
Security issue in kubernetes-client #3653

Closed · jordyv opened this issue Dec 16, 2021 · 5 comments · Fixed by #3720
Labels: security (Pull requests that address a security vulnerability)

Comments

jordyv commented Dec 16, 2021

Describe the bug

Hi team,

I think I found a security issue in the kubernetes-client library which can cause code execution depending on where the input is coming from. If a malicious config string or Kubernetes resource string is passed to a specific function in the library, this will execute arbitrary Java code on the machine which parses the resources.

I didn't find a proper way to report this other than creating a GitHub issue. Should I add more details to this public issue, or is there a way to report this privately?

Thanks in advance for your response.

Regards,
Jordy

Fabric8 Kubernetes Client version

5.10.1@latest

Steps to reproduce

N/A

Expected behavior

N/A

Runtime

Kubernetes (vanilla)

Kubernetes API Server version

1.22.3@latest

Environment

Windows, Linux, macOS

Fabric8 Kubernetes Client Logs

No response

Additional context

No response
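The report above describes the bug class in which parsing an untrusted YAML document lets the document choose which Java classes get instantiated. The following is an added illustration of that class; it is not code from this issue or from the kubernetes-client project, and the issue does not say which YAML parser the client uses, so the choice of SnakeYAML 1.x here is an assumption (SnakeYAML 2.0 later changed the default to reject global tags). It deliberately uses a harmless `!!java.net.URL` tag rather than any code-executing payload: the untyped loader honours the tag and builds the object with attacker-chosen constructor arguments, while a loader built on `SafeConstructor` refuses it.

```java
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.ConstructorException;
import org.yaml.snakeyaml.constructor.SafeConstructor;

// Added example, not from the issue or the kubernetes-client project.
// Assumes SnakeYAML 1.x (no-arg SafeConstructor(), global tags allowed by default).
public class UntrustedYamlDemo {

    // Constructed sample input: a global "!!" tag names a JVM class to instantiate.
    // java.net.URL is used only because it is harmless; the untyped loader resolves
    // any class on the classpath the same way, which is what makes a config or
    // resource string from an untrusted source dangerous to parse.
    static final String UNTRUSTED_YAML =
            "!!java.net.URL [\"http://example.invalid/\"]";

    // Vulnerable pattern: the default Yaml() uses the full Constructor, which maps
    // global tags to classes and invokes a matching constructor with the
    // sequence elements as arguments.
    static Object loadUnsafe(String doc) {
        Yaml yaml = new Yaml();
        return yaml.load(doc);
    }

    // Hardened pattern: SafeConstructor only builds standard YAML types
    // (maps, lists, scalars) and throws ConstructorException on any other tag.
    static Object loadSafe(String doc) {
        Yaml yaml = new Yaml(new SafeConstructor());
        return yaml.load(doc);
    }

    public static void main(String[] args) {
        Object fromUnsafe = loadUnsafe(UNTRUSTED_YAML);
        // The document, not the application, picked the class: java.net.URL
        System.out.println("Unsafe loader produced: " + fromUnsafe.getClass().getName());

        try {
            loadSafe(UNTRUSTED_YAML);
            System.out.println("Safe loader produced a value (unexpected)");
        } catch (ConstructorException e) {
            System.out.println("Safe loader rejected the tag: " + e.getMessage());
        }
    }
}
```

The practical check this suggests for any Java code that parses Kubernetes manifests or kubeconfig text from outside its trust boundary is to find every `new Yaml()` (or equivalent untyped loader) on the input path and confirm it is constructed with a `SafeConstructor`, or with an explicit target type and no global-tag resolution.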

manusa (Member) commented Dec 16, 2021

Hi @jordyv
Please report to secalert@redhat.com

@manusa manusa added the security Pull requests that address a security vulnerability label Dec 16, 2021
@manusa manusa added this to the 5.12.0 milestone Dec 21, 2021
@manusa manusa self-assigned this Jan 4, 2022
manusa added a commit to manusa/kubernetes-client that referenced this issue Jan 7, 2022
…o#3653 fix

Signed-off-by: Marc Nuri <marc@marcnuri.com>
manusa added a commit that referenced this issue Jan 7, 2022
Signed-off-by: Marc Nuri <marc@marcnuri.com>
manderson23 commented
@manusa was there a specific reason that there wasn't a 5.9.1 release with this fix?

manusa (Member) commented Feb 9, 2022

It's a moderate issue https://access.redhat.com/security/cve/cve-2021-4178

We cut a release for those versions that might be a little bit more challenging to update to the next minor. Moving to 5.10.2 should be really smooth.

If possible, I'd recommend bumping your project to 5.12.1 (or the latest 5.x release).

mareknovotny commented

Not sure if this also affects 4.x versions? Can you confirm?

manusa (Member) commented Mar 3, 2022

No, it only affects 5.x versions (db1923b)

This issue was closed.