Notice on the Vulnerability of Kubernetes subPath Symlink Exchange (CVE-2021-25741)
Description
A security issue was discovered in Kubernetes in which a user who can create a container with a subPath volume mount may be able to access files and directories outside the volume, including files on the host file system.
When a container uses subPath to mount files or directories from a volume, an attacker may use a symlink exchange to reach directories other than the mount directory, or files on the host, and perform unauthorized operations there.
Type | CVE-ID | Severity | Discovered
---|---|---|---
Resource management flaw | CVE-2021-25741 | Medium | 2021-09-15
Impact
This vulnerability affects clusters in which the VolumeSubpath feature gate is enabled (it is enabled by default). It may have the following impacts:
- If a malicious user creates a container with a subPath volume mounted, the user can access files and directories outside the volume, including those on the host file system.
- Clusters in which the cluster administrator has restricted the ability to create hostPath mounts are affected most severely. An attacker can exploit this vulnerability to obtain access similar to that of a hostPath mount without using the hostPath feature, thereby bypassing the restriction.
- In the default Kubernetes environment, exploitation of the vulnerability can be used to obscure the abuse of privileges that have already been granted.
Identification Method
All clusters (except new clusters of version 1.19.10 or later) are affected by this vulnerability.
Log in to the node and run the following command to check BuildDate. If BuildDate is later than August 20, 2021, the fix is included and the node is not affected by the vulnerability.
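The notice gives a date to compare against but not a parser for it. The following Python script is an added example, not part of the notice or of Kubernetes itself: it extracts the BuildDate field from whatever version output you have saved (it assumes either the raw Go-style `BuildDate:"..."` form printed by Kubernetes components' version flags or the `"buildDate": "..."` form of `kubectl version -o json`; both sample strings below are constructed) and applies the "later than August 20, 2021" rule from the identification step.

```python
import re
from datetime import date, datetime

# Date stated in the notice: builds dated after 20 August 2021 contain the fix.
FIX_CUTOFF = date(2021, 8, 20)

# Matches both Go struct output (BuildDate:"2021-...") and JSON ("buildDate": "2021-...").
_BUILD_DATE_RE = re.compile(r'[Bb]uildDate"?\s*:\s*"([^"]+)"')


def extract_build_dates(version_output: str) -> list:
    """Return every BuildDate value found in the captured version output, in order."""
    return _BUILD_DATE_RE.findall(version_output)


def build_date_is_fixed(build_date: str) -> bool:
    """True if the RFC 3339 build date is strictly after the cutoff day (21 Aug 2021 or later)."""
    built = datetime.strptime(build_date, "%Y-%m-%dT%H:%M:%SZ").date()
    return built > FIX_CUTOFF


def node_is_fixed(version_output: str) -> bool:
    """Apply the notice's rule to a captured version string.

    All BuildDate values found must be after the cutoff (kubectl JSON output carries
    both client and server dates). Raises ValueError if no BuildDate is present, so a
    truncated or unexpected output is never silently treated as patched.
    """
    dates = extract_build_dates(version_output)
    if not dates:
        raise ValueError("no BuildDate field found in version output")
    return all(build_date_is_fixed(d) for d in dates)


# Constructed samples (not real CCE build output).
SAMPLE_RAW_OLD = ('version.Info{Major:"1", Minor:"19", GitVersion:"v1.19.10", '
                  'BuildDate:"2021-05-12T12:20:13Z", GoVersion:"go1.15.12"}')
SAMPLE_RAW_NEW = ('version.Info{Major:"1", Minor:"19", GitVersion:"v1.19.10", '
                  'BuildDate:"2021-09-01T08:00:00Z", GoVersion:"go1.15.15"}')
SAMPLE_JSON = ('{"clientVersion": {"gitVersion": "v1.21.3", "buildDate": "2021-07-15T21:04:39Z"}, '
               '"serverVersion": {"gitVersion": "v1.19.10", "buildDate": "2021-09-01T08:00:00Z"}}')

if __name__ == "__main__":
    import sys
    # Usage: kubelet --version=raw > ver.txt; python3 check_builddate.py ver.txt
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RAW_OLD
    for d in extract_build_dates(text):
        print(f"BuildDate {d}: {'fixed' if build_date_is_fixed(d) else 'NOT fixed'}")
```

Run it against the saved output of the node's version command; any line reported as NOT fixed means that node still needs the workaround in the Solution section.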
Solution
You can disable the VolumeSubpath feature gate on kubelet and delete any existing pods that use the subPath function.
- Log in to each CCE node as user root.
- Modify the kubelet configuration parameter to disable the VolumeSubpath feature.
vi /opt/cloud/cce/kubernetes/kubelet/kubelet_config.yaml
Add the VolumeSubpath: false field.
- Restart kubelet.
systemctl restart kubelet
- Confirm that the new kubelet process has started and that VolumeSubpath is disabled.
vi /var/paas/sys/log/kubernetes/kubelet.log
Search for VolumeSubpath=false. If it is present, the feature has been disabled successfully.
- Delete any pod that uses the subPath function.
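The last step requires knowing which pods actually use subPath. The following Python script is an added example (not part of the notice or of CCE) that reads the JSON produced by `kubectl get pods -A -o json` and lists every volumeMount that sets subPath; it also flags subPathExpr, on the conservative assumption that those mounts should be reviewed too. The pod list embedded below is constructed for illustration.

```python
import json
from typing import Iterator, List, Tuple

Finding = Tuple[str, str, str, str, str]  # namespace, pod, container, volume, subPath value


def subpath_mounts(pod: dict) -> Iterator[Finding]:
    """Yield one finding per volumeMount in the pod that uses subPath (or subPathExpr)."""
    meta = pod.get("metadata", {})
    namespace = meta.get("namespace", "default")
    pod_name = meta.get("name", "")
    spec = pod.get("spec", {})
    # Init, regular and ephemeral containers can all carry volumeMounts.
    for field in ("initContainers", "containers", "ephemeralContainers"):
        for container in spec.get(field) or []:
            for mount in container.get("volumeMounts") or []:
                sub = mount.get("subPath") or mount.get("subPathExpr")
                if sub:
                    yield (namespace, pod_name, container.get("name", ""),
                           mount.get("name", ""), sub)


def find_subpath_pods(pod_list_json: str) -> List[Finding]:
    """Scan a kubectl PodList document and return all subPath findings, cluster-wide."""
    items = json.loads(pod_list_json).get("items", [])
    return [finding for pod in items for finding in subpath_mounts(pod)]


# Constructed sample PodList: one subPath mount, one subPathExpr mount, one clean pod.
SAMPLE_POD_LIST = json.dumps({
    "apiVersion": "v1", "kind": "List", "items": [
        {"metadata": {"namespace": "default", "name": "web"},
         "spec": {"containers": [{"name": "app", "volumeMounts": [
             {"name": "config-vol", "mountPath": "/etc/app/app.conf", "subPath": "app.conf"},
             {"name": "logs", "mountPath": "/var/log/app"}]}]}},
        {"metadata": {"namespace": "batch", "name": "importer"},
         "spec": {"initContainers": [{"name": "init", "volumeMounts": [
             {"name": "data", "mountPath": "/data", "subPathExpr": "$(POD_NAME)"}]}],
                  "containers": [{"name": "main", "volumeMounts": [
             {"name": "data", "mountPath": "/data"}]}]}},
        {"metadata": {"namespace": "kube-system", "name": "plain"},
         "spec": {"containers": [{"name": "c", "volumeMounts": [
             {"name": "tmp", "mountPath": "/tmp"}]}]}},
    ]})

if __name__ == "__main__":
    import sys
    # Usage: kubectl get pods -A -o json > pods.json; python3 find_subpath.py pods.json
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_POD_LIST
    for ns, pod, container, volume, sub in find_subpath_pods(raw):
        print(f"{ns}/{pod} container={container} volume={volume} subPath={sub}")
```

Each printed line is a pod that will stop working once VolumeSubpath is disabled and that the notice says should be deleted; review the list with the workload owners before removing anything.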
Enabling or Rolling Back the VolumeSubpath Feature
- Modify the kubelet configuration file and delete the VolumeSubpath field.
vi /opt/cloud/cce/kubernetes/kubelet/kubelet_config.yaml
- Restart kubelet.
systemctl restart kubelet
- Confirm that the new kubelet process has started and that the kubelet.log file no longer contains VolumeSubpath=false.