Bug 1937562 (CVE-2021-25735)

Summary: CVE-2021-25735 kubernetes: Validating Admission Webhook does not observe some previous fields
Product: [Other] Security Response
Reporter: Sam Fowler <sfowler>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: admiller, alderr, bmontgom, deads, eparis, jburrell, jcajka, joelsmith, jokerman, lhinds, nstielau, rtheis, security-response-team, sfowler, sponnaga, sttts
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: kubernetes 1.21.0, kubernetes 1.20.6, kubernetes 1.19.10, kubernetes 1.18.18
Doc Text:
A vulnerability was found in Kubernetes' kube-apiserver that could allow Node updates to bypass a Validating Admission Webhook. An authenticated user could exploit this by modifying Node properties to values that should have been prevented by registered admission webhooks.
Last Closed: 2021-07-28 01:06:55 UTC
Bug Depends On: 1937677, 1937678, 1937679, 1937680, 1937681, 1938136, 1938137, 1938138, 1949608
Bug Blocks: 1937563

Description Sam Fowler 2021-03-11 01:16:29 UTC
A security issue was discovered in kube-apiserver that could allow node updates to bypass a Validating Admission Webhook. You are only affected by this vulnerability if you run a Validating Admission Webhook for Nodes that denies admission based at least partially on the old state of the Node object.

Note: This only impacts validating admission plugins that rely on old values in certain fields, and does not impact calls from kubelets that go through the built-in NodeRestriction admission plugin.


Upstream placeholder issue:

https://github.com/kubernetes/kubernetes/issues/100096


Upstream PR:

https://github.com/kubernetes/kubernetes/pull/99946
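As an added illustration (not code from this bug, from Kubernetes, or from Red Hat), the following Go decodes a constructed AdmissionReview for a Node update and runs it through two policy functions: one of the affected kind, which compares the new object against oldObject, and one that decides from the incoming object alone. The sample request simulates the condition the description names: the oldObject the webhook receives no longer shows the label's previous value, so only the new-state check still denies the change. The struct types and the "pool" label are assumptions for the example.

```go
package main

import "encoding/json"

// Constructed subset of the AdmissionReview request an apiserver sends to a
// validating webhook; these are not the k8s.io/api types.
type nodeObj struct {
	Metadata struct {
		Labels map[string]string `json:"labels"`
	} `json:"metadata"`
}

type admissionRequest struct {
	Operation string  `json:"operation"`
	Object    nodeObj `json:"object"`
	OldObject nodeObj `json:"oldObject"`
}

// Affected pattern: the verdict depends on oldObject. If the apiserver hands
// the webhook an oldObject that no longer carries the previous value, the
// change is invisible to this check and the update is admitted.
func validateAgainstOldState(req admissionRequest, label string) bool {
	if req.Operation != "UPDATE" {
		return true
	}
	return req.OldObject.Metadata.Labels[label] == req.Object.Metadata.Labels[label]
}

// Unaffected pattern: the verdict depends only on the incoming object, so it
// holds regardless of what the apiserver reports as the old state.
func validateNewStateOnly(req admissionRequest, label string, allowed map[string]bool) bool {
	return allowed[req.Object.Metadata.Labels[label]]
}

func decodeReview(raw []byte) (admissionRequest, error) {
	var review struct {
		Request admissionRequest `json:"request"`
	}
	err := json.Unmarshal(raw, &review)
	return review.Request, err
}

// Constructed sample: the node's "pool" label really was "restricted", but the
// oldObject delivered to the webhook already shows the new value "privileged".
const sampleReview = `{"request":{"operation":"UPDATE",
 "object":{"metadata":{"labels":{"pool":"privileged"}}},
 "oldObject":{"metadata":{"labels":{"pool":"privileged"}}}}}`
```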

Comment 9 Przemyslaw Roguski 2021-04-14 16:21:04 UTC
Acknowledgments:

Name: the Kubernetes Product Security Committee
Upstream: Rogerio Bastos (Red Hat), Ari Lima (Red Hat)

Comment 10 Przemyslaw Roguski 2021-04-14 16:21:44 UTC
Created origin tracking bugs for this issue:

Affects: fedora-all [bug 1949608]

Comment 11 Sam Fowler 2021-05-10 06:10:21 UTC
External References:

https://groups.google.com/g/kubernetes-security-announce/c/FKAGqT4jx9Y

Comment 13 errata-xmlrpc 2021-07-27 22:07:27 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.8

Via RHSA-2021:2437 https://access.redhat.com/errata/RHSA-2021:2437

Comment 14 Product Security DevOps Team 2021-07-28 01:06:55 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-25735

Comment 15 Richard Theis 2021-08-21 10:55:36 UTC
https://access.redhat.com/security/cve/CVE-2021-25735 only references OpenShift version 4.8 as being fixed.  There are no details on earlier OpenShift version 4.x releases.  Are these releases not impacted, still vulnerable or fixed?

Comment 16 Sam Fowler 2021-08-23 00:15:41 UTC
(In reply to Richard Theis from comment #15)
> https://access.redhat.com/security/cve/CVE-2021-25735 only references
> OpenShift version 4.8 as being fixed.  There are no details on earlier
> OpenShift version 4.x releases.  Are these releases not impacted, still
> vulnerable or fixed?

OpenShift 4.8.2 is the first released version of OpenShift 4 that has been fixed. Earlier released versions of OpenShift 4 are affected.

Comment 17 Rachel A 2021-10-20 10:16:10 UTC
Can anyone tell me whether CVE-2021-25735 has been fixed for OpenShift 4.7 and 4.6, and if so which security errata it's documented in? I can't see any updated details on https://access.redhat.com/security/cve/CVE-2021-25735, only that OpenShift v4 is still affected.

Or is this a similar case to https://bugzilla.redhat.com/show_bug.cgi?id=1963232#c26 (CVE-2021-33194) where this vulnerability won't be addressed in OpenShift (OCP) 4.7 and 4.6 as both these releases are already in the maintenance support phase?

Comment 18 Sam Fowler 2021-10-21 04:33:47 UTC
In reply to comment #17:
> Can anyone tell me whether CVE-2021-25735 has been fixed for OpenShift
> 4.7 and 4.6, and if so which security errata it's documented in? I can't see
> any updated details on
> https://access.redhat.com/security/cve/CVE-2021-25735, only that OpenShift
> v4 is still affected.

OpenShift 4.8.2 is the first released version of OpenShift 4 that has been fixed. Earlier released versions of OpenShift 4 are affected.
 
> Or is this a similar case to
> https://bugzilla.redhat.com/show_bug.cgi?id=1963232#c26 (CVE-2021-33194)
> where this vulnerability won't be addressed in OpenShift (OCP) 4.7 and 4.6
> as both these releases are already in the maintenance support phase?

Even in Full Support phase, only Important and Critical rated vulnerabilities are covered under our support policy:

https://access.redhat.com/support/policy/updates/openshift

That said, Low and Moderate rated CVEs do sometimes get fixed, but this is dependent on many factors. If you would like to request a fix for this CVE in earlier versions of OpenShift, please raise a support ticket.

Comment 19 Richard Theis 2021-10-29 13:05:59 UTC
Thank you.  Is a support ticket separate from a bugzilla?  If so, should we open both a support ticket and an associated bugzilla?

Comment 20 Sam Fowler 2021-11-02 03:31:29 UTC
(In reply to Richard Theis from comment #19)
> Thank you.  Is a support ticket separate from a bugzilla?  If so, should we
> open both a support ticket and an associated bugzilla?

A support ticket is separate from bugzilla. On this page, please use the "Open a Support Case" link:

https://access.redhat.com/

Comment 21 Richard Theis 2021-11-03 20:47:18 UTC
Done.  Thank you.