Description
A vulnerability exists in the NodeRestriction admission controller in Kubernetes clusters where node users can delete their corresponding node object by patching themselves with an OwnerReference to a cluster-scoped resource. If the OwnerReference resource does not exist or is subsequently deleted, the given node object will be deleted via garbage collection.
A vulnerability was found in the kube-apiserver's NodeRestriction admission controller, where node users can delete their corresponding node object by setting their own OwnerReference to a cluster-scoped resource. This flaw allows an attacker to delete and recreate its node object, leading to the node being recreated with modified taints or labels, which should not be allowed in this context. This may let the attacker control which pods are running on the compromised node.
Statement
This vulnerability is rated as having a Moderate severity. For a successful attack to take place, the attacker needs to have a highly privileged account with enough privileges to create nodes.
Mitigation
This vulnerability can be mitigated by enabling the OwnerReferencesPermissionEnforcement admission controller, which will prevent any user without delete permissions on an object from modifying the OwnerReferences on that object. Note that this admission controller will apply to all users and object types.
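A quick way to verify the mitigation on a cluster you administer is to inspect the kube-apiserver command line and confirm that OwnerReferencesPermissionEnforcement appears in its admission plugin list. The script below is an added example, not part of this advisory or of the Kubernetes or OpenShift projects; it assumes the upstream kube-apiserver `--enable-admission-plugins` flag (OpenShift configures admission plugins through its operators rather than a raw flag, so adapt the input accordingly) and runs against a constructed sample command line. It accepts either a single-line `ps` output or the argument list from a static pod manifest, since each `- --flag=value` token is split on whitespace.

```shell
#!/bin/sh
# Added example: check whether a kube-apiserver command line enables the
# OwnerReferencesPermissionEnforcement admission plugin (the mitigation above).
# The sample command line below is constructed for illustration and is
# deliberately missing the plugin.
SAMPLE_CMDLINE='kube-apiserver --enable-admission-plugins=NodeRestriction,PodSecurity --authorization-mode=Node,RBAC'

# has_owner_ref_enforcement CMDLINE
# Returns 0 (true) if --enable-admission-plugins lists
# OwnerReferencesPermissionEnforcement, 1 (false) otherwise.
has_owner_ref_enforcement() {
  cmdline="$1"
  # Split the command line into one token per line, keep only the
  # --enable-admission-plugins=... token, and strip the flag name.
  plugins=$(printf '%s\n' "$cmdline" | tr ' ' '\n' \
    | sed -n 's/^--enable-admission-plugins=//p')
  # The value is a comma-separated list; match the plugin name exactly.
  printf '%s\n' "$plugins" | tr ',' '\n' \
    | grep -qx 'OwnerReferencesPermissionEnforcement'
}

# Stand-alone usage against the constructed sample; on a real host replace
# SAMPLE_CMDLINE with e.g. the output of: ps -o args= -C kube-apiserver
if has_owner_ref_enforcement "$SAMPLE_CMDLINE"; then
  echo "OwnerReferencesPermissionEnforcement: enabled"
else
  echo "OwnerReferencesPermissionEnforcement: NOT enabled (mitigation missing)"
fi
```

The check matches the plugin name as a whole list entry rather than as a substring, so a differently named plugin that happens to contain the same text would not produce a false "enabled" result.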
Affected packages
Platform | Package | State | Advisory | Release |
---|---|---|---|---|
Red Hat OpenShift Container Platform 4 | openshift | Fix deferred | | |
Red Hat OpenShift Container Platform 4 | openshift4/ose-hyperkube-rhel9 | Fix deferred | | |
Red Hat OpenShift Container Platform 4 | openshift4/ose-kube-proxy | Fix deferred | | |
Red Hat OpenShift Container Platform 4 | ose-installer-kube-apiserver-artifacts-container | Fix deferred | | |
Additional information
Status:
EPSS
CVSS3: 6.7 Medium
Related vulnerabilities
Kubernetes Nodes can delete themselves by adding an OwnerReference