Skip to content

Commit

Permalink
CHANGELOG and README about Config verify_ssl vulnerability
Browse files Browse the repository at this point in the history
  • Loading branch information
@cben
cben committed Mar 23, 2022
1 parent aa36e89 commit e4cb727
Show file tree
Hide file tree
Showing 2 changed files with 32 additions and 1 deletion.
26 changes: 25 additions & 1 deletion CHANGELOG.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -4,10 +4,31 @@ Notable changes to this project will be documented in this file.
The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/).
Kubeclient release versioning follows [SemVer](https://semver.org/).

## Unreleased 4.9.z
## 4.9.3 — 2021-03-23

### Fixed

- VULNERABILITY FIX: Previously, whenever kubeconfig did not define custom CA
(normal situation for production clusters with public domain and certificate!),
`Config` was returning ssl_options[:verify_ssl] hard-coded to `VERIFY_NONE` :-(

Assuming you passed those ssl_options to Kubeclient::Client, this means that
instead of checking server's certificate against your system CA store,
it would accept ANY certificate, allowing easy man-in-the middle attacks.

This is especially dangerous with user/password or token credentials
because MITM attacker could simply steal those credentials to the cluster
and do anything you could do on the cluster.

This was broken IN ALL RELEASES MADE BEFORE 2022, ever since
[`Kubeclient::Config` was created](https://github.com/ManageIQ/kubeclient/pull/127/files#diff-32e70f2f6781a9e9c7b83ae5e7eaf5ffd068a05649077fa38f6789e72f3de837R41-R48).

- Bug fix: kubeconfig `insecure-skip-tls-verify` field was ignored.
When kubeconfig did define custom CA, `Config` was returning hard-coded `VERIFY_PEER`.

Now we honor it, return `VERIFY_NONE` iff kubeconfig has explicit
`insecure-skip-tls-verify: true`, otherwise `VERIFY_PEER`.

- `Config`: fixed parsing of `certificate-authority` file containing concatenation of
several certificates. Previously, server's cert was checked against only first CA cert,
resulting in possible "certificate verify failed" errors.
Expand All @@ -19,6 +40,9 @@ Kubeclient release versioning follows [SemVer](https://semver.org/).
- Still broken (#460): inline `certificate-authority-data` is still parsed using `add_cert`
method that handles only one cert.

These don't affect code that supplies `Client` parameters directly,
only code that uses `Config`.

## 4.9.2 — 2021-05-30

### Added
Expand Down
7 changes: 7 additions & 0 deletions README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,13 @@ The client supports GET, POST, PUT, DELETE on all the entities available in kube
The client currently supports Kubernetes REST api version v1.
To learn more about groups and versions in kubernetes refer to [k8s docs](https://kubernetes.io/docs/api/)

## VULNERABILITY❗

If you use `Kubeclient::Config`, all gem versions released before 2022 could return incorrect `ssl_options[:verify_ssl]`,
endangering your connection and cluster credentials.
See [latest CHANGELOG.md](https://github.com/ManageIQ/kubeclient/blob/master/CHANGELOG.md) for details and which versions got a fix.
Open an issue if you want a backport to another version.

## Installation

Add this line to your application's Gemfile:
Expand Down

0 comments on commit e4cb727

Please sign in to comment.