CVE-2021-25738: [Kubernetes Java Client] CVE-2021-25738: Code exec via yaml parsing

Tim Allclair

unread,

May 17, 2021, 7:39:45 PM5/17/21

to kubernetes-announce, Kubernetes developer/contributor discussion, kubernetes-sec…@googlegroups.com, kubernetes-security-discuss, distributo…@kubernetes.io, kubernetes+a…@discoursemail.com

Hello Kubernetes Community,

A security issue was discovered in the Kubernetes Java client library where loading specially-crafted yaml can lead to code execution.

This issue has been rated Medium (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), and assigned CVE-2021-25738.

Am I vulnerable?

If you process untrusted inputs with the Kubernetes Java Client you may be vulnerable to this issue.

Affected Versions

• Kubernetes Java Client == v11.0.0

• Kubernetes Java Client <= v10.0.1

• Kubernetes Java Client <= v9.0.2

How do I mitigate this vulnerability?

Prior to upgrading, this vulnerability can be mitigated by validating inputs to the client.

Fixed Versions

• Kubernetes Java Client >= v12.0.0

• Kubernetes Java Client >= v11.0.1

Detection

If you find evidence that this vulnerability has been exploited, please contact secu…@kubernetes.io

Additional Details

See the GitHub issue for more details: https://github.com/kubernetes-client/java/issues/1698

Acknowledgements

This vulnerability was reported by Jordy Versmissen through our bug bounty.

Thank You,

Tim Allclair on behalf of the Kubernetes Product Security Committee