Bug 1890538 (CVE-2020-3996)

Summary: CVE-2020-3996 velero: restored PersistentVolumes may be bound to wrong PersistentVolumeClaims
Product: [Other] Security Response
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: unspecified
CC: gghezzo, gparvin, jramanat, jweiser, stcannon, thee
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: velero 1.4.3, velero 1.5.2
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2021-10-28 05:03:59 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1890829
Bug Blocks: 1890539

Description Guilherme de Almeida Suckevicz 2020-10-22 13:35:29 UTC
Velero restores PersistentVolumes from snapshots prior to creating their associated PersistentVolumeClaims.

Velero also cleared all PersistentVolumes' claimRef data, which meant that on restore in busy clusters it was possible that Kubernetes would match the PersistentVolume with a PersistentVolumeClaim other than the one that originally made it, thus leaking data to unauthorized users.

This does not impact volumes restored via the Velero restic support, which are recreated with completely new PersistentVolumes upon restore.

Reference:
https://github.com/vmware-tanzu/velero/security/advisories/GHSA-72xg-3mcq-52v4
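The description above says the exposure comes from restored PersistentVolumes whose claimRef was cleared, leaving Kubernetes free to bind them to whichever PersistentVolumeClaim matches first. The following is an added post-restore check, not Velero's own code: it reads the JSON that `kubectl get pv -o json` returns and flags every PV whose claimRef is empty (still eligible for any matching PVC) or whose claimRef names a different namespace/PVC than the backup recorded. The `BACKUP_EXPECTED` mapping and the sample PV objects are constructed for the example; in practice the expected pairs would come from the backup's own manifests.

```python
"""Post-restore PersistentVolume binding check.

Added example, not part of Velero. Reads `kubectl get pv -o json` output
and reports PVs that are unbound (empty claimRef) or bound to a PVC other
than the one recorded at backup time.
"""
import json
import sys

# Constructed: the PV -> (namespace, PVC name) pairs the backup recorded.
BACKUP_EXPECTED = {
    "pv-payroll": ("finance", "payroll-data"),
    "pv-scratch": ("dev", "scratch"),
    "pv-logs": ("ops", "logs"),
}

# Constructed sample shaped like `kubectl get pv -o json`:
#   pv-payroll was claimed by the wrong PVC (the scenario in the report),
#   pv-scratch came back with no claimRef at all,
#   pv-logs is bound to the PVC the backup expected.
SAMPLE_PV_JSON = json.dumps({"items": [
    {"metadata": {"name": "pv-payroll"},
     "spec": {"claimRef": {"namespace": "dev", "name": "scratch"}},
     "status": {"phase": "Bound"}},
    {"metadata": {"name": "pv-scratch"},
     "spec": {},
     "status": {"phase": "Available"}},
    {"metadata": {"name": "pv-logs"},
     "spec": {"claimRef": {"namespace": "ops", "name": "logs"}},
     "status": {"phase": "Bound"}},
]})


def check_pv_bindings(pv_json, expected):
    """Return (pv_name, verdict, detail) for every PV that needs attention.

    verdict is one of:
      "unbound"  - claimRef empty, so any PVC with matching size/class/mode
                   may be bound to this volume and its data
      "misbound" - claimRef points at a PVC other than the backup's
      "unknown"  - PV is not in the backup manifest at all
    PVs bound to the expected PVC produce no finding.
    """
    findings = []
    for pv in json.loads(pv_json).get("items", []):
        name = pv["metadata"]["name"]
        ref = pv.get("spec", {}).get("claimRef") or {}
        want = expected.get(name)
        if want is None:
            findings.append((name, "unknown", "PV not present in backup manifest"))
            continue
        if not ref.get("name"):
            findings.append((name, "unbound",
                             "claimRef empty: eligible for any matching PVC"))
            continue
        actual = (ref.get("namespace"), ref.get("name"))
        if actual != want:
            findings.append((name, "misbound",
                             "bound to %s/%s, backup expected %s/%s"
                             % (actual[0], actual[1], want[0], want[1])))
    return findings


def report(findings):
    """Human-readable one-line-per-finding summary."""
    return "\n".join("%-12s %-9s %s" % f for f in findings)


if __name__ == "__main__":
    # Run against live data: kubectl get pv -o json | python3 check_pv.py
    # With no stdin data, fall back to the constructed sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PV_JSON
    print(report(check_pv_bindings(data, BACKUP_EXPECTED)))
```

The check is deliberately strict about namespace as well as PVC name, since two namespaces can legitimately own PVCs with the same name and a bind across that boundary is exactly the data exposure the advisory describes. An empty claimRef is reported even while the PV is still `Available`, because that is the window in which the first matching PVC wins the binding.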