CVE-2020-8555: Half-Blind SSRF in kube-controller-manager #91542
Labels
area/controller-manager
area/security
committee/security-response
Denotes an issue or PR intended to be handled by the product security committee.
kind/bug
Categorizes issue or PR as related to a bug.
official-cve-feed
Issues or PRs related to CVEs officially announced by Security Response Committee (SRC)
sig/storage
Categorizes an issue or PR as relevant to SIG Storage.
CVSS Rating: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
There exists a Server Side Request Forgery (SSRF) vulnerability in kube-controller-manager that allows certain authorized users to leak up to 500 bytes of arbitrary information from unprotected endpoints within the master's host network (such as link-local or loopback services).
An attacker with permissions to create a pod with certain built-in Volume types (GlusterFS, Quobyte, StorageOS, ScaleIO) or permissions to create a StorageClass can cause kube-controller-manager to make GET requests or POST requests without an attacker controlled request body from the master's host network.
Am I vulnerable?
You may be vulnerable if:
Affected Versions
The affected volume types are: GlusterFS, Quobyte, StorageOS, ScaleIO
How do I mitigate this vulnerability?
Prior to upgrading, this vulnerability can be mitigated by adding endpoint protections on the master or restricting usage of the vulnerable volume types (for example by constraining usage with a PodSecurityPolicy or third-party admission controller such as Gatekeeper) and restricting StorageClass write permissions through RBAC.
Fixed Versions
The information leak was patched in the following versions:
To upgrade, refer to the documentation: https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster
Additional Details
Exploitation of this vulnerability causes the kube-controller-manager to make a request to a user-supplied, unvalidated URL. The request does not include any kube-controller-manager client credentials.
Acknowledgements
This vulnerability was reported by Brice Augras from Groupe-Asten and Christophe Hauquiert from Nokia.
/area security
/kind bug
/committee product-security
/sig storage
/area controller-manager
The text was updated successfully, but these errors were encountered: