CVE-2023-2431: Bypass of seccomp profile enforcement #118690
Comments
This issue is currently awaiting triage. If a SIG or subproject determines this is a relevant issue, they will accept it by applying the The Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/area security
Fixes a security issue in versions < 1.26.5: kubernetes/kubernetes#118690 Signed-off-by: Tzvetomir Stoyanov (VMware) <tz.stoyanov@gmail.com>
…st profile defined
Description:
* "Returns an error when a Pod or Container's SecurityContext has a localhost seccomp type but an empty localhostProfile field" (PR description)
Upstream PR, Issue, KEP, etc. links:
* PR: kubernetes#117118
* Commit: 73174f8
* Issue: kubernetes#118690
If this patch is based on an upstream commit, how (if at all) do this patch and the upstream source differ?
* The cherry-pick is from 1.24, so there could be some minor differences.
If this patch's changes have not been added by upstream, why not?
* N/A
Other patches related to this patch:
* None
Changes made to this patch after its initial creation and reasons for these changes:
* None
Kubernetes version this patch can be dropped:
* This patch is not needed in >= 1.24, as it has been added by upstream.
Hello @SaranBalaji90, Does this bug affect k8s.io/kubernetes or k8s.io/kubelet? I see the description in this issue explicitly states kubelet is affected, but the remedy provided looks like Kubernetes versioning. Is upgrading k8s.io/kubernetes sufficient to remedy this?
Hello @SaranBalaji90, if an application does not use kubernetes but uses kubelet, is remediation required? i.e. The remediation version seems to be for k8s.io/kubernetes, is any upgrade required in k8s.io/kubelet?
Hello @SaranBalaji90, would like to confirm if Kubernetes 1.23 is impacted by this CVE or not?
What happened?
A security issue was discovered in Kubelet that allows pods to bypass the seccomp profile enforcement. This issue has been rated LOW (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N) (score: 3.4).
If you have pods in your cluster that use localhost type for seccomp profile but specify an empty profile field, then you are affected by this issue. In this scenario, this vulnerability allows the pod to run in “unconfined” (seccomp disabled) mode. This bug affects Kubelet.
How can we reproduce it (as minimally and precisely as possible)?
This can be reproduced by creating a pod with the following sample seccomp Localhost profile -
https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#seccompprofile-v1-core
Kubernetes version
Affected Versions
v1.27.0 - v1.27.1
v1.26.0 - v1.26.4
v1.25.0 - v1.25.9
<= v1.24.13
Fixed Versions
v1.27.2
v1.26.5
v1.25.10
v1.24.14
Anything else we need to know?
How do I remediate this vulnerability?
To remediate this vulnerability you should upgrade your Kubelet to one of the below mentioned versions.
Acknowledgements
This vulnerability was reported by Tim Allclair, and fixed by Craig Ingram.
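An added example, not part of the original issue or of the Kubernetes code base: a check that flags pod specs matching the condition described above (seccomp type `Localhost` with an empty `localhostProfile`) and tests a kubelet version against the ranges listed in the issue. It assumes the input is PodList JSON such as `kubectl get pods -A -o json` produces; the function names and the sample pods are constructed for illustration.

```python
import json

# Fixed kubelet patch level per minor release, from the issue's "Fixed Versions".
FIXED_PATCH = {(1, 27): 2, (1, 26): 5, (1, 25): 10, (1, 24): 14}

def kubelet_affected(version):
    """True if a kubelet version such as 'v1.26.4' is in a range the issue lists as affected."""
    core = version.lstrip("vV").split("-")[0].split("+")[0]
    major, minor, patch = (int(p) for p in core.split(".")[:3])
    if (major, minor) < (1, 24):
        return True  # the issue lists everything <= v1.24.13 as affected
    fixed = FIXED_PATCH.get((major, minor))
    return fixed is not None and patch < fixed  # minors above 1.27 are not listed

def empty_localhost_profiles(pod):
    """Yield (scope, name) for every securityContext with type Localhost and no profile path."""
    spec = pod.get("spec", {})
    scopes = [("pod", pod["metadata"]["name"], spec)]
    for field in ("initContainers", "containers", "ephemeralContainers"):
        scopes += [(field, c["name"], c) for c in spec.get(field) or []]
    for scope, name, obj in scopes:
        profile = (obj.get("securityContext") or {}).get("seccompProfile") or {}
        # An absent localhostProfile is flagged like an empty one (conservative choice).
        if profile.get("type") == "Localhost" and not profile.get("localhostProfile"):
            yield scope, name

def scan(pod_list_json):
    """Return (namespace, pod, scope, name) findings from a PodList JSON document."""
    findings = []
    for pod in json.loads(pod_list_json).get("items", []):
        meta = pod["metadata"]
        findings += [(meta.get("namespace", "default"), meta["name"], scope, name)
                     for scope, name in empty_localhost_profiles(pod)]
    return findings

# Constructed sample input (not from the issue): two offending specs, one clean pod.
SAMPLE = json.dumps({"items": [
    {"metadata": {"namespace": "demo", "name": "bad-pod"},
     "spec": {"securityContext": {"seccompProfile": {"type": "Localhost", "localhostProfile": ""}},
              "containers": [{"name": "app"}]}},
    {"metadata": {"namespace": "demo", "name": "bad-ctr"},
     "spec": {"containers": [
         {"name": "web", "securityContext": {"seccompProfile": {"type": "Localhost"}}},
         {"name": "ok", "securityContext": {"seccompProfile": {
             "type": "Localhost", "localhostProfile": "profiles/audit.json"}}}]}},
    {"metadata": {"namespace": "demo", "name": "fine"},
     "spec": {"securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
              "containers": [{"name": "c"}]}}]})

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print("empty Localhost seccomp profile:", finding)
```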