Project post cross-posted from the Flux blog

As Flux is an Incubation project within the Cloud Native Computing Foundation, we were graciously granted a sponsored audit. The primary aim was to assess Flux's fundamental security posture and to identify next steps in its security story. The audit was commissioned by the CNCF, and facilitated by OSTIF (the Open Source Technology Improvement Fund). ADA Logics was quickly brought into the picture, and spent a month on the audit. The Flux maintainers and community are very grateful for the work put into this by everyone and the opportunity to grow and improve as a project.

Let's start with what will likely interest you as a Flux user.

The engagement uncovered a privilege escalation vulnerability in Flux that could enable users to gain cluster admin privileges. The issue has been fixed and is assigned CVE-2021-41254, and the full disclosure advisory is available at the following link: CVE-2021-41254: Privilege escalation to cluster admin on multi-tenant Flux.

Users that can create Kubernetes Secrets, Service Accounts and Flux Kustomization objects could execute commands inside the kustomize-controller container by embedding a shell script in a Kubernetes Secret. This can be used to run kubectl commands under the Service Account of kustomize-controller, thus allowing an authenticated Kubernetes user to gain cluster admin privileges. Multi-tenant environments where non-admin users have permissions to create Flux Kustomization objects are affected by this issue.

This vulnerability was fixed in kustomize-controller v0.15.0 (included in Flux v0.18.0) released on. Starting with v0.15, the kustomize-controller no longer executes shell commands on the container OS and the kubectl binary has been removed from the container image.

Broadly speaking, the issues fall into three categories:

Concrete issues discovered in the Flux code

The team at ADA Logics found 22 individual issues, some of which were results from the fuzzers: 1 high severity (that's the above mentioned CVE), 3 medium severity, 13 low severity and 5 informational.

1: Arbitrary command execution via command injection

The issues range from dependency upgrades to oversights in the code (files which aren't closed during an operation, unhandled errors) to misleading documentation. We are thankful for the great attention to detail by the team at ADA Logics. To benefit from the analysis in all its detail, we created a project board in GitHub. If you take a look at it closely, you will see that we have fixed some of the most immediate issues already.

The team at ADA Logics didn't stop at reviewing Flux code. We were pleasantly surprised to receive actual PRs from the team, who sat down and helped us integrate with the OSS-Fuzz project. OSS-Fuzz is a service for running fuzzers continuously on important open source projects, and the goal is to use sophisticated dynamic analysis to uncover security and reliability issues. There are already numerous other CNCF projects integrated, e.g. Kubernetes, Envoy and Fluent-bit, and we're excited to be a part of that. Some of this work still needs to be integrated into all of the Flux controllers, but we are very pleased that a start has been made!

Our documentation from an outside perspective

One very important piece of feedback was that our documentation is mostly geared towards end users, who need very concrete advice on how to integrate Flux into their setups. We provide lots of examples, which are helpful if you want Flux to behave the right way. What is missing to date is an architectural overview and documentation which focuses on the security-related aspects of Flux. We appreciate the attention to detail by the team at ADA Logics.
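Two checks a cluster operator can run against the conditions the CVE-2021-41254 section describes: whether a deployed kustomize-controller image is older than the fixed v0.15.0, and which RBAC roles grant all three of the permissions the advisory names (create on Secrets, Service Accounts and Flux Kustomization objects). This is an added example, not code from the Flux project or the post; the function names and the sample roles are constructed here, and real input would come from `kubectl get deploy -n flux-system -o json` and `kubectl get roles -A -o json`.

```python
import re

# Added example: audit helpers for the CVE-2021-41254 conditions described above.
# kustomize-controller v0.15.0 (shipped in Flux v0.18.0) is the first fixed release.
FIXED_VERSION = (0, 15, 0)
# The permission combination the advisory names, as (apiGroup, resource) pairs.
REQUIRED_PERMISSIONS = [("", "secrets"), ("", "serviceaccounts"),
                        ("kustomize.toolkit.fluxcd.io", "kustomizations")]

def parse_version(tag):
    """Turn an image tag like 'v0.14.1' into a comparable (major, minor, patch) tuple."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", tag)
    if not m:
        raise ValueError(f"unrecognised version tag: {tag!r}")
    return tuple(int(x) for x in m.groups())

def is_vulnerable_image(image):
    """True if `image` is a fluxcd/kustomize-controller image older than v0.15.0."""
    image = image.split("@", 1)[0]  # drop a trailing @sha256:... digest, if any
    name, _, tag = image.rpartition(":")
    if not name.endswith("fluxcd/kustomize-controller"):
        return False  # another container; out of scope for this CVE
    return parse_version(tag) < FIXED_VERSION

def rule_grants_create(rule, api_group, resource):
    """Does one RBAC rule (an entry of a Role's `rules` list) allow `create` here?"""
    groups, resources = rule.get("apiGroups", []), rule.get("resources", [])
    verbs = rule.get("verbs", [])
    return (("*" in groups or api_group in groups)
            and ("*" in resources or resource in resources)
            and ("*" in verbs or "create" in verbs))

def roles_with_escalation_path(roles):
    """Names of roles granting all three permissions. Admin roles appear too;
    the hits worth reviewing are tenant roles that were meant to be non-admin."""
    return [role["metadata"]["name"] for role in roles
            if all(any(rule_grants_create(r, g, res) for r in role.get("rules", []))
                   for g, res in REQUIRED_PERMISSIONS)]

# Constructed sample input, shaped like the items of `kubectl get roles -o json`.
SAMPLE_ROLES = [
    {"metadata": {"name": "tenant-editor"}, "rules": [
        {"apiGroups": [""], "resources": ["secrets", "serviceaccounts"], "verbs": ["create", "get"]},
        {"apiGroups": ["kustomize.toolkit.fluxcd.io"], "resources": ["kustomizations"], "verbs": ["*"]}]},
    {"metadata": {"name": "tenant-viewer"}, "rules": [
        {"apiGroups": ["", "kustomize.toolkit.fluxcd.io"], "resources": ["*"], "verbs": ["get", "list"]}]},
]
```

Roles bound only through ClusterRoleBindings or aggregated ClusterRoles need the same treatment on the ClusterRole list; the rule matcher is the same.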