetes-sec...@googlegroups.com

Hello Kubernetes Community,

A security issue was discovered in Kubernetes that could allow Windows workloads to run as ContainerAdministrator even when those workloads set the runAsNonRoot option to true .

This issue has been rated low and assigned CVE-2021-25749

Am I vulnerable?

All Kubernetes clusters with following versions, running Windows workloads with runAsNonRoot are impacted.

Affected Versions

kubelet v1.20 - v1.21
kubelet v1.22.0 - v1.22.13
kubelet v1.23.0 - v1.23.10
kubelet v1.24.0 - v1.24.4

How do I mitigate this vulnerability?

There are no known mitigations to this vulnerability.

Fixed Versions

kubelet v1.22.14
kubelet v1.23.11
kubelet v1.23.5
kubelet v1.25.0

To upgrade, refer to this documentation. For core Kubernetes: https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster

Detection

Kubernetes Audit logs may indicate if the user name was misspelled to bypass the restriction placed on which user is a pod allowed to run as.

If you find evidence that this vulnerability has been exploited, please contact secu...@kubernetes.io

Additional Details

See the GitHub issue for more details: https://github.com/kubernetes/kubernetes/issues/112192

Acknowledgements

This vulnerability was reported and fixed by Mark Rosetti (@marosset)

Thank You,

Pushkar Joglekar on behalf of the Kubernetes Security Response Committee

Reply all

Reply to author

Forward

0 new messages