PROVIDSD-3094 [kubernetes-announce] Re: [Security Advisory] [CSI snapshot-controller] CVE-2020-8569: snapshot-controller DoS


prov...@babiel.com

Dec 15, 2020, 12:27:05 PM12/15/20
to kubernetes-se...@googlegroups.com
—-—-—-—
Please reply above this line.

Hello kubernetes-se...@googlegroups.com,

timal...@gmail.com has added you as a participant to the request "[kubernetes-announce] Re: [Security Advisory] [CSI snapshot-controller] CVE-2020-8569: snapshot-controller DoS" (ticket PROVIDSD-3094). For further details, please open the customer portal if you are authorized to access it.

~~~~~~~~~~~~~~ Text of the request ~~~~~~~~~~~~~~

Correction:
Affected versions include v2.1.0 - v2.1.2. A new version, v2.1.3 has been released with the patch. Please see the previous announcement for issue details and mitigation instructions.

Thank You,

Tim Allclair on behalf of the Kubernetes Product Security Committee

On Tue, Nov 17, 2020 at 9:04 AM Tim Allclair <timal...@gmail.com> wrote:

Hello Kubernetes Community,

A security issue was discovered in the CSI snapshot-controller that could lead to a denial of service attack via authorized API requests.

This issue has been rated Medium and assigned CVE-2020-8569.

The snapshot-controller is an optional Kubernetes component that enables volume snapshot feature, which is beta in Kubernetes 1.19. It is installed typically as an add-on into a Kubernetes cluster. See https://kubernetes-csi.github.io/docs/snapshot-controller.html for details.

The snapshot-controller could panic when processing a VolumeSnapshot custom resource when:

  • The VolumeSnapshot referenced a non-existing PersistentVolumeClaim and the VolumeSnapshot did not reference any VolumeSnapshotClass.
  • The snapshot-controller crashes, is automatically restarted by Kubernetes, and processes the same VolumeSnapshot custom resource after the restart, entering an endless crashloop.

Only the volume snapshot feature is affected by this vulnerability. When exploited, users can’t take snapshots of their volumes or delete the snapshots. All other Kubernetes functionality is not affected.

Am I vulnerable?

You may be vulnerable if:

  • You run Kubernetes CSI snapshot-controller;
  • You are running a vulnerable version (see below);
  • Untrusted users can create VolumeSnapshot custom resources in API group snapshot.storage.k8s.io.

Affected Versions

  • snapshot-controller v3.0.0 - v3.0.1

How do I mitigate this vulnerability?

Prior to upgrading, this vulnerability can be mitigated by restricting creation of VolumeSnapshot custom resources in API group snapshot.storage.k8s.io only to trusted users.

Fixed Versions

  • snapshot-controller v3.0.2

If you're using a managed Kubernetes service, check with them on how to upgrade. If you're managing the snapshot-controller, then update the image to v3.0.2.

Detection

The snapshot-controller Pod crashlooping could be an indication of this CVE being exploited. Check the health of the snapshot-controller Deployment and Pods.

If you find evidence that this vulnerability has been exploited, please contact secu...@kubernetes.io.

Additional Details

See https://github.com/kubernetes-csi/external-snapshotter/issues/380 for a detailed reproducer and https://github.com/kubernetes-csi/external-snapshotter/pull/381 for a fix.

Acknowledgements

This vulnerability was reported by Qin Ping.

Thank You,

Tim Allclair on behalf of the Kubernetes Product Security Committee


You received this message because you are subscribed to the Google Groups "kubernetes-announce" group.
To unsubscribe from this group and stop receiving emails from it, send an email to kubernetes-anno...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/kubernetes-announce/CALXpagwd%3DyiextkRXFUfe%2B0ZbsPxyXbJY2w49OstZOM_ywx24g%40mail.gmail.com.

~~~~~~~~~~~~~~ End of the request ~~~~~~~~~~~~~~

Current status of this ticket: "In progress"

Please note that this request is shared with the following other people: Newsletter, timal...@gmail.com, kubernetes-sec...@googlegroups.com, kubernetes-...@googlegroups.com and 4 other people
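The two operational checks the advisory calls for, as an added example that is not part of the announcement or of the external-snapshotter project: the detection check (is a snapshot-controller Pod crashlooping?) and the mitigation check (which RBAC roles can create VolumeSnapshot resources in snapshot.storage.k8s.io?). Both run over constructed documents in the shape of `kubectl get pods -o json` and `kubectl get clusterroles -o json`; the Pod and role names and the restart threshold are assumptions.

```python
import json

SNAPSHOT_GROUP = "snapshot.storage.k8s.io"

# Constructed sample (`kubectl get pods -o json` shape): one crashlooping controller, one healthy Pod.
PODS_JSON = json.dumps({"items": [
    {"metadata": {"name": "snapshot-controller-0", "namespace": "kube-system"},
     "status": {"containerStatuses": [{"name": "snapshot-controller", "restartCount": 17,
                                       "state": {"waiting": {"reason": "CrashLoopBackOff"}}}]}},
    {"metadata": {"name": "coredns-7f8b", "namespace": "kube-system"},
     "status": {"containerStatuses": [{"name": "coredns", "restartCount": 0,
                                       "state": {"running": {}}}]}}]})

# Constructed sample (`kubectl get clusterroles -o json` shape): a wildcard role and a read-only role.
ROLES_JSON = json.dumps({"items": [
    {"metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"metadata": {"name": "snapshot-viewer"},
     "rules": [{"apiGroups": [SNAPSHOT_GROUP], "resources": ["volumesnapshots"],
                "verbs": ["get", "list", "watch"]}]}]})


def crashlooping_snapshot_controllers(pods_json, min_restarts=3):
    """Detection: snapshot-controller Pods waiting in CrashLoopBackOff or restarted
    at least min_restarts times, as (namespace/name, restartCount, reason)."""
    hits = []
    for pod in json.loads(pods_json)["items"]:
        meta = pod["metadata"]
        if "snapshot-controller" not in meta["name"]:
            continue
        for cs in pod["status"].get("containerStatuses", []):
            reason = cs.get("state", {}).get("waiting", {}).get("reason", "")
            restarts = cs.get("restartCount", 0)
            if reason == "CrashLoopBackOff" or restarts >= min_restarts:
                hits.append((f'{meta["namespace"]}/{meta["name"]}', restarts, reason or "restarts"))
    return hits


def roles_allowing_snapshot_create(roles_json):
    """Mitigation check: names of roles whose rules grant `create` on volumesnapshots in
    snapshot.storage.k8s.io; "*" matches, as it does in RBAC evaluation."""
    def allows(values, wanted):
        return "*" in values or wanted in values
    return [role["metadata"]["name"] for role in json.loads(roles_json)["items"]
            if any(allows(r.get("apiGroups", []), SNAPSHOT_GROUP)
                   and allows(r.get("resources", []), "volumesnapshots")
                   and allows(r.get("verbs", []), "create") for r in role.get("rules", []))]


if __name__ == "__main__":
    print(crashlooping_snapshot_controllers(PODS_JSON))  # [('kube-system/snapshot-controller-0', 17, 'CrashLoopBackOff')]
    print(roles_allowing_snapshot_create(ROLES_JSON))  # ['cluster-admin']
```

Any role other than the ones bound to trusted operators showing up in the second list means the interim mitigation (restricting VolumeSnapshot creation) is not in place; RoleBindings and namespaced Roles would need the same treatment.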
