[Kubernetes Java Client] CVE-2021-25738: Code exec via yaml parsing

4 views
Skip to first unread message

Tim Allclair

unread,
May 17, 2021, 12:39:43 PM5/17/21
to kubernetes-announce, Kubernetes developer/contributor discussion, kubernetes-sec...@googlegroups.com, kubernetes-security-discuss, distributo...@kubernetes.io, kubernetes+a...@discoursemail.com

Hello Kubernetes Community,

A security issue was discovered in the Kubernetes Java client library where loading specially-crafted yaml can lead to code execution.

This issue has been rated Medium (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), and assigned CVE-2021-25738.

Am I vulnerable?

If you process untrusted inputs with the Kubernetes Java Client you may be vulnerable to this issue.

Affected Versions

  • Kubernetes Java Client == v11.0.0

  • Kubernetes Java Client <= v10.0.1

  • Kubernetes Java Client <= v9.0.2

How do I mitigate this vulnerability?

Prior to upgrading, this vulnerability can be mitigated by validating inputs to the client.

Fixed Versions

  • Kubernetes Java Client >= v12.0.0

  • Kubernetes Java Client >= v11.0.1

Detection

If you find evidence that this vulnerability has been exploited, please contact secu...@kubernetes.io

Additional Details

See the GitHub issue for more details: https://github.com/kubernetes-client/java/issues/1698

Acknowledgements

This vulnerability was reported by Jordy Versmissen through our bug bounty.

Thank You,

Tim Allclair on behalf of the Kubernetes Product Security Committee


Brendan Burns

unread,
May 17, 2021, 3:06:50 PM5/17/21
to Tim Allclair, kubernetes-announce, Kubernetes developer/contributor discussion, kubernetes-sec...@googlegroups.com, kubernetes-security-discuss, distributo...@kubernetes.io, kubernetes+a...@discoursemail.com
One quick clarification:

The unaffected versions had >= when they should have had > (apologies for not catching that before this went out)

The correct unaffected versions are:

> 12.0.1
> 11.0.2


Thanks

--brendan


From: kuberne...@googlegroups.com <kuberne...@googlegroups.com> on behalf of Tim Allclair <timal...@gmail.com>
Sent: Monday, May 17, 2021 9:39 AM
To: kubernetes-announce <kubernete...@googlegroups.com>; Kubernetes developer/contributor discussion <kuberne...@googlegroups.com>; kubernetes-sec...@googlegroups.com <kubernetes-sec...@googlegroups.com>; kubernetes-security-discuss <kubernetes-se...@googlegroups.com>; distributo...@kubernetes.io <distributo...@kubernetes.io>; kubernetes+a...@discoursemail.com <kubernetes+a...@discoursemail.com>
Subject: [EXTERNAL] [Kubernetes Java Client] CVE-2021-25738: Code exec via yaml parsing
 
--
You received this message because you are subscribed to the Google Groups "Kubernetes developer/contributor discussion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to kubernetes-de...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/kubernetes-dev/CALXpagyX%2BdYSWr0iYTRGS4vgtqXHtK_YKF61zE%2BPAMSfpxRg5g%40mail.gmail.com.

Brendan Burns

unread,
May 17, 2021, 3:07:45 PM5/17/21
to Tim Allclair, kubernetes-announce, Kubernetes developer/contributor discussion, kubernetes-sec...@googlegroups.com, kubernetes-security-discuss, distributo...@kubernetes.io, kubernetes+a...@discoursemail.com
(oops, I also incremented the version numbers sigh​)

The correct unaffected versions are:

> 12.0.0
> 11.0.1



From: Brendan Burns <bbu...@microsoft.com>
Sent: Monday, May 17, 2021 12:06 PM
To: Tim Allclair <timal...@gmail.com>; kubernetes-announce <kubernete...@googlegroups.com>; Kubernetes developer/contributor discussion <kuberne...@googlegroups.com>; kubernetes-sec...@googlegroups.com <kubernetes-sec...@googlegroups.com>; kubernetes-security-discuss <kubernetes-se...@googlegroups.com>; distributo...@kubernetes.io <distributo...@kubernetes.io>; kubernetes+a...@discoursemail.com <kubernetes+a...@discoursemail.com>
Subject: Re: [EXTERNAL] [Kubernetes Java Client] CVE-2021-25738: Code exec via yaml parsing
 
Reply all
Reply to author
Forward
0 new messages