CVE-2021-25749: runAsNonRoot logic bypass for Windows containers
#112192
Labels
area/kubelet
area/security
committee/security-response
Denotes an issue or PR intended to be handled by the product security committee.
kind/bug
Categorizes issue or PR as related to a bug.
needs-triage
Indicates an issue or PR lacks a `triage/foo` label and requires one.
official-cve-feed
Issues or PRs related to CVEs officially announced by Security Response Committee (SRC)
sig/node
Categorizes an issue or PR as relevant to SIG Node.
sig/windows
Categorizes an issue or PR as relevant to SIG Windows.
A security issue was discovered in Kubernetes that could allow Windows workloads to run as
ContainerAdministratoreven when those workloads set therunAsNonRootoption totrue.This issue has been rated low and assigned CVE-2021-25749
Am I vulnerable?
All Kubernetes clusters with following versions, running Windows workloads with
runAsNonRootare impactedAffected Versions
How do I mitigate this vulnerability?
There are no known mitigations to this vulnerability.
Fixed Versions
To upgrade, refer to this documentation For core Kubernetes: https://kubernetes.io/docs/tasks/administer-cluster/cluster-upgrade/
Detection
Kubernetes Audit logs may indicate if the user name was misspelled to bypass the restriction placed on which user is a pod allowed to run as.
If you find evidence that this vulnerability has been exploited, please contact security@kubernetes.io
Additional Details
See the GitHub issue for more details: #112192
Acknowledgements
This vulnerability was reported and fixed by Mark Rosetti (@marosset)
The text was updated successfully, but these errors were encountered: