A flaw was identified in the Containerized Data Importer. In Containerized Data Importer versions from 1.4.0 through 1.5.3, the import from registry feature disabled TLS certificate verification when communicating with container registries. An attacker could use this flaw to impersonate a trusted container registry. All users should upgrade to CDI version 1.5.4 or later.
Users of Red Hat Container Native Virtualization are unaffected.
Vulnerability Impact
Unless explicitly disabled, communication with container registries is expected to be protected by TLS with certificate verification. In CDI versions affected by this flaw, TLS certificate verification is disabled for all connections to container registries, so any party able to redirect or intercept the connection can present itself as the registry. As a result, content may be imported into a PVC from an inauthentic server.
Mitigations
The vulnerability can only be triggered by an authenticated Kubernetes user who is authorized to create PVCs. To mitigate, do not create PVCs carrying the annotation cdi.kubevirt.io/storage.import.source: registry, and do not create DataVolumes that use the "registry" source.
Detection
To identify if your CDI deployment is affected, perform the following steps:
1. Initiate an import from a registry using either a DataVolume or a PVC, without requesting an insecure connection.
2. Locate the importer pod in the namespace where the PVC or DataVolume was created.
3. Look for a message similar to the following in the importer pod's logs: I0221 09:50:43.382518 1 prlimit.go:107] ExecWithLimits skopeo, [copy docker://<image> dir:/data/data_tmp --src-tls-verify=false]
4. The presence of the parameter --src-tls-verify=false in the skopeo arguments, even though no insecure connection was requested, indicates a vulnerable CDI deployment.
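The following is an added example, not part of this advisory or of the CDI project's code. It turns the detection steps above and the mitigation's "do not create registry imports" rule into checks an operator can run offline: a version-range test for the affected releases, a manifest check for PVCs and DataVolumes that request the registry source, and a scanner that flags importer log lines whose skopeo invocation carries --src-tls-verify=false. The klog line format, the annotation key and the DataVolume spec.source.registry field are taken from the advisory; the sample log lines and image reference are constructed for the example.

```python
"""
Added example (not the CDI project's code): offline checks for the
CDI registry-import TLS verification flaw described in the advisory.
"""
import re
from typing import Iterable, List, Tuple

# Affected range stated in the advisory: 1.4.0 through 1.5.3 inclusive.
# 1.5.4 is the first fixed release.
AFFECTED_MIN = (1, 4, 0)
AFFECTED_MAX = (1, 5, 3)

# Annotation quoted in the advisory's Mitigations section.
IMPORT_SOURCE_ANNOTATION = "cdi.kubevirt.io/storage.import.source"

# Matches the "ExecWithLimits skopeo, [ ... ]" importer log line shown in
# the advisory; the bracketed part is the argument vector handed to skopeo.
SKOPEO_LINE = re.compile(r"ExecWithLimits skopeo, \[(?P<args>[^\]]*)\]")


def parse_version(v: str) -> Tuple[int, int, int]:
    """'v1.5.3' or '1.5.3' -> (1, 5, 3); any suffix after the patch number is ignored."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", v.strip())
    if not m:
        raise ValueError(f"unrecognised CDI version string: {v!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected_version(v: str) -> bool:
    """True if the CDI release falls inside the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(v) <= AFFECTED_MAX


def uses_registry_import(manifest: dict) -> bool:
    """True if a PVC carries the registry import annotation, or a DataVolume
    declares spec.source.registry. These are the objects the mitigation says
    not to create on an unpatched deployment."""
    kind = manifest.get("kind")
    if kind == "PersistentVolumeClaim":
        annotations = manifest.get("metadata", {}).get("annotations") or {}
        return annotations.get(IMPORT_SOURCE_ANNOTATION) == "registry"
    if kind == "DataVolume":
        source = manifest.get("spec", {}).get("source") or {}
        return "registry" in source
    return False


def scan_importer_logs(lines: Iterable[str]) -> List[str]:
    """Return the importer log lines whose skopeo invocation disabled source
    TLS verification. Only the exact argument is matched, so a value such as
    --src-tls-verify=true does not produce a false positive."""
    hits: List[str] = []
    for line in lines:
        m = SKOPEO_LINE.search(line)
        if not m:
            continue
        args = m.group("args").split()
        if "--src-tls-verify=false" in args:
            hits.append(line.strip())
    return hits


# Constructed sample importer log (registry.example.com is a placeholder, not a real host).
SAMPLE_LOG = [
    "I0221 09:50:43.382518 1 prlimit.go:107] ExecWithLimits skopeo, "
    "[copy docker://registry.example.com/vm/disk:latest dir:/data/data_tmp --src-tls-verify=false]",
    "I0221 09:50:44.000000 1 importer.go:50] Unrelated importer message",
    "I0221 09:50:45.000000 1 prlimit.go:107] ExecWithLimits skopeo, "
    "[copy docker://registry.example.com/vm/disk:latest dir:/data/data_tmp]",
]


if __name__ == "__main__":
    for v in ("v1.3.0", "v1.4.0", "v1.5.3", "v1.5.4"):
        print(f"CDI {v}: {'AFFECTED' if is_affected_version(v) else 'not affected'}")
    for hit in scan_importer_logs(SAMPLE_LOG):
        print("VULNERABLE importer invocation:", hit)
```

In practice the log lines would come from `kubectl logs` of the importer pod found in step 2; the scanner is deliberately strict about matching the whole `--src-tls-verify=false` token so that a patched deployment, which passes the flag only when an insecure registry was explicitly requested, is not misreported when the flag is absent.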