Bug 1897314 (CVE-2020-8569) - CVE-2020-8569 kubernetes-csi: NULL pointer dereference in snapshot-controller when processing a VolumeSnapshot custom resource
Summary: CVE-2020-8569 kubernetes-csi: NULL pointer dereference in snapshot-controller...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2020-8569
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1897316
TreeView+ depends on / blocked
 
Reported: 2020-11-12 18:44 UTC by Guilherme de Almeida Suckevicz
Modified: 2021-06-08 15:10 UTC (History)
15 users (show)

Fixed In Version: snapshot-controller 3.0.2, snapshot-controller 2.1.3
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Kubernetes snapshot-controller, where it is vulnerable to a denial of service attack via authorized API requests. The snapshot-controller can dereference a NULL pointer when processing a VolumeSnapshot custom resource via an authorized API request with invalid references to PersistentVolumeClaims and VolumeSnapshotClasses. The result causes the snapshot-controller to enter an endless crash loop. The highest threat from this vulnerability is to system availability.
Clone Of:
Environment:
Last Closed: 2020-12-01 17:33:53 UTC
Embargoed:

Attachments (Terms of Use)

Description Guilherme de Almeida Suckevicz 2020-11-12 18:44:05 UTC 
The snapshot-controller could dereference a NULL pointer when processing a VolumeSnapshot custom resource when:

The VolumeSnapshot referenced a non-existing PersistentVolumeClaim;
And the VolumeSnapshot did not reference any VolumeSnapshotClass.

The snapshot-controller crashes and it is automatically restarted by Kubernetes, however, it processes the same VolumeSnapshot custom resource after the restart and crashes again, entering an endless crashloop.

Only the volume snapshot feature is affected by this vulnerability. When exploited, users can’t take snapshots of their volumes or delete the snapshots. All other Kubernetes functionality is not affected.

Reference:
https://github.com/kubernetes-csi/external-snapshotter/issues/421
Comment 1 Sam Fowler 2020-11-16 00:47:42 UTC 
Upstream Fix:

https://github.com/kubernetes-csi/external-snapshotter/pull/381
Comment 3 Sam Fowler 2020-11-16 04:47:15 UTC 
Fixed before GA of OCP 4.6.0:

https://github.com/openshift/csi-external-snapshotter/commit/6fd6683f423f7ae1ae154786f1988e4e479a417b
Comment 5 Sam Fowler 2020-11-16 04:50:48 UTC 
Both 'snapshot-controller' and 'external-snapshotter' are the short names for two container images produced by the upstream github.com/kubernetes-csi/
external-snapshotter repo. This repo is forked into github.com/openshift/csi-external-snapshotter, which produces the same container images with the (internal) names of:

ose-csi-snapshot-controller-container
ose-csi-external-snapshotter-container 

No released version of OCP includes a version of these containers that is affected by this CVE.
Comment 7 Sam Fowler 2020-11-18 00:20:26 UTC 
External References:

https://groups.google.com/g/kubernetes-security-announce/c/1EzCr1qUxxU
https://github.com/kubernetes-csi/external-snapshotter/issues/421
Comment 8 Jan Safranek 2020-11-18 08:11:53 UTC 
I agree, our snapshot-controller is already fixed in both 4.6.0 and 4.7 by https://bugzilla.redhat.com/show_bug.cgi?id=1883421. The bug is not present in 4.5 and earlier releases.
Comment 9 Stoyan Nikolov 2020-11-19 09:47:43 UTC 
Statement:

This vulnerability only affects versions v3.0.0 - v3.0.1 of the upstream snapshot-controller. No released component of OpenShift Container Platform (OCP) includes a vulnerable version. The first release of OCP 4.6 included v3 of snapshot-controller with this fix, earlier versions of OCP include v2 which is not affected by this vulnerability. Similarly, no components of OpenShift Virtualization include a vulnerable version.
Comment 10 Product Security DevOps Team 2020-12-01 17:33:53 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-8569
Note You need to log in before you can comment on or make changes to this bug.