Overview was found in Kubernetes in which users may be able to create a container with subpath volume mounts to access files & directories outside of the volume, including on the host filesystem. The issue is affecting the Kubelet component of Kubernetes (Kubelet is the primary "node agent" that runs on each node. It registers the node with the apiserver and launches PODs on it). A new HIGH severity vulnerability The issue was first reported by Fabricio Voznika and Mark Wolters of Google and posted to Github on Sep 13, 2021 ( ). https://github.com/kubernetes/kubernetes/issues/104980 This vulnerability allows attackers to abuse subPath property of the volumeMounts and access the entire host file system without using the hostPath feature originally intended for this capability. Mitigation The best way to avoid being affected is to completely disable VolumeSubPath functionality using --feature-gates=”VolumeSubPath=false” parameter of the Kubelet and the apiserver. How to Know if Your Cluster is Affected Since PODs, which utilizing the subPath, can potentially exploit this vulnerability, checking whether you are running a vulnerable version of Kubelet and whether you have PODs in your cluster that are utilizing this functionality would be key to understanding if your K8s is exposed to this threat. To help K8s users understand if their K8s clusters are exposed to CVE-2021-25741, we have added a new feature to - an open-source tool built to identify potential security issues in Kubernetes configuration. It now checks if your K8s clusters are exposed to CVE-2021-25741 and verifies that there are no pods in the cluster that might attempt to use the subPath function. Kubescape Simply install Kubescape from - and run the default set of tests including a test for this specific vulnerability. github The results will appear in seconds - You can also see exactly which PODs are the ones that are contributing to the exposure in the tool output: You can also log in to the provided URL at the end of the scan and see all results in a full report with options for mitigations, managing alerts, and exposure over time:

Google

2022 - HackerNoon Contributor of the Year - Kubernetes

Dev to production kubernetes security 

Nominated for 2022 - HackerNoon Contributor of the Year - Kubernetes

Too Long; Didn't Read

In your car, at home, or at work — Bosch technology shapes many areas of life.

Kubernetes New High Severity Vulnerability CVE-2021-25741 – Are You Exposed?

Too Long; Didn't Read

Company Mentioned

ARMO

About Author

TOPICS

THIS ARTICLE WAS FEATURED IN...

Kubernetes New High Severity Vulnerability CVE-2021-25741 – Are You Exposed?

Too Long; Didn't Read

Company Mentioned

ARMO

About Author

TOPICS

THIS ARTICLE WAS FEATURED IN...

RELATED STORIES