[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[oss-security] Security release of kubernetes-csi sidecars - CVE-2019-11255



Hello Kubernetes Community,



A security issue has been found in the kubernetes-csi external-provisioner
<https://github.com/kubernetes-csi/external-provisioner>,
external-snapshotter
<https://github.com/kubernetes-csi/external-snapshotter>, and
external-resizer <https://github.com/kubernetes-csi/external-resizer>
sidecars that impacts most versions of the sidecars bundled in Container
Storage Interface (CSI) drivers. The vulnerabilities are medium severity
and can result in unauthorized volume data access or mutation when using
CSI volume snapshot, cloning or resizing features in Kubernetes. Upgrading
your CSI drivers to the fixed sidecars is recommended. Details are below
and at https://issue.k8s.io/85233


The following versions of the CSI sidecars have been fixed:

external-provisioner:

   -

   v0.4.3
   -

   v1.0.2
   -

   v1.2.2
   -

   v1.3.1
   -

   v1.4.0


external-snapshotter:

   -

   v0.4.2
   -

   v1.0.2
   -

   v1.2.2


external-resizer

   -

   v0.3.0


No fixes in kubernetes/kubernetes are required.


Affected Components and Versions

The following Kubernetes versions are affected with default feature gates:

   -

   v1.16.0+


The following Kubernetes versions are affected with non-default alpha
VolumeSnapshotDataSource,
ExpandCSIVolumes, and VolumePVCDataSource feature gates enabled:

   -

   v1.12.0+


CSI drivers installed with these kubernetes-csi sidecars versions are
affected:

external-provisioner: v0.4.1-0.4.2, v1.0.0-1.0.1, v1.1.0-1.2.1, v1.3.0

external-snapshotter: v0.4.0-0.4.1, v1.0.0-1.0.1, v1.1.0-v1.2.1

external-resizer: v0.1.0-0.2.0



How do I mitigate the vulnerability?


As a short term mitigation, disable the VolumeSnapshotDataSource,
ExpandCSIVolumes, and VolumePVCDataSource Kubernetes feature gates in
kube-apiserver and kube-controller-manager. This will cause new
PersistentVolumeClaims to be provisioned ignoring the DataSource and
resizing requests will also be ignored. Note that this will cause new PVCs
that are intended to be provisioned from a snapshot or clone to instead
provision a blank disk.


Also, to disable taking volume snapshots, either remove the
external-snapshotter sidecar from any CSI drivers or revoke the CSI
driver’s RBAC permissions on the snapshot.storage.k8s.io API group.


Longer term, upgrade your CSI driver with patched versions of the affected
sidecars.


Acknowledgements


Thanks to Xiangqian Yu from Google for discovering this issue.


Thanks to Michelle Au, Jan Šafránek, Hemant Kumar, and Xing Yang for
coordinating the fixes and release.


Thank You,


Tim Allclair on behalf of the Kubernetes Product Security Committee