CVE-2021-25735: Validating Admission Webhook does not observe some previous fields #100096

Closed
cjcullen opened this issue Mar 10, 2021 · 6 comments
Labels
area/security committee/security-response Denotes an issue or PR intended to be handled by the product security committee. kind/bug Categorizes issue or PR as related to a bug. official-cve-feed Issues or PRs related to CVEs officially announced by Security Response Committee (SRC) sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. triage/accepted Indicates an issue or PR is ready to be actively worked on.

Comments

@cjcullen
Member

cjcullen commented Mar 10, 2021

A security issue was discovered in kube-apiserver that could allow node updates to bypass a Validating Admission Webhook. You are only affected by this vulnerability if you run a Validating Admission Webhook for Nodes that denies admission based at least partially on the old state of the Node object.

This issue has been rated Medium (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H), and assigned CVE-2021-25735.

Note: This only impacts validating admission plugins that rely on old values in certain fields, and does not impact calls from kubelets that go through the built-in NodeRestriction admission plugin.

Affected Versions

  • kube-apiserver v1.20.0 - v1.20.5
  • kube-apiserver v1.19.0 - v1.19.9
  • kube-apiserver <= v1.18.17

Fixed Versions

This issue is fixed in the following versions:

Detection

If you find evidence that this vulnerability has been exploited, please contact security@kubernetes.io

Acknowledgements

This vulnerability was reported by Rogerio Bastos & Ari Lima from RedHat
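
An added triage example (not part of the original advisory or of the Kubernetes code base): it checks a kube-apiserver version against the affected ranges listed above and flags validating webhooks whose rules match Node updates, so their deny logic can be reviewed by hand for reliance on the old Node state. The function names and the sample webhook configuration are constructed for illustration, and vendor builds with backported fixes are not accounted for.

```python
import re

# Affected kube-apiserver ranges from the advisory: minor -> highest affected patch.
AFFECTED = {20: 5, 19: 9}   # v1.20.0 - v1.20.5, v1.19.0 - v1.19.9
OLDEST = (18, 17)           # <= v1.18.17

def is_affected_version(git_version):
    """True if a version such as 'v1.19.4' falls in a range listed as affected."""
    m = re.match(r"v?1\.(\d+)\.(\d+)", git_version)
    if not m:
        raise ValueError(f"unrecognised version: {git_version!r}")
    minor, patch = int(m.group(1)), int(m.group(2))
    if minor in AFFECTED:
        return patch <= AFFECTED[minor]
    return (minor, patch) <= OLDEST

def node_update_webhooks(config_list):
    """(configuration, webhook) names whose rules match UPDATE on core Nodes."""
    hits = []
    for cfg in config_list.get("items", []):
        for hook in cfg.get("webhooks", []):
            for rule in hook.get("rules", []):
                if (set(rule.get("apiGroups", [])) & {"", "*"}
                        and set(rule.get("resources", [])) & {"nodes", "*", "*/*"}
                        and set(rule.get("operations", [])) & {"UPDATE", "*"}
                        and rule.get("scope", "*") != "Namespaced"):  # Nodes are cluster-scoped
                    hits.append((cfg["metadata"]["name"], hook["name"]))
                    break  # one matching rule is enough to flag this webhook
    return hits

def triage(git_version, config_list):
    """Webhooks to review by hand: does their deny logic read the old Node (oldObject)?"""
    return node_update_webhooks(config_list) if is_affected_version(git_version) else []

# Constructed sample in the shape of `kubectl get validatingwebhookconfigurations -o json`.
SAMPLE = {"items": [
    {"metadata": {"name": "node-label-guard"},
     "webhooks": [{"name": "nodes.guard.example.com",
                   "rules": [{"apiGroups": [""], "apiVersions": ["v1"], "scope": "Cluster",
                              "operations": ["CREATE", "UPDATE"], "resources": ["nodes"]}]}]},
    {"metadata": {"name": "pod-policy"},
     "webhooks": [{"name": "pods.policy.example.com",
                   "rules": [{"apiGroups": [""], "apiVersions": ["v1"], "scope": "Namespaced",
                              "operations": ["CREATE"], "resources": ["pods"]}]}]},
]}

if __name__ == "__main__":
    for cfg, hook in triage("v1.19.4", SAMPLE):
        print(f"review {cfg}/{hook}: node UPDATE rule on an affected kube-apiserver")
```

A flagged webhook is only a candidate: the rule match shows it sees Node updates, not that its decision depends on the previous field values.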

@cjcullen cjcullen added the kind/bug Categorizes issue or PR as related to a bug. label Mar 10, 2021
@k8s-ci-robot k8s-ci-robot added needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Mar 10, 2021
@k8s-ci-robot
Contributor

@cjcullen: This issue is currently awaiting triage.

If a SIG or subproject determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@tallclair tallclair changed the title [Reserved] CVE-2021-25735: Validating Admission Webhook does not observe some previous fields Apr 14, 2021
@tallclair tallclair added area/security committee/security-response Denotes an issue or PR intended to be handled by the product security committee. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. labels Apr 14, 2021
@k8s-ci-robot k8s-ci-robot removed the needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. label Apr 14, 2021
@tallclair tallclair added triage/accepted Indicates an issue or PR is ready to be actively worked on. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Apr 14, 2021
@denisse-dev

Hi, do you know if this vulnerability can be exploited remotely?

@tallclair
Member

@da-edra Anyone authorized to update or patch nodes can potentially exploit this. So yes, it can be exploited remotely with proper authorization.

@denisse-dev

@tallclair thanks. :)

@acyberrain

@tallclair Found this: https://sysdig.com/blog/cve-2021-25735-kubernetes-admission-bypass/
Is this actually bypassing the authorization, or does it still need to have some privileged access?

@PushkarJ
Member

PushkarJ commented Dec 2, 2021

/label official-cve-feed

(Related to kubernetes/sig-security#1)
