kubevirt/cdi-importer: improper TLS certificate validation #678

Closed
aglitke opened this issue Feb 26, 2019 · 2 comments

Comments

@aglitke
Member

aglitke commented Feb 26, 2019

A flaw was identified in the Containerized Data Importer. In Containerized Data Importer versions from 1.4.0 through 1.5.3, the import from registry feature disabled TLS certificate verification when communicating with container registries. An attacker could use this flaw to impersonate a trusted container registry. All users should upgrade to CDI version 1.5.4 or later.

Affected Components

  • CDI importer container image (kubevirt/cdi-importer)

Affected Versions

  • CDI v1.4.0-v1.4.2
  • CDI v1.5.0-v1.5.3

Users of Red Hat Container Native Virtualization are unaffected.

Vulnerability Impact

  • Unless explicitly disabled, communication with container registries is expected to be secured with SSL and TLS. In CDI versions affected by this flaw, TLS certificate verification is disabled for all connections to container registries. As a result, content may be imported into a PVC from an inauthentic server.

Mitigations

  • The vulnerability can only be triggered by an authenticated Kubernetes user who is authorized to create PVCs. To mitigate, do not create PVCs with the annotation cdi.kubevirt.io/storage.import.source: "registry" and do not create DataVolumes that use the "registry" source.

Detection

To identify if your CDI deployment is affected perform the following steps:

  • Initiate an import from registry using either a DataVolume or a PVC without requesting an insecure connection
  • Locate the importer pod in the namespace where the PVC or DataVolume was created
  • Look for a message similar to the following in the logs:
    I0221 09:50:43.382518 1 prlimit.go:107] ExecWithLimits skopeo, [copy docker://<image> dir:/data/data_tmp --src-tls-verify=false]
  • The presence of the parameter --src-tls-verify=false indicates a vulnerable CDI deployment
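The Mitigations and Detection sections above both come down to two checks an operator can script: find the PVCs and DataVolumes that would trigger a registry import, and read an importer pod's log for the skopeo invocation carrying --src-tls-verify=false. The following is an added example, not code from the CDI project or from the advisory's author. It assumes the JSON shape that `kubectl get pvc,datavolumes --all-namespaces -o json` prints (a List whose items carry their own kind) and the text that `kubectl logs -n <namespace> <importer-pod>` returns; the DataVolume field name spec.source.registry is taken from the DataVolume API and should be checked against your CDI version. The PVC, DataVolume and log samples at the bottom are constructed so the script runs offline.

```python
"""Offline helpers for the advisory's mitigation and detection steps.

Added example, not CDI project code. Inputs are the JSON that
`kubectl get ... -o json` prints and the text of `kubectl logs` for an
importer pod; the samples at the bottom are constructed so this runs offline.
"""
import json
import re

# Annotation the advisory names as the PVC-side trigger of a registry import.
SOURCE_ANNOTATION = "cdi.kubevirt.io/storage.import.source"

# Matches the ExecWithLimits line quoted in the Detection section and captures
# the bracketed argument list that Go prints for the skopeo argv slice.
SKOPEO_EXEC_RE = re.compile(r"ExecWithLimits skopeo, \[(.*)\]")


def find_registry_imports(list_json):
    """Return (kind, namespace, name) for every object that would trigger a
    registry import: PVCs carrying the registry annotation and DataVolumes
    whose spec.source has a "registry" entry (field name assumed from the
    DataVolume API; check it against your CDI version)."""
    hits = []
    for obj in json.loads(list_json).get("items", []):
        kind = obj.get("kind")
        meta = obj.get("metadata", {})
        ident = (kind, meta.get("namespace"), meta.get("name"))
        if kind == "PersistentVolumeClaim":
            if meta.get("annotations", {}).get(SOURCE_ANNOTATION) == "registry":
                hits.append(ident)
        elif kind == "DataVolume":
            if "registry" in obj.get("spec", {}).get("source", {}):
                hits.append(ident)
    return hits


def skopeo_invocations(log_text):
    """Extract the argv of every skopeo call the importer logged."""
    argvs = []
    for line in log_text.splitlines():
        m = SKOPEO_EXEC_RE.search(line)
        if m:
            argvs.append(["skopeo"] + m.group(1).split())
    return argvs


def importer_log_is_vulnerable(log_text):
    """True when any logged skopeo copy ran with --src-tls-verify=false.

    The advisory's indicator is the flag being present on an import for which
    no insecure connection was requested, so feed this the log of an import
    you did not mark insecure."""
    return any("--src-tls-verify=false" in argv
               for argv in skopeo_invocations(log_text))


# Constructed sample of `kubectl get pvc,datavolumes -o json` output: one PVC
# with the registry annotation, one unrelated PVC, one registry DataVolume.
SAMPLE_OBJECTS = json.dumps({"kind": "List", "items": [
    {"kind": "PersistentVolumeClaim",
     "metadata": {"namespace": "default", "name": "fedora-pvc",
                  "annotations": {SOURCE_ANNOTATION: "registry"}}},
    {"kind": "PersistentVolumeClaim",
     "metadata": {"namespace": "default", "name": "scratch-pvc"}},
    {"kind": "DataVolume",
     "metadata": {"namespace": "vms", "name": "cirros-dv"},
     "spec": {"source": {"registry": {"url": "docker://registry.example/cirros:latest"}}}},
]})

# Constructed importer logs modelled on the line the advisory quotes: one from
# an affected build (flag present) and one where the flag is absent.
VULNERABLE_LOG = (
    "I0221 09:50:43.382518 1 prlimit.go:107] ExecWithLimits skopeo, "
    "[copy docker://registry.example/fedora:latest dir:/data/data_tmp "
    "--src-tls-verify=false]\n"
)
FIXED_LOG = (
    "I0301 11:02:10.117420 1 prlimit.go:107] ExecWithLimits skopeo, "
    "[copy docker://registry.example/fedora:latest dir:/data/data_tmp]\n"
)

if __name__ == "__main__":
    for kind, ns, name in find_registry_imports(SAMPLE_OBJECTS):
        print("registry import found: %s %s/%s" % (kind, ns, name))
    for label, log in (("affected", VULNERABLE_LOG), ("fixed", FIXED_LOG)):
        verdict = "VULNERABLE" if importer_log_is_vulnerable(log) else "ok"
        print("%s importer log: %s" % (label, verdict))
```

Two caveats when running this against a real cluster. The log check cannot tell a deliberately insecure import from the bug, so use it on an import for which no insecure connection was requested, exactly as the Detection steps say. And the flag being absent on one fixed-looking line is not proof of a patched deployment; the version ranges in the advisory remain the authoritative check, with the log reading serving as confirmation.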
@aglitke
Member Author

aglitke commented Feb 26, 2019

Fixed by #661 and #662.

@aglitke aglitke closed this as completed Feb 26, 2019
@aglitke aglitke changed the title from "Registry imports disable TLS" to "kubevirt/cdi-importer: improper TLS certificate validation" Feb 26, 2019
@csirac2

csirac2 commented Mar 1, 2019

Apologies for the delay, this vulnerability has been assigned CVE-2019-3841
