Bug 2373839 (CVE-2025-4563)
| Summary: | CVE-2025-4563 kube-apiserver: NodeRestriction Admission Controller Dynamic Resource Allocation Bypass | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
| Component: | vulnerability | Assignee: | Product Security DevOps Team <prodsec-dev> |
| Status: | NEW --- | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | unspecified | Keywords: | Security |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | --- | |
| Doc Text: |
A flaw was found in the Kubernetes NodeRestriction admission controller when the DynamicResourceAllocation feature is enabled. While this controller properly validates resource claims during pod status updates, it fails to apply the same validation during pod creation. This oversight allows a compromised node to create mirror pods that can access unauthorized dynamic resources, potentially leading to unauthorized data access and privilege escalation. Although kubelet sanity checks usually prevent such pods from running, the lack of authorization enforcement at creation time poses a real security policy failure.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2373847, 2373848 | ||
| Bug Blocks: | |||
|
Description
OSIDB Bzimport
2025-06-19 08:55:57 UTC
|