The snapshot-controller could dereference a NULL pointer when processing a VolumeSnapshot custom resource when: The VolumeSnapshot referenced a non-existing PersistentVolumeClaim; And the VolumeSnapshot did not reference any VolumeSnapshotClass. The snapshot-controller crashes and it is automatically restarted by Kubernetes, however, it processes the same VolumeSnapshot custom resource after the restart and crashes again, entering an endless crashloop. Only the volume snapshot feature is affected by this vulnerability. When exploited, users can’t take snapshots of their volumes or delete the snapshots. All other Kubernetes functionality is not affected. Reference: https://github.com/kubernetes-csi/external-snapshotter/issues/421
Upstream Fix: https://github.com/kubernetes-csi/external-snapshotter/pull/381
Fixed before GA of OCP 4.6.0: https://github.com/openshift/csi-external-snapshotter/commit/6fd6683f423f7ae1ae154786f1988e4e479a417b
Both 'snapshot-controller' and 'external-snapshotter' are the short names for two container images produced by the upstream github.com/kubernetes-csi/ external-snapshotter repo. This repo is forked into github.com/openshift/csi-external-snapshotter, which produces the same container images with the (internal) names of: ose-csi-snapshot-controller-container ose-csi-external-snapshotter-container No released version of OCP includes a version of these containers that is affected by this CVE.
External References: https://groups.google.com/g/kubernetes-security-announce/c/1EzCr1qUxxU https://github.com/kubernetes-csi/external-snapshotter/issues/421
I agree, our snapshot-controller is already fixed in both 4.6.0 and 4.7 by https://bugzilla.redhat.com/show_bug.cgi?id=1883421. The bug is not present in 4.5 and earlier releases.
Statement: This vulnerability only affects versions v3.0.0 - v3.0.1 of the upstream snapshot-controller. No released component of OpenShift Container Platform (OCP) includes a vulnerable version. The first release of OCP 4.6 included v3 of snapshot-controller with this fix, earlier versions of OCP include v2 which is not affected by this vulnerability. Similarly, no components of OpenShift Virtualization include a vulnerable version.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-8569