CVE-2020-8566: Ceph RBD adminSecrets exposed in logs when loglevel >= 4 #95624
Labels
area/security
committee/security-response
kind/bug
needs-triage
official-cve-feed
CVSS Rating: 4.7 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N (Medium)
In Kubernetes clusters that use Ceph RBD as a storage provisioner, running kube-controller-manager with a log level (--v) of 4 or higher causes the Ceph RBD admin secret to be written to its log. The secret is logged while kube-controller-manager provisions PersistentVolumes for Ceph RBD PersistentVolumeClaims, so anyone who can read the controller-manager log can recover the Ceph admin credential.
Am I vulnerable?
You are vulnerable if you run an affected version, Ceph RBD volumes are provisioned in the cluster (a StorageClass with provisioner kubernetes.io/rbd), and kube-controller-manager runs with --v=4 or higher.
Affected Versions
kubernetes v1.19.0 - v1.19.2
kubernetes v1.18.0 - v1.18.9
kubernetes v1.17.0 - v1.17.12
How do I mitigate this vulnerability?
Do not run kube-controller-manager with verbose logging (--v=4 or higher) in production, and restrict access to its logs. If it has already run at that level while provisioning Ceph RBD volumes, assume the Ceph admin key has been exposed: rotate it, and purge or restrict access to the logs that may contain it.
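The following triage script is an added example, not part of this advisory or of Kubernetes itself. It combines the three conditions above (affected version, kube-controller-manager verbosity, and a Ceph RBD StorageClass) into one verdict. It works on the JSON that `kubectl get pod -n kube-system <kube-controller-manager pod> -o json` and `kubectl get storageclass -o json` return; the sample pod and StorageClass objects embedded below are constructed for the example, while the field names (spec.containers[].command, provisioner, adminSecretName) are real Kubernetes API fields. The version ranges are taken from this advisory; minors it does not list are reported as unknown rather than safe.

```python
"""Triage helper for CVE-2020-8566: does this cluster log the Ceph RBD admin secret?

Added example, not code from the advisory or from Kubernetes. Sample inputs are
constructed; they mimic the shape of `kubectl get ... -o json` output.
"""
import re

# Affected patch ranges from the advisory: minor -> (first affected, last affected).
AFFECTED = {17: (0, 12), 18: (0, 9), 19: (0, 2)}
RBD_PROVISIONER = "kubernetes.io/rbd"  # the in-tree Ceph RBD provisioner name
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def version_affected(version):
    """True inside an affected range, False for the fixed patches of those
    minors, None when the advisory says nothing about this minor."""
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    if major != 1 or minor not in AFFECTED:
        return None
    lo, hi = AFFECTED[minor]
    return lo <= patch <= hi


def verbosity(args):
    """klog verbosity from a command line: accepts --v=N, --v N, -v=N, -v N.
    Defaults to 0 when the flag is absent; the last occurrence wins."""
    level = 0
    i = 0
    while i < len(args):
        m = re.match(r"^--?v(?:=(\d+))?$", args[i])
        if m:
            if m.group(1) is not None:
                level = int(m.group(1))
            elif i + 1 < len(args) and args[i + 1].isdigit():
                level = int(args[i + 1])
                i += 1
        i += 1
    return level


def container_args(pod):
    """Flatten command + args of every container in a pod object."""
    out = []
    for c in pod["spec"]["containers"]:
        out += c.get("command", []) + c.get("args", [])
    return out


def rbd_storageclasses(storageclasses):
    """Names of StorageClasses that use the in-tree Ceph RBD provisioner."""
    return [sc["metadata"]["name"] for sc in storageclasses
            if sc.get("provisioner") == RBD_PROVISIONER]


def assess(version, kcm_pod, storageclasses):
    """Verdict plus the evidence behind it; secret_may_be_logged is True only
    when all three of the advisory's conditions hold."""
    ver = version_affected(version)
    v = verbosity(container_args(kcm_pod))
    rbd = rbd_storageclasses(storageclasses)
    return {
        "version_affected": ver,
        "verbosity": v,
        "rbd_storageclasses": rbd,
        "secret_may_be_logged": bool(ver) and v >= 4 and bool(rbd),
    }


# Constructed sample inputs (not captured from a real cluster).
SAMPLE_KCM_POD = {
    "metadata": {"name": "kube-controller-manager-cp-0", "namespace": "kube-system"},
    "spec": {"containers": [{
        "name": "kube-controller-manager",
        "command": ["kube-controller-manager", "--bind-address=127.0.0.1",
                    "--leader-elect=true", "--v=4"],
    }]},
}
SAMPLE_STORAGECLASSES = [
    {"metadata": {"name": "ceph-rbd"}, "provisioner": RBD_PROVISIONER,
     "parameters": {"adminId": "admin", "adminSecretName": "ceph-admin-secret",
                    "adminSecretNamespace": "kube-system"}},
    {"metadata": {"name": "standard"}, "provisioner": "kubernetes.io/gce-pd"},
]

if __name__ == "__main__":
    print(assess("v1.18.9", SAMPLE_KCM_POD, SAMPLE_STORAGECLASSES))
```

With the sample inputs the verdict is positive: v1.18.9 is in the affected range, the controller-manager runs at --v=4, and a kubernetes.io/rbd StorageClass exists. A cluster on v1.18.10 with the same pod and StorageClasses is reported as not exposed, because the fix removes the logging regardless of verbosity. A clean verdict says nothing about logs already collected while the vulnerable combination was in place.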
Fixed Versions
v1.19.3
v1.18.10
v1.17.13
To upgrade, refer to the documentation: https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster
Acknowledgements
This vulnerability was reported by: Kaizhe Huang (derek0405)
/area security
/kind bug
/committee product-security