Hello Kubernetes Community,
The Go team has released a fix in Go versions 1.21.11 and 1.22.4 addressing a symlink race condition when using os.RemoveAll. The Kubernetes Security Response Committee received a report that this issue could be abused in Kubernetes to delete arbitrary directories on a Node with root permissions by a local non-root user with the same UID as the user in a Pod.
The Go team has not issued a CVE for this, as it is considered a hardening issue, and the SRC is following that decision as well.
Am I affected?
Kubernetes binaries built with Go versions prior to 1.21.11 or 1.22.4 are affected.
Affected Versions
- <1.30.2
- <1.29.6
- <1.28.11
- <1.27.15
How do I mitigate this issue?
Upgrade to a fixed (or newer) version of Kubernetes.
Fixed Versions
- 1.30.2+
- 1.29.6+
- 1.28.11+
- 1.27.15+
To upgrade, refer to the documentation: Upgrade A Cluster | Kubernetes
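The following script is an added example for checking a node against the version tables above; it is not part of this announcement or of the Kubernetes project. It classifies a Kubernetes version string against the fixed releases listed here, and a Go toolchain version against the 1.21.11 / 1.22.4 thresholds, which is the check to use for builds outside the four listed minors. The sample inputs at the bottom are constructed; on a node the inputs would come from `kubelet --version` (which prints `Kubernetes v1.x.y`) and `go version -m /path/to/kubelet` (whose first line names the Go release the binary was built with).

```shell
#!/bin/sh
# Added example, not from the announcement: classify Kubernetes and Go
# version strings against the fixed releases it lists.

# normalise_version: turn "v1.29.5-gke.100" or "go1.22.2" into "1.29.5".
# Prints nothing and returns 1 when the input is not a dotted numeric version.
normalise_version() {
    v=${1#v}
    v=${v#go}
    v=${v%%[-+]*}               # drop pre-release / vendor suffixes
    case "$v" in
        ""|*[!0-9.]*) return 1 ;;
    esac
    printf '%s\n' "$v"
}

# version_key: map major.minor.patch to one integer so versions compare
# numerically (minor and patch are assumed to stay below 1000).
version_key() {
    IFS=. read -r p1 p2 p3 _ <<EOF
$1
EOF
    echo $(( ${p1:-0} * 1000000 + ${p2:-0} * 1000 + ${p3:-0} ))
}

# version_ge A B: succeeds when A >= B.
version_ge() {
    [ "$(version_key "$1")" -ge "$(version_key "$2")" ]
}

# kube_version_status VERSION: prints fixed | affected | not-listed | unknown.
# Thresholds are the fixed Kubernetes versions from the announcement.
kube_version_status() {
    v=$(normalise_version "$1") || { echo unknown; return 0; }
    case "$v" in
        1.30|1.30.*) min=1.30.2 ;;
        1.29|1.29.*) min=1.29.6 ;;
        1.28|1.28.*) min=1.28.11 ;;
        1.27|1.27.*) min=1.27.15 ;;
        *)
            # Minors outside the announcement's table: decide by the Go
            # version the binary was built with (go_version_status below).
            echo not-listed
            return 0 ;;
    esac
    if version_ge "$v" "$min"; then echo fixed; else echo affected; fi
}

# go_version_status GOVERSION: prints fixed | affected | unknown.
# Go 1.21.x needs 1.21.11; anything else needs at least 1.22.4.
go_version_status() {
    v=$(normalise_version "$1") || { echo unknown; return 0; }
    case "$v" in
        1.21|1.21.*) min=1.21.11 ;;
        *)           min=1.22.4 ;;
    esac
    if version_ge "$v" "$min"; then echo fixed; else echo affected; fi
}

# Constructed sample inputs. On a real node you would use, for example:
#   kube_version_status "$(kubelet --version | awk '{print $2}')"
#   go_version_status   "$(go version -m /usr/bin/kubelet | awk 'NR==1 {print $2}')"
for k in v1.30.1 v1.30.2 v1.29.5-gke.100 v1.28.11 v1.27.15 v1.26.9 bogus; do
    printf '%-18s %s\n' "$k" "$(kube_version_status "$k")"
done
for g in go1.21.10 go1.21.11 go1.22.3 go1.22.4 go1.23.0; do
    printf '%-18s %s\n' "$g" "$(go_version_status "$g")"
done
```

The two-step check matters because the Kubernetes version table only covers the four supported minors at the time of the announcement; for a vendor build or an unlisted minor, the Go release recorded in the binary is what decides exposure.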
Detection
This issue could be detected by looking for unexpected file deletions on a Node.
If you find evidence that this vulnerability has been exploited, please contact security@kubernetes.io.
Additional Details
See the GitHub issue for more details: https://github.com/kubernetes/kubernetes/issues/132267
Acknowledgements
This issue was reported by Addison Crump.
Thank You,
Craig Ingram on behalf of the Kubernetes Security Response Committee