Bug 1923405 (CVE-2021-20218)

Summary: CVE-2021-20218 fabric8-kubernetes-client: vulnerable to a path traversal leading to integrity and availability compromise
Product: [Other] Security Response
Reporter: Jonathan Christison <jochrist>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: abenaiss, aileenc, akoufoud, alazarot, almorale, anstephe, aos-bugs, avibelli, bgeorges, bibryam, bmontgom, chazlett, clement.escoffier, dandread, dkreling, dramseur, drieden, eparis, etirelli, ganandan, ggaughan, gmalinko, gsmet, hamadhan, hbraun, ibek, janstey, jburrell, jcantril, jhunter, jnethert, jochrist, jokerman, jpallich, jross, jstastny, jwon, kmitts, krathod, kverlaen, lthon, mgala, mjudeiki, mnovotny, mszynkie, nstielau, pantinor, pbhattac, pgallagh, pjindal, probinso, rgodfrey, rrajasek, rruss, rsvoboda, rsynek, sbiarozk, scorneli, sdaley, sdouglas, sponnaga, vbobade
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
See Also:
  https://issues.redhat.com/browse/ENTESB-15659
  https://issues.redhat.com/browse/ENTESB-15660
  https://issues.redhat.com/browse/ENTESB-15661
  https://issues.redhat.com/browse/ENTMQMAAS-2663
  https://issues.redhat.com/browse/QUARKUS-746
  https://issues.redhat.com/browse/RHDM-1594
  https://issues.redhat.com/browse/RHPAM-3443
Whiteboard:
Fixed In Version: kubernetes-client-4.13.2 kubernetes-client-5.0.2 kubernetes-client-4.11.2 kubernetes-client-4.7.2
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the fabric8 kubernetes-client in version 4.2.0 and after. This flaw allows a malicious pod/container to cause applications using the fabric8 kubernetes-client `copy` command to extract files outside the working path. The highest threat from this vulnerability is to integrity and system availability.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-03-25 11:35:13 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1924002, 1924003, 1924004, 1928233, 1928234, 1928658, 1928845, 1929117, 1929121
Bug Blocks: 1915901, 1923970

Description Jonathan Christison 2021-02-01 16:46:25 UTC
A flaw was found in the fabric8 kubernetes-client where a malicious pod/container may cause applications using the fabric8 kubernetes-client `copy` command to extract files outside the working path; the main impact of this flaw is to the integrity and availability of the kubernetes-client host.

Upstream report: https://github.com/fabric8io/kubernetes-client/issues/2715

Comment 1 Jonathan Christison 2021-02-01 16:46:30 UTC
Acknowledgments:

Name: Ivan Bodrov, Marc Nuri (Red Hat)

Comment 2 Jonathan Christison 2021-02-01 16:46:31 UTC
External References:

https://github.com/fabric8io/kubernetes-client/issues/2715

Comment 19 Todd Cullum 2021-03-20 00:58:03 UTC
Statement:

In OpenShift Container Platform 4 (OCP) there are no plans to maintain the ose-logging-elasticsearch5 container, therefore it has been marked wontfix at this time and may be fixed in a future update.

Red Hat CodeReady WorkSpaces 2.7.0 does not ship fabric8-kubernetes-client and is therefore not affected by this flaw.

Comment 20 Jonathan Christison 2021-03-22 12:23:11 UTC
Marking Red Hat AMQ Online as having a low impact: although a vulnerable fabric8-kubernetes-client version is distributed and used with AMQ Online, the vulnerable functionality (PodOperationsImpl/copy) is never used by AMQ Online.

Comment 21 errata-xmlrpc 2021-03-25 09:43:56 UTC
This issue has been addressed in the following products:

  Red Hat AMQ Online 1.7.0 GA

Via RHSA-2021:0986 https://access.redhat.com/errata/RHSA-2021:0986

Comment 22 Product Security DevOps Team 2021-03-25 11:35:13 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-20218

Comment 24 Jonathan Christison 2021-03-25 17:29:01 UTC
A word on scoring, our scoring is currently 7.4/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H and NVD of 9.1/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H will change to 7.4/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H

My take: 

Exploitability Metrics: 

Attack Vector Network (AV:N) -
Agree here, the fabric8 kubernetes client is bound to the network stack and it is commonly carrying out operations over WANs.

Attack Complexity Low (AC:L) -> Attack Complexity High (AC:H):

We disagree with the original scoring of a low attack complexity, a successful attack depends on conditions beyond the attacker's control, we believe those conditions are -

*) The attacker must have a method to inject a malicious container, or alter the tar binary within a legitimate container within the openshift or kubernetes cluster that the fabric8 kubernetes client is connecting to and invoking the `copy()` command upon; in other words, there is a prerequisite for the attacker to overcome other security protections outside the scope of kubernetes client by preparing the target environment to improve exploit reliability.

*) The vulnerability is only exploitable if the user invokes the copy() command on the aforementioned malicious container; this is an additional element outside the attacker's control. User interaction being required might cover this in some circumstances, but it is specific to the end application (the application using the fabric8 kubernetes client library) and ultimately means an attacker must gather knowledge about the environment in which the vulnerable component exists.

*) Upon successful exploitation of the flaw, the impact of the flaw will be dependent on the end application user permissions; this is addressed in the Integrity section but is also an element liable to change from system to system and another element which is outside the attacker's control.

Privileges Required None (PR:N) -
Agree here, the attacker does not necessarily need to be a privileged user, e.g. no login is required to exploit the base flaw.

User Interaction None (UI:N)
Mostly agree here, a user may not need to be coerced into performing any action for this flaw; an attacker can expect to be successful if the prerequisites set out in the attack complexity section are true and the copy() command/method is invoked. Invoking of the command could be by a user manually (invoked as part of a specific end application function) or automatically as a batch process in the end application.

Scope Unchanged (S:U)
Agree here, the attacker will not be able to escape the scope of the executing JVM solely due to this flaw
 
Impact Metrics:

Confidentiality None (C:N)
Agree here, there is no loss of confidentiality within the impacted component, the attacker is unable to divulge any information with this attack alone

Integrity High (I:H) 
We agree in principle here: in a successful attack a malicious file may be extracted to any location on the target (end user) machine to which the user under which the fabric8 kubernetes client end application is running has access. These permissions would in most circumstances result in a low integrity impact; however, in this case the files likely modifiable or overwritable present a direct and serious consequence, e.g. overwriting administrative tools used in the administration of the kubernetes or openshift cluster.

Availability High (A:H)
We agree here, in a successful attack, files associated with the fabric8 kubernetes client could be overwritten and its functionality could persistently be inaccessible to a user until these files are recovered/replaced, i.e. the user might be unable to connect to the openshift/kubernetes cluster.
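
The description and the scoring discussion above both turn on one mechanism: the client receives a tar stream from the pod and unpacks it, and a tampered `tar` inside the container can hand back entry names containing `..` so the extraction lands outside the working path. The following is an added, self-contained example of the defensive check on the extracting side; it is not code from this bug report or from the fabric8 project (which is Java), and it uses Python's standard `tarfile` module only so that it runs offline. The archive it unpacks is constructed in memory and labelled as such; the entry names, the destination directory and the helper names (`stays_inside`, `safe_extract`, `demo`) are this example's own.

```python
import io
import os
import tarfile
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple


def build_constructed_archive() -> bytes:
    """Constructed sample input (not a real capture): a tar stream of the kind a
    tampered `tar` inside a pod could send back to a client copying files out of
    the container. It carries one benign entry, one entry whose name climbs out
    of the destination with '..', and one symlink entry."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, payload in (("app/config.yaml", b"ok: true\n"),
                              ("../../outside.txt", b"escaped\n")):
            info = tarfile.TarInfo(name=name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
        link = tarfile.TarInfo(name="app/link")
        link.type = tarfile.SYMTYPE
        link.linkname = "/etc/hostname"  # constructed target, never created
        tar.addfile(link)
    return buf.getvalue()


def stays_inside(dest_dir: Path, entry_name: str) -> bool:
    """True only if entry_name, joined to dest_dir and fully resolved ('..'
    components and any symlinks already on disk included), is dest_dir itself
    or lies below it. Absolute entry names never pass."""
    if os.path.isabs(entry_name):
        return False
    dest = dest_dir.resolve()
    target = (dest / entry_name).resolve()
    return target == dest or dest in target.parents


def safe_extract(tar_bytes: bytes, dest_dir: Path) -> Tuple[List[str], List[str]]:
    """Materialize only regular files and directories whose resolved path stays
    inside dest_dir. Traversal names, links and special entries are rejected
    rather than silently rewritten, so the caller can log them.
    Returns (extracted names, rejected names)."""
    dest_dir.mkdir(parents=True, exist_ok=True)
    extracted: List[str] = []
    rejected: List[str] = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for member in tar:
            if not stays_inside(dest_dir, member.name):
                rejected.append(member.name)
                continue
            target = dest_dir / member.name
            if member.isdir():
                target.mkdir(parents=True, exist_ok=True)
            elif member.isfile():
                target.parent.mkdir(parents=True, exist_ok=True)
                with tar.extractfile(member) as src:
                    target.write_bytes(src.read())
            else:
                # symlinks, hardlinks, devices: not materialized at all
                rejected.append(member.name)
                continue
            extracted.append(member.name)
    return extracted, rejected


def demo() -> Dict[str, object]:
    """Unpack the constructed archive into a scratch directory and report what
    was written, what was refused, and whether anything landed above it."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = Path(tmp) / "work" / "copy"
        extracted, rejected = safe_extract(build_constructed_archive(), dest)
        return {
            "extracted": extracted,
            "rejected": rejected,
            "config_ok": (dest / "app" / "config.yaml").read_bytes() == b"ok: true\n",
            "escape_written": (Path(tmp) / "outside.txt").exists(),
            "abs_rejected": not stays_inside(dest, "/etc/hostname"),
            "dotdot_inside_ok": stays_inside(dest, "app/../config.yaml"),
        }


if __name__ == "__main__":
    print(demo())
```

The check resolves the candidate path before comparing it with the destination, so a `..` that is later cancelled out (`app/../config.yaml`) is still accepted while one that leaves the destination is not, and a parent directory that is already a symlink pointing elsewhere is caught as well. Refusing link entries outright is the simplest safe policy for a copy-out-of-pod operation; if links must be preserved, their `linkname` needs the same containment check. On Python 3.12 and later, `tarfile.extractall(..., filter="data")` applies a comparable policy built into the standard library.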

Comment 25 errata-xmlrpc 2021-03-29 11:13:03 UTC
This issue has been addressed in the following products:

  Red Hat build of Quarkus

Via RHSA-2021:1004 https://access.redhat.com/errata/RHSA-2021:1004

Comment 28 errata-xmlrpc 2021-08-18 09:13:38 UTC
This issue has been addressed in the following products:

  Red Hat Integration

Via RHSA-2021:3205 https://access.redhat.com/errata/RHSA-2021:3205

Comment 29 errata-xmlrpc 2021-08-18 09:55:05 UTC
This issue has been addressed in the following products:

  Red Hat Integration

Via RHSA-2021:3207 https://access.redhat.com/errata/RHSA-2021:3207

Comment 30 errata-xmlrpc 2021-12-14 21:33:30 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.10

Via RHSA-2021:5134 https://access.redhat.com/errata/RHSA-2021:5134

Comment 31 errata-xmlrpc 2022-01-26 15:53:01 UTC
This issue has been addressed in the following products:

  RHPAM 7.12.0

Via RHSA-2022:0296 https://access.redhat.com/errata/RHSA-2022:0296

Comment 32 errata-xmlrpc 2022-01-26 16:56:58 UTC
This issue has been addressed in the following products:

  RHDM 7.12.0

Via RHSA-2022:0297 https://access.redhat.com/errata/RHSA-2022:0297