[ANNOUNCE] Security release of kubernetes-csi sidecars - CVE-2019-11255

Hello Kubernetes Community,

A security issue has been found in the kubernetes-csi external-provisioner, external-snapshotter, and external-resizer sidecars that impacts most versions of the sidecars bundled in Container Storage Interface (CSI) drivers. The vulnerabilities are medium severity and can result in unauthorized volume data access or mutation when using CSI volume snapshot, cloning or resizing features in Kubernetes. Upgrading your CSI drivers to the fixed sidecars is recommended. Details are below and at https://issue.k8s.io/85233

The following versions of the CSI sidecars have been fixed:

external-provisioner:

  • v0.4.3
  • v1.0.2
  • v1.2.2
  • v1.3.1
  • v1.4.0

external-snapshotter:

  • v0.4.2
  • v1.0.2
  • v1.2.2

external-resizer

  • v0.3.0

No fixes in kubernetes/kubernetes are required.

Affected Components and Versions

The following Kubernetes versions are affected with default feature gates:

  • v1.16.0+

The following Kubernetes versions are affected with non-default alpha VolumeSnapshotDataSource, ExpandCSIVolumes, and VolumePVCDataSource feature gates enabled:

  • v1.12.0+

CSI drivers installed with these kubernetes-csi sidecars versions are affected:

external-provisioner: v0.4.1-0.4.2, v1.0.0-1.0.1, v1.1.0-1.2.1, v1.3.0

external-snapshotter: v0.4.0-0.4.1, v1.0.0-1.0.1, v1.1.0-v1.2.1

external-resizer: v0.1.0-0.2.0

How do I mitigate the vulnerability?

As a short term mitigation, disable the VolumeSnapshotDataSource, ExpandCSIVolumes, and VolumePVCDataSource Kubernetes feature gates in kube-apiserver and kube-controller-manager. This will cause new PersistentVolumeClaims to be provisioned ignoring the DataSource and resizing requests will also be ignored. Note that this will cause new PVCs that are intended to be provisioned from a snapshot or clone to instead provision a blank disk.

Also, to disable taking volume snapshots, either remove the external-snapshotter sidecar from any CSI drivers or revoke the CSI driver’s RBAC permissions on the snapshot.storage.k8s.io API group.

Longer term, upgrade your CSI driver with patched versions of the affected sidecars.

Acknowledgements

Thanks to Xiangqian Yu from Google for discovering this issue.

Thanks to Michelle Au, Jan Šafránek, Hemant Kumar, and Xing Yang for coordinating the fixes and release.

Thank You,

Tim Allclair on behalf of the Kubernetes Product Security Committee