CVE-2019-11255: CSI volume snapshot, cloning and resizing features can result in unauthorized volume data access or mutation #85233
Am I vulnerable?
CSI snapshot, cloning and resizing features are affected. Prior to Kubernetes 1.16, these features were all alpha and disabled by default. Starting in Kubernetes 1.16, CSI cloning and resizing features are beta and enabled by default.
These features also require CSI drivers to be installed in a Kubernetes cluster and the CSI driver also has to support those features. An unofficial list of CSI drivers and their supported features is available here, however it is best to check with the CSI driver vendor for the latest information.
Check if you have the following Kubernetes feature gates enabled:
Check if you are using CSI drivers in your cluster. If so, the following command’s output will be non-empty:
Then, check the CSI driver’s pod specifications to see if they are using the following vulnerable versions of sidecars:
An example query:
Note that the exact container image name may vary across CSI driver vendors. It is recommended to inspect the Pod specifications directly.
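The audit described in the steps above, as an added example that is not part of the advisory: a script that reads the JSON printed by `kubectl get pods --all-namespaces -o json`, picks out the provisioner, snapshotter and resizer sidecar containers by image name (loosely, because image names vary between vendors), and compares each image tag with a table of fixed releases. The `FIXED_VERSIONS` table is a placeholder and must be filled in from the advisory's list of patched sidecar versions; the pod list and registry name at the bottom are constructed sample data.

```python
"""Audit pod specs for CSI sidecar containers whose image tag predates a fix.

Added example, not from the advisory. Input is the JSON that
`kubectl get pods --all-namespaces -o json` prints. FIXED_VERSIONS is a
PLACEHOLDER: fill it in from the advisory's list of fixed sidecar versions
before relying on the result.
"""
import json
import re
import sys

# Substring of the image basename that identifies each sidecar (the advisory
# notes that exact image names vary between vendors, so match loosely).
SIDECARS = {
    "external-provisioner": "provisioner",
    "external-snapshotter": "snapshotter",
    "external-resizer": "resizer",
}

# PLACEHOLDER (assumption): one fixed release per maintained major.minor line
# of each sidecar. 99.0.0 makes every tag count as vulnerable until the real
# values from the advisory are entered.
FIXED_VERSIONS = {
    "external-provisioner": [(99, 0, 0)],
    "external-snapshotter": [(99, 0, 0)],
    "external-resizer": [(99, 0, 0)],
}

TAG_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_tag(image):
    """Split 'repo:tag' into (repo, (major, minor, patch)).

    The version is None when the tag is absent, is a digest, or is not
    semver (e.g. ':latest'); such containers cannot be judged from the spec
    and must be inspected by hand.
    """
    repo, sep, tag = image.rpartition(":")
    if not sep or "/" in tag:  # no tag; the ':' belonged to a registry port
        return image, None
    m = TAG_RE.match(tag)
    return repo, (tuple(int(g) for g in m.groups()) if m else None)


def sidecar_kind(repo):
    """Name of the sidecar an image repository refers to, or None."""
    basename = repo.rsplit("/", 1)[-1]
    for kind, needle in SIDECARS.items():
        if needle in basename:
            return kind
    return None


def is_fixed(ver, fixed_versions):
    """A tag is fixed if it is at or above the fix on its own major.minor
    line, or on a newer line than any listed fix."""
    same_line = [f for f in fixed_versions if f[:2] == ver[:2]]
    if same_line:
        return ver >= min(same_line)
    return ver[:2] > max(f[:2] for f in fixed_versions)


def find_sidecars(pod_list, fixed_versions=FIXED_VERSIONS):
    """Return (namespace, pod, container, image, status) for every sidecar
    container found; status is 'fixed', 'vulnerable' or 'unknown-version'."""
    findings = []
    for pod in pod_list.get("items", []):
        meta, spec = pod["metadata"], pod["spec"]
        for c in spec.get("containers", []) + spec.get("initContainers", []):
            repo, ver = parse_tag(c["image"])
            kind = sidecar_kind(repo)
            if kind is None:
                continue
            if ver is None:
                status = "unknown-version"
            elif is_fixed(ver, fixed_versions[kind]):
                status = "fixed"
            else:
                status = "vulnerable"
            findings.append((meta["namespace"], meta["name"], c["name"], c["image"], status))
    return findings


# Constructed sample resembling `kubectl get pods -A -o json` output.
SAMPLE_PODS = {"items": [
    {"metadata": {"namespace": "kube-system", "name": "csi-example-controller-0"},
     "spec": {"containers": [
         {"name": "csi-provisioner", "image": "registry.example/csi/csi-provisioner:v1.2.0"},
         {"name": "csi-resizer", "image": "registry.example/csi/csi-resizer:latest"},
         {"name": "plugin", "image": "registry.example/csi/exampleplugin:v1.0.0"}]}},
    {"metadata": {"namespace": "default", "name": "web"},
     "spec": {"containers": [{"name": "web", "image": "nginx:1.17"}]}},
]}

if __name__ == "__main__":
    # Usage: kubectl get pods -A -o json > pods.json && python3 audit.py pods.json
    pods = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PODS
    for ns, pod, container, image, status in find_sidecars(pods):
        print(f"{status:16} {ns}/{pod} {container} {image}")
```

Only `fixed` is safe to ignore: an `unknown-version` result (a `latest` tag or a digest) means the running image has to be identified some other way, for example from the image's own version output, before the driver can be considered patched.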
How do I mitigate the vulnerability?
As a short term mitigation, disable the
Also, to disable taking volume snapshots, either remove the external-snapshotter sidecar from any CSI drivers or revoke the CSI driver’s RBAC permissions on the
Longer term, upgrade your CSI driver with patched versions of the affected sidecars. Fixes are available in the following sidecar versions:
How do I upgrade?
Check with your CSI driver vendor for upgrade instructions. No Kubernetes control plane or node upgrades are required unless the CSI driver is bundled into the Kubernetes distribution.
There are two different vulnerabilities impacting the same features.
When PersistentVolumeClaim and PersistentVolume objects are bound, they have bidirectional references to each other. When dereferencing a PersistentVolumeClaim to get a PersistentVolume, the impacted sidecar controllers were not validating that the PersistentVolume referenced back to the same PersistentVolumeClaim, potentially operating on unauthorized PersistentVolumes for snapshot, cloning and resizing operations.
A similar issue exists for VolumeSnapshot and VolumeSnapshotContent objects when creating a new PersistentVolumeClaim from a snapshot.
The second issue is related to the property that CSI volume and snapshot ids are only required to be unique within a single CSI driver. Impacted sidecar controllers were not validating that the requested source VolumeSnapshot or PersistentVolumeClaim belonged to the same driver that was processing the request, potentially operating on unauthorized volumes during snapshot, restore from snapshot, or cloning operations.
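The two validations described above, written out as an added example (this is not the sidecars' own code): before acting on the PersistentVolume reached through a PersistentVolumeClaim, confirm that the volume's `claimRef` points back to that exact claim (name, namespace and UID) and that the volume's `spec.csi.driver` is the driver handling the request; the same pair of checks is applied to a VolumeSnapshot and its VolumeSnapshotContent. Object shapes follow the core/v1 PV/PVC API; the snapshot fields (`status.boundVolumeSnapshotContentName`, `spec.volumeSnapshotRef`, `spec.driver`) are assumed from the v1beta1 VolumeSnapshot API. The driver name, UIDs and objects at the bottom are constructed sample data.

```python
"""The two validations the advisory describes, applied before a sidecar acts
on an object it reached by dereferencing a claim or snapshot.

Added example, not the sidecar code. Object shapes follow the core/v1
PersistentVolume/PersistentVolumeClaim API; the snapshot fields are assumed
from the v1beta1 VolumeSnapshot API.
"""


class BindingError(Exception):
    """The object reached through a reference does not reference back, or
    belongs to a different CSI driver."""


def _points_back(ref, obj):
    """True if ref (name/namespace/uid) identifies obj exactly.

    The UID is required: a name and namespace are reused after an object is
    deleted and recreated, so a stale reference could pass on name alone.
    """
    meta = obj["metadata"]
    return (ref.get("name") == meta.get("name")
            and ref.get("namespace", "") == meta.get("namespace", "")
            and ref.get("uid") is not None
            and ref.get("uid") == meta.get("uid"))


def pv_for_pvc(pvc, pv, driver_name):
    """Return pv only if it is the volume bound to pvc AND is served by
    driver_name (CSI volume handles are unique per driver only)."""
    if pvc["spec"].get("volumeName") != pv["metadata"]["name"]:
        raise BindingError("claim does not name this volume")
    if not _points_back(pv["spec"].get("claimRef") or {}, pvc):
        raise BindingError("volume's claimRef does not point back to the claim")
    driver = (pv["spec"].get("csi") or {}).get("driver")
    if driver != driver_name:
        raise BindingError(f"volume belongs to {driver!r}, not {driver_name!r}")
    return pv


def content_for_snapshot(snapshot, content, driver_name):
    """Same checks for a VolumeSnapshot -> VolumeSnapshotContent pair, as used
    when a new claim is created from a snapshot."""
    bound = (snapshot.get("status") or {}).get("boundVolumeSnapshotContentName")
    if bound != content["metadata"]["name"]:
        raise BindingError("snapshot is not bound to this content")
    if not _points_back(content["spec"].get("volumeSnapshotRef") or {}, snapshot):
        raise BindingError("content's volumeSnapshotRef does not point back")
    if content["spec"].get("driver") != driver_name:
        raise BindingError("content belongs to a different driver")
    return content


def pv_ok(pvc, pv, driver_name):
    """Boolean form of pv_for_pvc, convenient for audits."""
    try:
        pv_for_pvc(pvc, pv, driver_name)
        return True
    except BindingError:
        return False


def content_ok(snapshot, content, driver_name):
    """Boolean form of content_for_snapshot."""
    try:
        content_for_snapshot(snapshot, content, driver_name)
        return True
    except BindingError:
        return False


# Constructed objects (driver name and UIDs are made up).
DRIVER = "csi.example.com"
PVC = {"metadata": {"name": "data", "namespace": "team-a", "uid": "uid-pvc-a"},
       "spec": {"volumeName": "pv-1"}}
PV = {"metadata": {"name": "pv-1"},
      "spec": {"claimRef": {"name": "data", "namespace": "team-a", "uid": "uid-pvc-a"},
               "csi": {"driver": DRIVER, "volumeHandle": "vol-1"}}}
# Same PV name, but actually bound to another namespace's claim: the case the
# advisory describes when the claim's volumeName is trusted on its own.
PV_OTHER_CLAIM = {"metadata": {"name": "pv-1"},
                  "spec": {"claimRef": {"name": "data", "namespace": "team-b", "uid": "uid-pvc-b"},
                           "csi": {"driver": DRIVER, "volumeHandle": "vol-2"}}}
# Correctly bound, but provisioned by another driver: volume ids may collide.
PV_OTHER_DRIVER = {"metadata": {"name": "pv-1"},
                   "spec": {"claimRef": {"name": "data", "namespace": "team-a", "uid": "uid-pvc-a"},
                            "csi": {"driver": "other.csi.example.com", "volumeHandle": "vol-1"}}}
SNAP = {"metadata": {"name": "snap", "namespace": "team-a", "uid": "uid-snap-a"},
        "status": {"boundVolumeSnapshotContentName": "content-1"}}
CONTENT = {"metadata": {"name": "content-1"},
           "spec": {"driver": DRIVER,
                    "volumeSnapshotRef": {"name": "snap", "namespace": "team-a", "uid": "uid-snap-a"}}}

if __name__ == "__main__":
    for label, ok in [("bound PV", pv_ok(PVC, PV, DRIVER)),
                      ("PV bound to another claim", pv_ok(PVC, PV_OTHER_CLAIM, DRIVER)),
                      ("PV from another driver", pv_ok(PVC, PV_OTHER_DRIVER, DRIVER)),
                      ("bound snapshot content", content_ok(SNAP, CONTENT, DRIVER))]:
        print(f"{label}: {'accept' if ok else 'reject'}")
```

The UID comparison is deliberate: checking only name and namespace would accept a volume whose claim was deleted and recreated under the same name, which is exactly the kind of stale back-reference the first issue is about. The driver comparison is what closes the second issue, since a volume handle is meaningful only to the driver that issued it.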
Changes:
- Update container image versions that resolve the CVE according to kubernetes/kubernetes#85233
- Update snapshotter RBAC policy
- Update resizer RBAC policy
- Update external-provisioner RBAC policy for v1.3.1 image
- Update helm charts with updated RBAC policy

ref: kubernetes-sigs#411