Bug 1923405 (CVE-2021-20218) - CVE-2021-20218 fabric8-kubernetes-client: vulnerable to a path traversal leading to integrity and availability compromise
Summary: CVE-2021-20218 fabric8-kubernetes-client: vulnerable to a path traversal lead...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-20218
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1924002 1924003 1924004 1928233 1928234 1928658 1928845 1929117 1929121
Blocks: 1915901 1923970
TreeView+ depends on / blocked
 
Reported: 2021-02-01 16:46 UTC by Jonathan Christison
Modified: 2022-01-26 16:57 UTC (History)
62 users (show)

See Also:
Fixed In Version: kubernetes-client-4.13.2 kubernetes-client-5.0.2 kubernetes-client-4.11.2 kubernetes-client-4.7.2
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the fabric8 kubernetes-client in version 4.2.0 and after. This flaw allows a malicious pod/container to cause applications using the fabric8 kubernetes-client `copy` command to extract files outside the working path. The highest threat from this vulnerability is to integrity and system availability.
Clone Of:
Environment:
Last Closed: 2021-03-25 11:35:13 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:3205 0 None None None 2021-08-18 09:13:43 UTC
Red Hat Product Errata RHSA-2021:3207 0 None None None 2021-08-18 09:55:09 UTC
Red Hat Product Errata RHSA-2021:5134 0 None None None 2021-12-14 21:33:34 UTC
Red Hat Product Errata RHSA-2022:0296 0 None None None 2022-01-26 15:53:05 UTC
Red Hat Product Errata RHSA-2022:0297 0 None None None 2022-01-26 16:57:01 UTC

Description Jonathan Christison 2021-02-01 16:46:25 UTC
A flaw was found in the fabric8 kubernetes-client where a malicious pod/container may cause applications using the fabric8 kubernetes-client `copy` command to extract files outside the working path, the main impact of this flaw is to integrity and availability of the kubernetes-client host. 

Upstream report: https://github.com/fabric8io/kubernetes-client/issues/2715

Comment 1 Jonathan Christison 2021-02-01 16:46:30 UTC
Acknowledgments:

Name: Ivan Bodrov, Marc Nuri (Red Hat)

Comment 2 Jonathan Christison 2021-02-01 16:46:31 UTC
External References:

https://github.com/fabric8io/kubernetes-client/issues/2715

Comment 19 Todd Cullum 2021-03-20 00:58:03 UTC
Statement:

In OpenShift Container Platform 4 (OCP) there are no plans to maintain the ose-logging-elasticsearch5 container, therefore it has been marked wontfix at this time and maybe fixed in a future update.

Red Hat CodeReady WorkSpaces 2.7.0 does not ship fabric8-kubernetes-client and is therefore not affected by this flaw.

Comment 20 Jonathan Christison 2021-03-22 12:23:11 UTC
Marking Red Hat AMQ Online has having a low impact, although a vulnerable fabric8-kubernetes-client version is distributed and used with AMQ Online, the vulnerable functionality (PodOperationsImpl/copy) it is never used by AMQ Online.

Comment 21 errata-xmlrpc 2021-03-25 09:43:56 UTC
This issue has been addressed in the following products:

  Red Hat AMQ Online 1.7.0 GA

Via RHSA-2021:0986 https://access.redhat.com/errata/RHSA-2021:0986

Comment 22 Product Security DevOps Team 2021-03-25 11:35:13 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-20218

Comment 24 Jonathan Christison 2021-03-25 17:29:01 UTC
A word on scoring, our scoring is currently 7.4/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H and NVD of 9.1/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H will change to 7.4/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H

My take: 

Exploitability Metrics: 

Attack Vector Network (AV:N) -
Agree here, the fabric8 kubernetes client is bound to the network stack and it is commonly carrying out operations over WANs 

Attack Complexity Low (AC:L) -> Attack Complexity High (AC:H):

We disagree with the original scoring of a low attack complexity, a successful attack depends on conditions beyond the attacker's control, we believe those conditions are -

*) The attacker must have a method to inject a malicious container, or alter the tar binary within a legitimate container within the openshift or kubernetes cluster that the fabric8 kubernetes client is connecting and invoking the `copy()` command upon, in other words there is a prerequisite for the attacker to overcome other security protections outside the scope of kubernetes client by preparing the target environment to improve exploit reliability. 

*) The vulnerability is only exploitable if the user invokes the copy() command on the aforementioned malicious container, this is an additional element outside the attackers control, user interaction being required might cover this in some circumstances but it is specific to the end application (the application using the fabirc8 kubernetes client library) and ultimately means an attacker must gather knowledge about the environment in which the vulnerable component exits.

*) Upon successful exploitation of the flaw, the impact of the flaw will be dependent on the end application user permissions, this is addressed in the Integrity section but is also an element liable to change from system to system and another element which is outside the attackers control.  

Privileges Required None (PR:N) -
Agree here, the attacker does not necessarily need to be a privileged user eg. no login required to exploit the base flaw.

User Interaction None (UI:N)
Mostly agree here, a user may not need to be coerced into performing any action for this flaw, an attacker can expect to be successful if the prerequisite set out in attack complexity section are true and the copy() command/method is invoked, invoking of the command could be by a user manually (invoked as part of a specific end application function) or automatically as a batch process in the end application. 

Scope Unchanged (S:U)
Agree here, the attacker will not be able to escape the scope of the executing JVM solely due to this flaw
 
Impact Metrics:

Confidentiality None (C:N)
Agree here, there is no loss of confidentiality within the impacted component, the attacker is unable to divulge any information with this attack alone

Integrity High (I:H) 
We agree in principle here, in a successful attack a malicious file may be extracted to any location on the target (end user) machine to which the user under which fabric8 kubernetes client end application is running, these permissions would in most circumstances result in a low impact integrity, however in this case the files likely modifiable or overwritable present a direct and serious consequence e.g overwriting administrative tools used in the administration of the kubernetes or openshift cluster 

Availability High (A:H)
We agree here, in a successful attack, files associated with fabric8 kubernetes client could be overwritten and its functionality could persistantly be inaccessible to a user until these files are recovered/replaced. ie. the user might be unable to connect to the openshift/kubernetes cluster

Comment 25 errata-xmlrpc 2021-03-29 11:13:03 UTC
This issue has been addressed in the following products:

  Red Hat build of Quarkus

Via RHSA-2021:1004 https://access.redhat.com/errata/RHSA-2021:1004

Comment 28 errata-xmlrpc 2021-08-18 09:13:38 UTC
This issue has been addressed in the following products:

  Red Hat Integration

Via RHSA-2021:3205 https://access.redhat.com/errata/RHSA-2021:3205

Comment 29 errata-xmlrpc 2021-08-18 09:55:05 UTC
This issue has been addressed in the following products:

  Red Hat Integration

Via RHSA-2021:3207 https://access.redhat.com/errata/RHSA-2021:3207

Comment 30 errata-xmlrpc 2021-12-14 21:33:30 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.10

Via RHSA-2021:5134 https://access.redhat.com/errata/RHSA-2021:5134

Comment 31 errata-xmlrpc 2022-01-26 15:53:01 UTC
This issue has been addressed in the following products:

  RHPAM 7.12.0

Via RHSA-2022:0296 https://access.redhat.com/errata/RHSA-2022:0296

Comment 32 errata-xmlrpc 2022-01-26 16:56:58 UTC
This issue has been addressed in the following products:

  RHDM 7.12.0

Via RHSA-2022:0297 https://access.redhat.com/errata/RHSA-2022:0297


Note You need to log in before you can comment on or make changes to this bug.