Headline
CVE-2021-25749: [Security Advisory] CVE-2021-25749: runAsNonRoot logic bypass for Windows containers
Windows workloads can run as ContainerAdministrator even when those workloads set the runAsNonRoot option to true.
Hello Kubernetes Community,
A security issue was discovered in Kubernetes that could allow Windows workloads to run as ContainerAdministrator even when those workloads set the runAsNonRoot option to true .
This issue has been rated low and assigned CVE-2021-25749
Am I vulnerable?
All Kubernetes clusters with following versions, running Windows workloads with runAsNonRoot are impacted.
Affected Versions
- kubelet v1.20 - v1.21
- kubelet v1.22.0 - v1.22.13
- kubelet v1.23.0 - v1.23.10
- kubelet v1.24.0 - v1.24.4
How do I mitigate this vulnerability?
There are no known mitigations to this vulnerability.
Fixed Versions
- kubelet v1.22.14
- kubelet v1.23.11
- kubelet v1.23.5
- kubelet v1.25.0
To upgrade, refer to this documentation. For core Kubernetes: https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster
Detection
Kubernetes Audit logs may indicate if the user name was misspelled to bypass the restriction placed on which user is a pod allowed to run as.
If you find evidence that this vulnerability has been exploited, please contact secu…@kubernetes.io
Additional Details
See the GitHub issue for more details: https://github.com/kubernetes/kubernetes/issues/112192
Acknowledgements
This vulnerability was reported and fixed by Mark Rosetti (@marosset)
Thank You,
Pushkar Joglekar on behalf of the Kubernetes Security Response Committee
Related news
Red Hat Security Advisory 2022-9096-01 - Red Hat OpenShift support for Windows Containers allows you to deploy Windows container workloads running on Windows Server containers. Issues addressed include bypass and denial of service vulnerabilities.
The components for Red Hat OpenShift support for Windows Container 7.0.0 are now available. This product release includes bug fixes and a moderate security update for the following packages: windows-machine-config-operator and windows-machine-config-operator-bundle. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-25749: kubelet: runAsNonRoot logic bypass for Windows containers * CVE-2022-21698: prometheus/client_golang: Denial of service using InstrumentHandlerCounter *...