Bug 2247163 (CVE-2023-5528)

Summary: CVE-2023-5528 kubernetes: Insufficient input sanitization in in-tree storage plugin leads to privilege escalation on Windows nodes
Product: [Other] Security Response
Component: vulnerability
Reporter: Avinash Hanwate <ahanwate>
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
Severity: high
Priority: high
Version: unspecified
CC: dfreiber, drow, jburrell, mcascell, rteague, security-response-team, ssoto, vkumar
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: kubernetes 1.25.16, kubernetes 1.26.11, kubernetes 1.27.8, kubernetes 1.28.4
Doc Text: A flaw was found in Kubernetes, where a user who can create pods and persistent volumes on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they are using an in-tree storage plugin for Windows nodes.
Bug Blocks: 2247165

Description Avinash Hanwate 2023-10-31 03:36:39 UTC
A security issue was discovered in Kubernetes where a user that can create pods and persistent volumes on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they are using an in-tree storage plugin for Windows nodes.

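The first thing a cluster operator needs from this bug is a triage check: which Windows nodes still run a kubelet older than the patch releases listed in "Fixed In Version". The following Go program is an added example written for this page, not code from the Kubernetes project or from Red Hat. It embeds the four fixed patch levels from the bug, parses kubelet version strings as they appear in `status.nodeInfo.kubeletVersion`, and lists Windows nodes that predate the fix. The node list is constructed sample data. Two assumptions are labelled in the code: minor branches older than 1.25 are treated as unfixed because the bug lists no fix for them, and branches newer than 1.28 (1.29.0 onward) are treated as fixed because they were released after the fix landed. The bug does not say which in-tree plugin is involved, so the check cannot confirm that a node actually uses one; it narrows the list of nodes to inspect.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// fixedPatch maps a 1.x minor branch to the first patch release that carries
// the fix for CVE-2023-5528, taken from this bug's "Fixed In Version" field.
var fixedPatch = map[int]int{
	25: 16,
	26: 11,
	27: 8,
	28: 4,
}

// parseKubeletVersion reads "v1.27.7" or "v1.28.4+rke2r1" (build metadata after
// '+' or a pre-release suffix after '-' is ignored) into (minor, patch).
func parseKubeletVersion(v string) (int, int, error) {
	v = strings.TrimPrefix(strings.TrimSpace(v), "v")
	if i := strings.IndexAny(v, "+-"); i >= 0 {
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 || parts[0] != "1" {
		return 0, 0, fmt.Errorf("unsupported kubelet version %q", v)
	}
	minor, err := strconv.Atoi(parts[1])
	if err != nil {
		return 0, 0, fmt.Errorf("bad minor in %q: %w", v, err)
	}
	patch, err := strconv.Atoi(parts[2])
	if err != nil {
		return 0, 0, fmt.Errorf("bad patch in %q: %w", v, err)
	}
	return minor, patch, nil
}

// kubeletFixed reports whether a kubelet at version v contains the fix.
// Assumption: branches older than 1.25 have no listed fix and count as
// unfixed; branches newer than 1.28 were cut after the fix and count as fixed.
func kubeletFixed(v string) (bool, error) {
	minor, patch, err := parseKubeletVersion(v)
	if err != nil {
		return false, err
	}
	minPatch, ok := fixedPatch[minor]
	if !ok {
		return minor > 28, nil
	}
	return patch >= minPatch, nil
}

// Node holds the two node fields this check needs: the kubernetes.io/os label
// and status.nodeInfo.kubeletVersion.
type Node struct {
	Name           string
	OS             string
	KubeletVersion string
}

// candidateNodes returns Windows nodes whose kubelet predates the fix. Linux
// nodes are skipped because only Windows nodes are affected. Use of an in-tree
// storage plugin is not visible from the version, so a returned node is a
// candidate to inspect, not a confirmed exposure.
func candidateNodes(nodes []Node) ([]string, error) {
	var out []string
	for _, n := range nodes {
		if !strings.EqualFold(n.OS, "windows") {
			continue
		}
		fixed, err := kubeletFixed(n.KubeletVersion)
		if err != nil {
			return nil, fmt.Errorf("node %s: %w", n.Name, err)
		}
		if !fixed {
			out = append(out, n.Name)
		}
	}
	return out, nil
}

// sampleNodes is constructed input for this example, not data from a real cluster.
var sampleNodes = []Node{
	{Name: "cp-1", OS: "linux", KubeletVersion: "v1.27.7"},
	{Name: "win-worker-1", OS: "windows", KubeletVersion: "v1.27.7"},
	{Name: "win-worker-2", OS: "windows", KubeletVersion: "v1.27.8"},
	{Name: "win-worker-3", OS: "windows", KubeletVersion: "v1.26.10+k3s1"},
	{Name: "win-worker-4", OS: "windows", KubeletVersion: "v1.29.0"},
}

func main() {
	names, err := candidateNodes(sampleNodes)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, n := range names {
		fmt.Println("kubelet predates the CVE-2023-5528 fix:", n)
	}
}
```

On a live cluster the `Node` values come from `kubectl get nodes -o json`: the `kubernetes.io/os` label and `status.nodeInfo.kubeletVersion`. A node that this check lists still needs a look at its persistent volumes to see whether any are served by an in-tree plugin, because the bug makes that the condition for exposure.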
Comment 5 Mauro Matteo Cascella 2023-11-15 15:48:18 UTC
Upstream issue:
https://github.com/kubernetes/kubernetes/issues/121879

Comment 7 errata-xmlrpc 2023-12-06 00:20:59 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.11

Via RHSA-2023:7662 https://access.redhat.com/errata/RHSA-2023:7662

Comment 9 errata-xmlrpc 2023-12-11 00:22:00 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2023:7710 https://access.redhat.com/errata/RHSA-2023:7710

Comment 10 errata-xmlrpc 2023-12-11 00:22:15 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2023:7709 https://access.redhat.com/errata/RHSA-2023:7709

Comment 12 errata-xmlrpc 2024-02-27 15:16:45 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:0954 https://access.redhat.com/errata/RHSA-2024:0954

Comment 14 errata-xmlrpc 2024-03-07 06:39:19 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:1203 https://access.redhat.com/errata/RHSA-2024:1203