Bug 1191818 - (CVE-2021-36779) VUL-0: CVE-2021-36779: Host operations allowed in privileged Longhorn managed pods
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P5 - None
Severity: Critical
Assigned To: Security Team bot
Reported: 2021-10-19 09:45 UTC by David Ko
Modified: 2021-12-17 07:06 UTC
Comment 2 David Ko 2021-10-19 12:37:48 UTC
(In reply to Johannes Segitz from comment #1)
> can you please provide the information about the issue here or link to the
> github issue so we can evaluate before we assign? Thanks

https://github.com/longhorn/security/issues/1 (this is a private issue you can't access, but you can see the info below)

"""
The pods managed by Longhorn Manager are run with a privileged context on every node in the cluster. The pod’s container runs as root and exposes a gRPC service on TCP port 8500. This service is accessible to any workload in the cluster and requires no authentication. A malicious workload can take advantage of this service to execute any binary present in the image, which includes curl and apt.

I was able to take advantage of this vulnerability from an unprivileged workload in a test cluster to install and run arbitrary applications in the container and access/modify the host (node) filesystem as root.
"""
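
A defensive check for the exposure pattern described in the comment above (a privileged container serving a port that any workload in the cluster can reach), as an added example that is not part of the bug report or Longhorn's code. It takes objects shaped like the items of `kubectl get pods,networkpolicy -o json`; the pod names, namespace, labels and policy are constructed sample data, and only `matchLabels` selectors are evaluated.

```python
# Added example: flag privileged containers whose ports no ingress
# NetworkPolicy isolates. All object names and labels are constructed.

def selects(policy, pod):
    """True if an ingress NetworkPolicy applies to the pod (matchLabels only)."""
    if policy["metadata"]["namespace"] != pod["metadata"]["namespace"]:
        return False
    if "Ingress" not in policy["spec"].get("policyTypes", ["Ingress"]):
        return False
    want = policy["spec"].get("podSelector", {}).get("matchLabels", {})
    have = pod["metadata"].get("labels", {})
    return all(have.get(k) == v for k, v in want.items())

def audit(pods, policies):
    """Return (namespace, pod, container, port) for each exposed privileged port."""
    findings = []
    for pod in pods:
        if any(selects(p, pod) for p in policies):
            continue  # isolated for ingress; the allow rules still need review
        for c in pod["spec"]["containers"]:
            if not (c.get("securityContext") or {}).get("privileged"):
                continue
            # Declared ports only: a container can also listen on unlisted ones.
            for port in c.get("ports", []):
                findings.append((pod["metadata"]["namespace"],
                                 pod["metadata"]["name"], c["name"],
                                 port["containerPort"]))
    return findings

def make_pod(name, labels, privileged, port):
    """Build a minimal constructed pod object for the sample data."""
    return {"metadata": {"namespace": "storage-system", "name": name, "labels": labels},
            "spec": {"containers": [{"name": "main",
                                     "securityContext": {"privileged": privileged},
                                     "ports": [{"containerPort": port}]}]}}

PODS = [make_pod("example-manager", {"app": "example-manager"}, True, 8500),
        make_pod("example-ui", {"app": "example-ui"}, False, 8000)]
POLICY = {"metadata": {"namespace": "storage-system", "name": "restrict-manager"},
          "spec": {"podSelector": {"matchLabels": {"app": "example-manager"}},
                   "policyTypes": ["Ingress"],
                   "ingress": [{"from": [{"podSelector": {
                       "matchLabels": {"app": "example-manager"}}}]}]}}

if __name__ == "__main__":
    print(audit(PODS, []))        # privileged pod on 8500 is reported
    print(audit(PODS, [POLICY]))  # nothing reported once a policy selects it
```
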
Comment 4 Marcus Meissner 2021-11-02 09:09:23 UTC
Use CVE-2021-36779
Comment 5 David Ko 2021-12-17 05:26:44 UTC
https://github.com/longhorn/longhorn/security/advisories/GHSA-g358-m2wp-mhhx published. 

Please help publish to Mitre. Thank you!
Comment 6 Johannes Segitz 2021-12-17 07:06:44 UTC
public and fix is released