Bug 1890538 (CVE-2020-3996) - CVE-2020-3996 velero: restored PersistentVolumes may be bound to wrong PersistentVolumeClaims
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2020-3996
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1890829
Blocks: 1890539
Reported: 2020-10-22 13:35 UTC by Guilherme de Almeida Suckevicz
Modified: 2021-10-28 05:03 UTC (History)
CC List: 6 users

Fixed In Version: velero 1.4.3, velero 1.5.2
Clone Of:
Environment:
Last Closed: 2021-10-28 05:03:59 UTC
Embargoed:



Description Guilherme de Almeida Suckevicz 2020-10-22 13:35:29 UTC
Velero restores PersistentVolumes from snapshots prior to creating their associated PersistentVolumeClaims.

Velero also cleared all PersistentVolumes' claimRef data, which meant that on restore in busy clusters it was possible that Kubernetes would match the PersistentVolume with a PersistentVolumeClaim other than the one that originally made it, thus leaking data to unauthorized users.

This does not impact volumes restored via the Velero restic support, which are recreated with completely new PersistentVolumes upon restore.
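The binding race described above, as an added illustration that is not Velero's or Kubernetes' code: a deliberately simplified, constructed model of how the PV controller chooses a claim for a PersistentVolume. A PV whose claimRef has been cleared is eligible for any compatible pending claim, so in a cluster where another tenant's PVC is already waiting, that claim can win before Velero recreates the original one; a PV that still references its original claim by namespace and name binds only to that claim. The names, namespaces, sizes and the `audit_unreferenced_pvs` check are all assumptions made up for the example.

```python
"""Simplified model of PV/PVC binding to illustrate CVE-2020-3996.

This is NOT Velero's or Kubernetes' code: the binder below is a constructed,
minimal approximation of the real controller's matching logic.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class PVC:
    namespace: str
    name: str
    storage_class: str
    request_gi: int


@dataclass
class PV:
    name: str
    storage_class: str
    capacity_gi: int
    # claimRef: (namespace, name) of the claim this PV is reserved for, or None
    claim_ref: Optional[Tuple[str, str]] = None


def restore_pv(pv: PV, strip_claim_ref: bool) -> PV:
    """Model of the restored PV object.

    strip_claim_ref=True models the vulnerable behaviour described in the bug
    (claimRef cleared on restore); False models a restore that keeps the
    namespace/name reference to the original claim.
    """
    return PV(pv.name, pv.storage_class, pv.capacity_gi,
              None if strip_claim_ref else pv.claim_ref)


def bind(pv: PV, pending: List[PVC]) -> Optional[PVC]:
    """Return the claim the PV would be bound to (first match wins).

    With a claimRef set, only the referenced claim qualifies. Without one, any
    pending claim with the same storage class and a fitting request can take
    the volume, which is the data-exposure path the advisory describes.
    """
    for pvc in pending:
        if pv.claim_ref is not None:
            if (pvc.namespace, pvc.name) == pv.claim_ref:
                return pvc
            continue
        if pvc.storage_class == pv.storage_class and pvc.request_gi <= pv.capacity_gi:
            return pvc
    return None


def demo(strip_claim_ref: bool) -> str:
    """Run the constructed scenario and report which claim gets the volume."""
    original = PV("pv-finance-db", "gp2", 100, claim_ref=("finance", "db-data"))
    restored = restore_pv(original, strip_claim_ref)
    # Constructed scenario: an unrelated tenant's claim is already pending when
    # the PV appears, and the original finance/db-data claim is recreated later.
    pending = [
        PVC("marketing", "scratch", "gp2", 50),
        PVC("finance", "db-data", "gp2", 100),
    ]
    winner = bind(restored, pending)
    return f"{winner.namespace}/{winner.name}" if winner else "unbound"


def audit_unreferenced_pvs(pvs: List[PV]) -> List[str]:
    """Defender check (assumed, not from the advisory): names of PVs that carry
    no claimRef and could therefore be grabbed by any matching claim."""
    return [pv.name for pv in pvs if pv.claim_ref is None]


if __name__ == "__main__":
    print("claimRef cleared  ->", demo(True))    # marketing/scratch
    print("claimRef retained ->", demo(False))   # finance/db-data
```

On a real cluster the equivalent of `audit_unreferenced_pvs` is inspecting `.spec.claimRef` on each PersistentVolume after a restore, for example with `kubectl get pv -o custom-columns=NAME:.metadata.name,CLAIM:.spec.claimRef.name`, and confirming that every volume holding restored data is bound to the claim it came from.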

Reference:
https://github.com/vmware-tanzu/velero/security/advisories/GHSA-72xg-3mcq-52v4

