Bug 1937562 (CVE-2021-25735) - CVE-2021-25735 kubernetes: Validating Admission Webhook does not observe some previous fields
Summary: CVE-2021-25735 kubernetes: Validating Admission Webhook does not observe some...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-25735
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1937678 1937679 1937681 1938136 1938137 1938138 1937677 1937680 1949608
Blocks: 1937563
TreeView+ depends on / blocked
 
Reported: 2021-03-11 01:16 UTC by Sam Fowler
Modified: 2021-11-03 20:47 UTC (History)
16 users (show)

Fixed In Version: kubernetes 1.21.0, kubernetes 1.20.6, kubernetes 1.19.10, kubernetes 1.18.18
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in Kubernetes' kube-apiserver that could allow Node updates to bypass a Validating Admission Webhook. An authenticated user could exploit this by modifying Node properties to values that should have been prevented by registered admission webhooks.
Clone Of:
Environment:
Last Closed: 2021-07-28 01:06:55 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:2437 0 None None None 2021-07-27 22:07:25 UTC

Description Sam Fowler 2021-03-11 01:16:29 UTC
A security issue was discovered in kube-apiserver that could allow node updates to bypass a Validating Admission Webhook. You are only affected by this vulnerability if you run a Validating Admission Webhook for Nodes that denies admission based at least partially on the old state of the Node object.

Note: This only impacts validating admission plugins that rely on old values in certain fields, and does not impact calls from kubelets that go through the built-in NodeRestriction admission plugin.


Upstream placeholder issue:

https://github.com/kubernetes/kubernetes/issues/100096


Upstream PR:

https://github.com/kubernetes/kubernetes/pull/99946

Comment 9 Przemyslaw Roguski 2021-04-14 16:21:04 UTC
Acknowledgments:

Name: the Kubernetes Product Security Committee
Upstream: Rogerio Bastos (Red Hat), Ari Lima (Red Hat)

Comment 10 Przemyslaw Roguski 2021-04-14 16:21:44 UTC
Created origin tracking bugs for this issue:

Affects: fedora-all [bug 1949608]

Comment 11 Sam Fowler 2021-05-10 06:10:21 UTC
External References:

https://groups.google.com/g/kubernetes-security-announce/c/FKAGqT4jx9Y

Comment 13 errata-xmlrpc 2021-07-27 22:07:27 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.8

Via RHSA-2021:2437 https://access.redhat.com/errata/RHSA-2021:2437

Comment 14 Product Security DevOps Team 2021-07-28 01:06:55 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-25735

Comment 15 Richard Theis 2021-08-21 10:55:36 UTC
https://access.redhat.com/security/cve/CVE-2021-25735 only references OpenShift version 4.8 as being fixed.  There are no details on earlier OpenShift version 4.x releases.  Are these releases not impacted, still vulnerable or fixed?

Comment 16 Sam Fowler 2021-08-23 00:15:41 UTC
(In reply to Richard Theis from comment #15)
> https://access.redhat.com/security/cve/CVE-2021-25735 only references
> OpenShift version 4.8 as being fixed.  There are no details on earlier
> OpenShift version 4.x releases.  Are these releases not impacted, still
> vulnerable or fixed?

OpenShift 4.8.2 is the first released version of OpenShift 4 that has been fixed. Earlier released versions of OpenShift 4 are affected.

Comment 17 Rachel A 2021-10-20 10:16:10 UTC
Can anyone tell me whether CVE-2021-25735 has been fixed in for OpenShift 4.7 and 4.6, and if so which security errata its documented in? I can't see any updated details on https://access.redhat.com/security/cve/CVE-2021-25735, only that OpenShift v4 is still affected.

Or is this a similar case to https://bugzilla.redhat.com/show_bug.cgi?id=1963232#c26 (CVE-2021-33194) where this vulnerability won't be addressed in OpenShift (OCP) 4.7 and 4.6 as both these releases are already in the maintenance support phase?

Comment 18 Sam Fowler 2021-10-21 04:33:47 UTC
In reply to comment #17:
> Can anyone tell me whether CVE-2021-25735 has been fixed in for OpenShift
> 4.7 and 4.6, and if so which security errata its documented in? I can't see
> any updated details on
> https://access.redhat.com/security/cve/CVE-2021-25735, only that OpenShift
> v4 is still affected.

OpenShift 4.8.2 is the first released version of OpenShift 4 that has been fixed. Earlier released versions of OpenShift 4 are affected.
 
> Or is this a similar case to
> https://bugzilla.redhat.com/show_bug.cgi?id=1963232#c26 (CVE-2021-33194)
> where this vulnerability won't be addressed in OpenShift (OCP) 4.7 and 4.6
> as both these releases are already in the maintenance support phase?

Even in Full Support phase, only Important and Critical rated vulnerabilities are covered under our support policy:

https://access.redhat.com/support/policy/updates/openshift

That said, Low and Moderate rated CVEs do sometimes get fixed, but this is dependent on many factors. If you would like to request a fix for this CVE in earlier versions of OpenShift, please raise a support ticket.

Comment 19 Richard Theis 2021-10-29 13:05:59 UTC
Thank you.  Is a support ticket separate from a bugzilla?  If so, should we open both a support ticket and an associated bugzilla?

Comment 20 Sam Fowler 2021-11-02 03:31:29 UTC
(In reply to Richard Theis from comment #19)
> Thank you.  Is a support ticket separate from a bugzilla?  If so, should we
> open both a support ticket and an associated bugzilla?

A support ticket is separate from bugzilla. On this page, please use the "Open a Support Case" link:

https://access.redhat.com/

Comment 21 Richard Theis 2021-11-03 20:47:18 UTC
Done.  Thank you.


Note You need to log in before you can comment on or make changes to this bug.