Updated on 2023-08-02 GMT+08:00

Notice on the Vulnerability of Kubernetes subPath Symlink Exchange (CVE-2021-25741)

Description

A security issue was spotted in Kubernetes where a user may be able to create a container with a subPath volume mounted to access files and directories outside of the volume, including those on the host file system.

When a container uses subPath to mount files or directories, an attacker may use a symlink exchange to access directories outside the mount directory, or files on the host, and so perform unauthorized operations.

Table 1 Vulnerability information

| Type | CVE-ID | Severity | Discovered |
|------|--------|----------|------------|
| Resource management flaw | CVE-2021-25741 | Medium | 2021-09-15 |

Impact

This vulnerability affects the scenario where VolumeSubpath is enabled (enabled by default). It may have the following impacts:

  • If a malicious user creates a container with a subPath volume mounted, the user can access files and directories outside the volume, including those on the host file system.
  • Clusters for which the cluster administrator has restricted the ability to create hostPath mounts are most severely affected. An attacker can exploit this vulnerability to perform access similar to hostPath without using the hostPath function, thereby bypassing the restriction.
  • In the default Kubernetes environment, vulnerability exploitation can be used to mask the abuse of granted privileges.

Identification Method

All clusters (except new clusters of version 1.19.10 or later) are affected by this vulnerability.

Log in to the node and run the following command to check BuildDate. If BuildDate is later than August 20, 2021, the vulnerability has been fixed and the system is not affected.

Solution

You can disable the VolumeSubpath feature gate on kubelet and delete any existing pods that use the subPath function.

  1. Log in to each CCE node as user root.
  2. Modify the kubelet configuration parameter to disable the VolumeSubpath feature.

    vi /opt/cloud/cce/kubernetes/kubelet/kubelet_config.yaml

    Add the VolumeSubpath: false field.

  3. Restart kubelet.

    systemctl restart kubelet

  4. Ensure that the new kubelet process is started and VolumeSubpath is disabled.

    vi /var/paas/sys/log/kubernetes/kubelet.log

    Search for VolumeSubpath=false. If it can be found, the function is successfully disabled.

  5. Delete any pod that uses the subPath function.
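To find the pods that step 5 refers to, the pod list can be scanned for volume mounts that set subPath. The script below is an added example, not part of the original notice or of CCE tooling; the file name find_subpath_pods.py, the function name and the sample data are constructed, and it also reports subPathExpr, which goes beyond what the notice names.

```python
"""Usage: kubectl get pods -A -o json | python3 find_subpath_pods.py"""
import json
import sys

# Pod spec fields that hold containers with volumeMounts.
CONTAINER_KEYS = ("initContainers", "containers", "ephemeralContainers")
# subPathExpr is the variable-expanded form of subPath; reporting it too is
# a choice made for this example (the notice itself only names subPath).
SUBPATH_KEYS = ("subPath", "subPathExpr")


def pods_using_subpath(pod_list):
    """Return sorted (namespace, pod, container, mountPath, subPath) tuples."""
    findings = []
    for pod in pod_list.get("items", []):
        meta, spec = pod.get("metadata", {}), pod.get("spec", {})
        for key in CONTAINER_KEYS:
            for ctr in spec.get(key) or []:
                for mount in ctr.get("volumeMounts") or []:
                    for sp_key in SUBPATH_KEYS:
                        if mount.get(sp_key):  # empty value mounts the volume root
                            findings.append((meta.get("namespace", "default"),
                                             meta.get("name", "?"), ctr.get("name", "?"),
                                             mount.get("mountPath", ""), mount[sp_key]))
    return sorted(findings)


# Constructed sample shaped like `kubectl get pods -A -o json` output.
SAMPLE = {"items": [
    {"metadata": {"namespace": "web", "name": "nginx-0"},
     "spec": {"containers": [{"name": "nginx", "volumeMounts": [
         {"name": "conf", "mountPath": "/etc/nginx/nginx.conf", "subPath": "nginx.conf"},
         {"name": "data", "mountPath": "/data"}]}]}},
    {"metadata": {"namespace": "batch", "name": "job-1"},
     "spec": {"initContainers": [{"name": "prep", "volumeMounts": [
                  {"name": "work", "mountPath": "/work", "subPathExpr": "$(POD_NAME)"}]}],
              "containers": [{"name": "main", "volumeMounts": [
                  {"name": "work", "mountPath": "/work", "subPath": ""}]}]}},
    {"metadata": {"namespace": "kube-system", "name": "dns"},
     "spec": {"containers": [{"name": "dns"}]}},
]}

if __name__ == "__main__":
    # Read the pod list from a pipe; fall back to the sample when run interactively.
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for ns, pod, ctr, path, sub in pods_using_subpath(data):
        print(f"{ns}/{pod}\tcontainer={ctr}\tmountPath={path}\tsubPath={sub}")
```

Pods created by a Deployment, StatefulSet or similar controller are recreated from their template after deletion, so the subPath entry has to be removed from the owning workload as well.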

Enabling or Rolling Back the VolumeSubpath Feature

  1. Modify the kubelet configuration file and delete the VolumeSubpath field.

    vi /opt/cloud/cce/kubernetes/kubelet/kubelet_config.yaml

  2. Restart kubelet.

    systemctl restart kubelet

  3. Check that the new kubelet process is started and the kubelet.log file does not contain VolumeSubpath=false.