Velero v1.4.3 and v1.5.2 released fixing [CVE-2020-3996] Restored PersistentVolumes may be bound to wrong PersistentVolumeClaims


Nolan Brubaker

Oct 21, 2020, 1:01:03 PM
to Project Velero
Hello all,

A vulnerability in Velero was found that could result in a PersistentVolume being bound to the wrong PersistentVolumeClaim at restore time. Details about this issue can be found at our security advisory for CVE-2020-3996.

Updated versions of Velero fixing this vulnerability are now available at

Docker images are available at

We urge all Velero users to upgrade as soon as possible to mitigate the effects of this race condition and ensure the integrity of their data.

Additionally, both v1.4.3 and v1.5.2 fix an issue with restoring CustomResourceDefinitions (thank you to Scott Seago of Red Hat for providing the fix) and v1.5.2 provides a fix for initializing ObjectStore plugins too often (thank you to Antony Bett of Dell EMC).

Full changelogs can be found below:

Special thanks to Arianit Uka for reporting the security issue and working with us to reproduce and understand it.

Thank you,
Nolan and the Velero team

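Two checks a practitioner would want after reading the announcement above, as an added example that is not part of the original post and not Velero project code: a post-restore audit that every Bound PersistentVolumeClaim and the PersistentVolume it names point at each other (the symptom the advisory describes is a PV ending up with the wrong claim), and a version test that encodes the fixed releases named in the message (1.4.3 and 1.5.2). The script reads the JSON shape produced by `kubectl get pv -o json` and `kubectl get pvc -A -o json`; the file-argument convention and the `SAMPLE_PVS` / `SAMPLE_PVCS` objects are assumptions constructed for illustration, not output from a real cluster, and treating every release older than 1.4.3 as unpatched is this script's reading of the advisory rather than a statement the post makes.

```python
"""Post-restore PV/PVC binding audit and Velero version check for CVE-2020-3996.

Added example, not Velero project code. check_bindings() consumes the
structures that `kubectl get pv -o json` and `kubectl get pvc -A -o json`
produce and reports every Bound PVC whose PV does not point back at it, every
PV claimed by more than one Bound PVC, and every PVC bound to a PV that does
not exist. velero_is_patched() encodes the fixed versions named in the
announcement (1.4.3 on the 1.4 line, 1.5.2 and later otherwise).
SAMPLE_PVS / SAMPLE_PVCS are constructed objects, not real cluster output.
"""
import json
import sys
from collections import defaultdict
from typing import Dict, List, Tuple


def _pv(name: str, claim_ns: str, claim_name: str) -> dict:
    # Minimal PV object; only the fields the check reads are populated.
    return {"metadata": {"name": name},
            "spec": {"claimRef": {"namespace": claim_ns, "name": claim_name}}}


def _pvc(ns: str, name: str, phase: str, volume: str = None) -> dict:
    obj = {"metadata": {"namespace": ns, "name": name},
           "status": {"phase": phase}, "spec": {}}
    if volume:
        obj["spec"]["volumeName"] = volume
    return obj


# Constructed sample: one healthy pair, one PV that two claims point at (its
# claimRef only acknowledges one of them), one claim bound to a PV that was
# never restored, and one Pending claim that carries no binding to verify.
SAMPLE_PVS = {"items": [_pv("pv-good", "team-a", "data"),
                        _pv("pv-swapped", "team-b", "data")]}
SAMPLE_PVCS = {"items": [_pvc("team-a", "data", "Bound", "pv-good"),
                         _pvc("team-a", "cache", "Bound", "pv-swapped"),
                         _pvc("team-b", "data", "Bound", "pv-swapped"),
                         _pvc("team-b", "stale", "Bound", "pv-missing"),
                         _pvc("team-b", "logs", "Pending")]}


def check_bindings(pv_list: dict, pvc_list: dict) -> List[str]:
    """Return one finding per inconsistency; an empty list means every binding is mutual."""
    pvs: Dict[str, dict] = {pv["metadata"]["name"]: pv for pv in pv_list["items"]}
    claimants: Dict[str, List[str]] = defaultdict(list)
    findings: List[str] = []
    for pvc in pvc_list["items"]:
        key = f'{pvc["metadata"]["namespace"]}/{pvc["metadata"]["name"]}'
        if pvc.get("status", {}).get("phase") != "Bound":
            continue  # Pending/Lost claims have no PV to cross-check
        vol = pvc.get("spec", {}).get("volumeName")
        claimants[vol].append(key)
        pv = pvs.get(vol)
        if pv is None:
            findings.append(f"{key}: bound to PV {vol!r}, which does not exist")
            continue
        ref = pv.get("spec", {}).get("claimRef") or {}
        back = f'{ref.get("namespace")}/{ref.get("name")}'
        if back != key:
            findings.append(f"{key}: bound to PV {vol}, but that PV's claimRef is {back}")
    for vol, keys in claimants.items():
        if len(keys) > 1:  # the same PV cannot legitimately serve two Bound claims
            findings.append(f"PV {vol} is claimed by {len(keys)} Bound PVCs: {', '.join(keys)}")
    return findings


def parse_version(version: str) -> Tuple[int, ...]:
    """'v1.5.1' -> (1, 5, 1); a pre-release suffix such as '-rc.1' is dropped here."""
    core = version.lstrip("v").split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def velero_is_patched(version: str) -> bool:
    """True when the version carries the fix: 1.4.3+ on the 1.4 line, or 1.5.2 and later.
    Pre-release builds are reported unpatched rather than assumed safe (assumption)."""
    if "-" in version:
        return False
    v = parse_version(version)
    if v[:2] == (1, 4):
        return v >= (1, 4, 3)
    return v >= (1, 5, 2)


def main(argv: List[str]) -> int:
    if len(argv) == 3:  # assumed convention: check_bindings.py pv.json pvc.json
        with open(argv[1]) as f_pv, open(argv[2]) as f_pvc:
            pv_list, pvc_list = json.load(f_pv), json.load(f_pvc)
    else:
        pv_list, pvc_list = SAMPLE_PVS, SAMPLE_PVCS
    findings = check_bindings(pv_list, pvc_list)
    for line in findings:
        print(line)
    print("binding check:", "FAIL" if findings else "OK")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against a live cluster with `kubectl get pv -o json > pv.json`, `kubectl get pvc -A -o json > pvc.json`, then `python3 check_bindings.py pv.json pvc.json`; a non-zero exit means at least one claim is not mutually bound and the restored data behind it should be treated as suspect until the binding is resolved.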