Bug 1189416 - (CVE-2021-25741) VUL-0: CVE-2021-25741: kubernetes: Symlink Exchange Can Allow Host Filesystem Access
Status: IN_PROGRESS
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium
Severity: Normal
Assigned To: Containers Team
Security Team bot
https://smash.suse.de/issue/307239/
CVSSv3.1:SUSE:CVE-2021-25741:8.8:(AV:...
Reported: 2021-08-13 06:19 UTC by Robert Frohl
Modified: 2021-10-08 13:16 UTC (History)
Comment 12 Swamp Workflow Management 2021-09-16 04:16:47 UTC
# maintenance_jira_update_notice
SUSE-SU-2021:3049-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1182185,1189416
CVE References: CVE-2021-25741,CVE-2021-3121
JIRA References: 
Sources used:
SUSE CaaS Platform 4.5 (src):    caasp-release-4.5.5-1.19.3, kubernetes-1.18-1.18.20-4.11.3, release-notes-caasp-4.5.20210907-3.22.3, skuba-2.1.15-3.15.13.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 13 Gianluca Gabrielli 2021-09-16 06:55:18 UTC
This is now public.
-------------------

Hello Kubernetes Community,

A security issue was discovered in Kubernetes where a user may be able to create a container with subpath volume mounts to access files & directories outside of the volume, including on the host filesystem.

This issue has been rated High (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), and assigned CVE-2021-25741.

Affected Components and Configurations

This bug affects kubelet.

Environments where cluster administrators have restricted the ability to create hostPath mounts are the most seriously affected. Exploitation allows hostPath-like access without use of the hostPath feature, thus bypassing the restriction. 

In a default Kubernetes environment, exploitation could be used to obscure misuse of already-granted privileges.

Affected Versions

    v1.22.0 - v1.22.1
    v1.21.0 - v1.21.4
    v1.20.0 - v1.20.10
    <= v1.19.14

Fixed Versions

This issue is fixed in the following versions:

    v1.22.2
    v1.21.5
    v1.20.11
    v1.19.15

Mitigation

To mitigate this vulnerability without upgrading kubelet, you can disable the VolumeSubpath feature gate on kubelet and kube-apiserver, and remove any existing Pods making use of the feature.

You can also use admission control to prevent less-trusted users from running containers as root to reduce the impact of successful exploitation.

Detection

If you find evidence that this vulnerability has been exploited, please contact security@kubernetes.io

Additional Details

See Kubernetes Issue #104980 for more details.

Acknowledgements

This vulnerability was reported by Fabricio Voznika and Mark Wolters of Google.

Thanks as well to Ian Coldwater, Duffie Cooley, Brad Geesaman, and Rory McCune for the thorough security research that led to the discovery of this vulnerability.

Thank You,

CJ Cullen on behalf of the Kubernetes Security Response Committee
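
An added example, not part of the advisory above or of Kubernetes itself: a Python audit for the Mitigation section that checks an upstream kubelet version against the listed ranges and finds containers using subPath or subPathExpr mounts, noting which of them may run as root. The function names and the sample Pod list are constructed for illustration.

```python
import re

# Fixed patch release per 1.x minor line, as listed in the advisory above.
FIXED_PATCH = {19: 15, 20: 11, 21: 5, 22: 2}

def kubelet_affected(version):
    """True if an upstream kubelet version (e.g. 'v1.21.4') is in an affected range."""
    m = re.match(r"v?1\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"not a 1.x version string: {version!r}")
    minor, patch = int(m.group(1)), int(m.group(2))
    if minor < 19:
        return True  # the advisory's "<= v1.19.14" covers every older line
    return minor in FIXED_PATCH and patch < FIXED_PATCH[minor]  # >1.22 not listed

def may_run_as_root(pod_sc, ctr_sc):
    """Container securityContext overrides the pod's; unset means image default."""
    sc = {**pod_sc, **ctr_sc}
    return sc.get("runAsNonRoot") is not True and sc.get("runAsUser", 0) == 0

def audit_pods(pod_list):
    """Return (namespace, pod, container, volumes, may_run_as_root) per subPath user."""
    findings = []
    for pod in pod_list.get("items", []):
        meta, spec = pod["metadata"], pod["spec"]
        pod_sc = spec.get("securityContext") or {}
        for kind in ("initContainers", "containers", "ephemeralContainers"):
            for ctr in spec.get(kind) or []:
                mounts = [m["name"] for m in ctr.get("volumeMounts") or []
                          if m.get("subPath") or m.get("subPathExpr")]
                if mounts:
                    root = may_run_as_root(pod_sc, ctr.get("securityContext") or {})
                    findings.append((meta.get("namespace", "default"), meta["name"],
                                     ctr["name"], mounts, root))
    return findings

# Constructed sample in the shape of `kubectl get pods -A -o json` output.
SAMPLE = {"items": [
    {"metadata": {"namespace": "team-a", "name": "web"},
     "spec": {"containers": [{"name": "app", "volumeMounts": [
         {"name": "data", "mountPath": "/srv", "subPath": "site"}]}]}},
    {"metadata": {"namespace": "team-a", "name": "worker"},
     "spec": {"securityContext": {"runAsNonRoot": True, "runAsUser": 1000},
              "initContainers": [{"name": "init", "volumeMounts": [
                  {"name": "cfg", "mountPath": "/cfg", "subPathExpr": "$(POD_NAME)"}]}],
              "containers": [{"name": "main", "volumeMounts": [
                  {"name": "cfg", "mountPath": "/cfg"}]}]}},
]}
```

To audit a live cluster, pass the parsed output of `kubectl get pods -A -o json` to `audit_pods`. `kubelet_affected` compares upstream version numbers only; distribution packages with backported fixes, such as the SUSE updates listed in this bug, need a package-level check instead.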
Comment 14 Richard Brown 2021-09-16 11:42:14 UTC
Fixes otw to Factory kubernetes1.22, 1.21, 1.20, and 1.19 and the overarching kubernetes metapackage, in the following SRs:

919507
919508
919509
919510
919511
Comment 17 Swamp Workflow Management 2021-10-08 13:16:09 UTC
SUSE-SU-2021:3323-1: An update that fixes one vulnerability is now available.

Category: security (low)
Bug References: 1189416
CVE References: CVE-2021-25741
JIRA References: 
Sources used:
SUSE CaaS Platform 4.0 (src):    caasp-release-4.2.6-24.43.2, kubernetes-1.17.17-4.25.2, release-notes-caasp-4.2.20210929-4.71.2, skuba-1.4.13-3.56.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.