logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2022-24817 github.com/fluxcd/helm-controller

Package

Manager: go
Name: github.com/fluxcd/helm-controller
Vulnerable Version: >=0.2.0 <0.19.0

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

EPSS: 0.00359 pctl0.57369

Details

Improper kubeconfig validation allows arbitrary code execution Flux2 can reconcile the state of a remote cluster when provided with a [kubeconfig](https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/#file-references) with the correct access rights. `Kubeconfig` files can define [commands](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins) to be executed to generate on-demand authentication tokens. A malicious user with write access to a Flux source or direct access to the target cluster, could craft a `kubeconfig` to execute arbitrary code inside the controller’s container. In multi-tenancy deployments this can also lead to privilege escalation if the controller's service account has elevated permissions. ### Impact Within the affected versions range, one of the permissions set below would be required for the vulnerability to be exploited: - Direct access to the cluster to create Flux `Kustomization` or `HelmRelease` objects and Kubernetes Secrets. - Direct access to the cluster to modify existing Kubernetes secrets being used as `kubeconfig` in existing Flux `Kustomization` or `HelmRelease` objects. - Direct access to the cluster to modify existing Flux `Kustomization` or `HelmRelease` objects and access to create or modify existing Kubernetes secrets. - Access rights to make changes to a configured Flux Source (i.e. Git repository). ### Patches This vulnerability was fixed in kustomize-controller [v0.23.0](https://github.com/fluxcd/kustomize-controller/releases/tag/v0.23.0) and helm-controller [v0.19.0](https://github.com/fluxcd/helm-controller/releases/tag/v0.19.0), both included in flux2 [v0.29.0](https://github.com/fluxcd/flux2/releases/tag/v0.29.0). Starting from the fixed versions, both controllers disable the use of command execution from `kubeconfig` files by default, users have to opt-in by adding the flag `--insecure-kubeconfig-exec` to the controller’s command arguments. Users are no longer allowed to refer to files in the controller’s filesystem in the `kubeconfig` files provided for the remote apply feature. ### Workarounds - The functionality can be disabled via Validating Admission webhooks (e.g. OPA Gatekeeper, Kyverno) by restricting users from being able to set the `spec.kubeConfig` field in Flux `Kustomization` and `HelmRelease` objects. - Applying restrictive AppArmor and SELinux profiles on the controller’s pod to limit what binaries can be executed. ### Credits The Flux engineering team found and patched this vulnerability. ### For more information If you have any questions or comments about this advisory please open an issue in the [flux2 repository](http://github.com/fluxcd/flux2).

Metadata

Created: 2022-05-16T18:13:51Z
Modified: 2022-05-26T20:07:54Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-vvmq-fwmg-2gjc/GHSA-vvmq-fwmg-2gjc.json
CWE IDs: ["CWE-94"]
Alternative ID: GHSA-vvmq-fwmg-2gjc
Finding: F422
Auto approve: 1