Kubernetes

Kubernetes (kube, k8s), initially developed by Google before being released as open source in 2014, is “a portable, extensible, open-source platform for managing containerized workloads and services, that facilitates both declarative configuration and automation.” It is one of the preferred tools for building software with containers and container management, and it gives developers an optimized, scalable framework for building applications.

The Kubernetes Software Vulnerability

On September 21st, 2021, a critical software vulnerability was disclosed in a GitHub repository. The weakness, tracked as CVE-2021-25741, affects the virtualization software Kubernetes. The vulnerability type has been disclosed as a Kubernetes Subpath Volume Mount Input Validation vulnerability.

Technical Details

A vulnerability classified as critical was found in the Kubernetes ‘kubelet’. GitHub has noted that ‘Symlink Exchange Can Allow Host Filesystem Access.’ The vulnerability lies in unspecified processing within the Subpath Volume Mount Handler component. Manipulation with an unknown input is confirmed to lead to privilege escalation (misuse of privileges). It is known to affect confidentiality, integrity, and availability, and exploitation appears to be easy. The attack can be launched remotely, and a single authentication is sufficient for exploitation. The exact technical details are unknown and an exploit is not publicly available yet.

Vulnerable Software Versions

The affected software versions are as follows: v1.22.0 – v1.22.1, v1.21.0 – v1.21.4, v1.20.0 – v1.20.10.

Important User Information

This vulnerability allows a remote attacker to “access files & directories outside of the volume, including on the host filesystem.” Users need to know that fixes have been released. The fixes have been applied to the following versions: v1.22.2, v1.21.5, v1.20.11, v1.19.15. GitHub has also mentioned that, if users do not wish to update ‘kubelet’, they can “disable the VolumeSubpath feature gate on kubelet and kube-apiserver, and remove any existing Pods making use of the feature” as well as “use admission control to prevent less-trusted users from running containers as root to reduce the impact of successful exploitation.” More information on how to upgrade clusters, nodes, and kubelets can be found on this page.
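
The following is an added example, not code from the Kubernetes advisory or from this article, showing how an operator could inventory exposure before applying the fixes or mitigations above. It compares a kubelet version against the fixed releases listed above and flags containers that use subPath mounts and may run as root. The function names and the sample Pod data are constructed for illustration.

```python
import re

# Fixed kubelet releases as listed in the article, keyed by (major, minor).
FIXED = {(1, 22): 2, (1, 21): 5, (1, 20): 11, (1, 19): 15}

def kubelet_patched(version):
    """True/False for release lines the article lists, None for any other."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        return None
    major, minor, patch = map(int, m.groups())
    fixed = FIXED.get((major, minor))
    return None if fixed is None else patch >= fixed

def may_run_as_root(pod_sc, ctr_sc):
    """Container-level securityContext overrides the pod-level one."""
    non_root = ctr_sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
    uid = ctr_sc.get("runAsUser", pod_sc.get("runAsUser"))
    return not (non_root is True or (uid is not None and uid != 0))

def subpath_findings(pod_list):
    """Return one finding per container that mounts a volume via subPath."""
    findings = []
    for pod in pod_list.get("items", []):
        spec, meta = pod["spec"], pod["metadata"]
        pod_sc = spec.get("securityContext") or {}
        for ctr in spec.get("initContainers", []) + spec.get("containers", []):
            mounts = [vm["name"] for vm in ctr.get("volumeMounts", [])
                      if vm.get("subPath") or vm.get("subPathExpr")]
            if mounts:
                root = may_run_as_root(pod_sc, ctr.get("securityContext") or {})
                findings.append({"pod": f'{meta["namespace"]}/{meta["name"]}',
                                 "container": ctr["name"], "mounts": mounts,
                                 "may_run_as_root": root})
    return findings

# Constructed sample in the shape of `kubectl get pods -A -o json` output.
SAMPLE = {"items": [
    {"metadata": {"namespace": "web", "name": "cms-0"}, "spec": {"containers": [
        {"name": "cms", "volumeMounts": [{"name": "data", "subPath": "site"}]}]}},
    {"metadata": {"namespace": "web", "name": "api-0"}, "spec": {
        "securityContext": {"runAsUser": 1000}, "containers": [
            {"name": "api", "volumeMounts": [{"name": "cfg", "subPathExpr": "$(POD)"}]}]}},
    {"metadata": {"namespace": "ops", "name": "cron-0"}, "spec": {"containers": [
        {"name": "cron", "volumeMounts": [{"name": "tmp"}]}]}},
]}

if __name__ == "__main__":
    print(subpath_findings(SAMPLE), kubelet_patched("v1.21.4"))
```

Pods reported with `may_run_as_root` set are the ones the quoted admission-control advice is aimed at; every reported Pod would have to be removed before disabling the VolumeSubpath feature gate.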
