SUSE-SU-2023:1967-1

Published: 24 Apr 2023
Source: suse-cvrf

Description

Security update for kubevirt, virt-api-container, virt-controller-container, virt-handler-container, virt-launcher-container, virt-libguestfs-tools-container, virt-operator-container

This update for kubevirt, virt-api-container, virt-controller-container, virt-handler-container, virt-launcher-container, virt-libguestfs-tools-container, virt-operator-container fixes the following issues:

  • CVE-2023-26484: Limit operator secrets permission. (bsc#1209359)

kubevirt is also rebuilt with a supported Go compiler (bsc#1208916)

Package list

SUSE Linux Enterprise Micro 5.3
kubevirt-manifests-0.54.0-150400.3.13.1
kubevirt-virtctl-0.54.0-150400.3.13.1
SUSE Linux Enterprise Micro 5.4
kubevirt-manifests-0.54.0-150400.3.13.1
kubevirt-virtctl-0.54.0-150400.3.13.1
SUSE Linux Enterprise Module for Containers 15 SP4
kubevirt-manifests-0.54.0-150400.3.13.1
kubevirt-virtctl-0.54.0-150400.3.13.1
openSUSE Leap 15.4
kubevirt-container-disk-0.54.0-150400.3.13.1
kubevirt-manifests-0.54.0-150400.3.13.1
kubevirt-tests-0.54.0-150400.3.13.1
kubevirt-virt-api-0.54.0-150400.3.13.1
kubevirt-virt-controller-0.54.0-150400.3.13.1
kubevirt-virt-handler-0.54.0-150400.3.13.1
kubevirt-virt-launcher-0.54.0-150400.3.13.1
kubevirt-virt-operator-0.54.0-150400.3.13.1
kubevirt-virtctl-0.54.0-150400.3.13.1
obs-service-kubevirt_containers_meta-0.54.0-150400.3.13.1
openSUSE Leap Micro 5.3
kubevirt-manifests-0.54.0-150400.3.13.1
kubevirt-virtctl-0.54.0-150400.3.13.1

Description (CVE-2023-26484)

KubeVirt is a virtual machine management add-on for Kubernetes. In versions 0.59.0 and prior, if a malicious user has taken over a Kubernetes node where virt-handler (the KubeVirt node daemon) is running, the virt-handler service account can be used to modify the spec of every node in the cluster. This can be misused to lure system-level privileged components onto the compromised node; such components can, for instance, read all secrets in the cluster or exec into pods on other nodes. In this way a compromised node can be used to escalate privileges beyond that node, potentially up to full privileged access to the whole cluster. The simplest way to exploit this, once a specific node has been compromised, is to use the virt-handler service account to mark all other nodes unschedulable and wait until system-critical, highly privileged components are scheduled onto the compromised node. No patches were available upstream at the time the CVE was published (the package versions listed on this page carry the SUSE fix). As a workaround, Gatekeeper users can add a webhook that blocks the `virt-handler` service account from modifying the spec of a node.
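The two checks a practitioner would want after reading this, as an added example written for this page (not KubeVirt, SUSE or Gatekeeper code): an offline RBAC audit that reports which ClusterRole rules grant update/patch on nodes, and the decision logic of the node-spec webhook the workaround describes, written here as a plain Python function over a Kubernetes AdmissionReview rather than as a Gatekeeper Rego policy. The namespace `kubevirt`, the service account name `kubevirt-handler`, and the sample rules and AdmissionReview objects are assumptions constructed for the example, not taken from the advisory.

```python
"""Offline checks for the CVE-2023-26484 exposure described above.

Added example; not KubeVirt, SUSE or Gatekeeper code. Assumptions:
  - KubeVirt is installed in namespace "kubevirt" and virt-handler runs
    under the service account "kubevirt-handler" (check your cluster).
  - SAMPLE_RULES and the AdmissionReview objects below are constructed to
    resemble real objects; they were not captured from a cluster.
"""
import json
from typing import Any

HANDLER_SA = "system:serviceaccount:kubevirt:kubevirt-handler"  # assumed name
NODE_WRITE_VERBS = {"update", "patch"}


def _matches(rule_values: list[str], wanted: str) -> bool:
    """An RBAC rule entry matches if it names the item or uses the '*' wildcard."""
    return "*" in rule_values or wanted in rule_values


def rules_granting_node_writes(rules: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Return the PolicyRules that let the bound subject update or patch Nodes.

    Nodes live in the core API group, which RBAC spells as "". A rule counts
    when apiGroups, resources and verbs all match, directly or via '*'.
    """
    hits = []
    for rule in rules:
        if not _matches(rule.get("apiGroups", []), ""):
            continue
        if not _matches(rule.get("resources", []), "nodes"):
            continue
        verbs = set(rule.get("verbs", []))
        if "*" in verbs or NODE_WRITE_VERBS & verbs:
            hits.append(rule)
    return hits


def admission_decision(review: dict[str, Any]) -> tuple[bool, str]:
    """Decide an AdmissionReview the way the workaround webhook in the text would.

    Deny only UPDATEs to Node objects where the virt-handler service account
    changed .spec (e.g. flipped unschedulable or added taints). Metadata-only
    changes (labels, annotations) stay allowed, and every other user and
    resource is left to the regular RBAC decision.
    """
    req = review["request"]
    if req.get("kind", {}).get("kind") != "Node" or req.get("operation") != "UPDATE":
        return True, "not a Node update"
    if req.get("userInfo", {}).get("username") != HANDLER_SA:
        return True, "not the virt-handler service account"
    old_spec = req.get("oldObject", {}).get("spec", {})
    new_spec = req.get("object", {}).get("spec", {})
    if old_spec == new_spec:
        return True, "node spec unchanged"
    changed = sorted(k for k in set(old_spec) | set(new_spec)
                     if old_spec.get(k) != new_spec.get(k))
    return False, f"{HANDLER_SA} may not modify Node spec (changed: {', '.join(changed)})"


# Constructed sample: an over-broad ClusterRole of the kind the CVE describes.
SAMPLE_RULES = json.loads("""
[
  {"apiGroups": [""], "resources": ["nodes"], "verbs": ["get", "list", "watch", "patch", "update"]},
  {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]},
  {"apiGroups": ["kubevirt.io"], "resources": ["virtualmachineinstances"], "verbs": ["*"]}
]
""")


def _node_update_review(old_obj: dict, new_obj: dict, username: str = HANDLER_SA) -> dict:
    """Build a minimal AdmissionReview for an UPDATE of a Node (constructed input)."""
    return {"request": {"kind": {"kind": "Node"}, "operation": "UPDATE",
                        "userInfo": {"username": username},
                        "oldObject": old_obj, "object": new_obj}}


# Constructed samples: the cordon step from the text, and a benign label-only update.
CORDON_REVIEW = _node_update_review(
    {"metadata": {"name": "worker-2"}, "spec": {"podCIDR": "10.244.2.0/24"}},
    {"metadata": {"name": "worker-2"}, "spec": {"podCIDR": "10.244.2.0/24", "unschedulable": True}})
LABEL_REVIEW = _node_update_review(
    {"metadata": {"name": "worker-1", "labels": {}}, "spec": {"podCIDR": "10.244.1.0/24"}},
    {"metadata": {"name": "worker-1", "labels": {"kubevirt.io/schedulable": "true"}},
     "spec": {"podCIDR": "10.244.1.0/24"}})

if __name__ == "__main__":
    for hit in rules_granting_node_writes(SAMPLE_RULES):
        print("node write granted by rule:", hit)
    for name, rev in (("cordon", CORDON_REVIEW), ("label-only", LABEL_REVIEW)):
        allowed, reason = admission_decision(rev)
        print(f"{name}: {'ALLOW' if allowed else 'DENY'} ({reason})")
```

To run the audit against real input, export the bound role with `kubectl get clusterrole <name> -o json` and pass its `.rules` array to `rules_granting_node_writes`; confirm the live answer with `kubectl auth can-i update nodes --as=system:serviceaccount:kubevirt:kubevirt-handler`, substituting the service account name your installation actually uses.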


Affected products
SUSE Linux Enterprise Micro 5.3:kubevirt-manifests-0.54.0-150400.3.13.1
SUSE Linux Enterprise Micro 5.3:kubevirt-virtctl-0.54.0-150400.3.13.1
SUSE Linux Enterprise Micro 5.4:kubevirt-manifests-0.54.0-150400.3.13.1
SUSE Linux Enterprise Micro 5.4:kubevirt-virtctl-0.54.0-150400.3.13.1

References