CVE-2021-25735

Description

A security issue was discovered in kube-apiserver that could allow node updates to bypass a Validating Admission Webhook. Clusters are only affected by this vulnerability if they run a Validating Admission Webhook for Nodes that denies admission based at least partially on the old state of the Node object. Validating Admission Webhook does not observe some previous fields.

CVSS Metrics

• v3.1•MEDIUM•Score: 6.5CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
• v2.0•MEDIUM•Score: 5.5AV:N/AC:L/Au:S/C:N/I:P/A:P

EPSS Trends

Current EPSS score: 16.30%• Percentile: 95%

Techniques & Countermeasures

• CWE-372•Incomplete Internal State Distinction

  The product does not properly determine which state it is in, causing it to assume it is in state X when in fact it is in state Y, causing it to perform incorrect operations in a security-relevant manner.

Affected Systems

• k8s.io•kubernetes

  ≥ 1.19.0, < 1.19.10 | < 1.18.18 | ≥ 1.20.0, < 1.20.6

• kubernetes•kubernetes

  < 1.18.18 | ≥ 1.19.0, < 1.19.10 | ≥ 1.20.0, < 1.20.6 | ≥ unspecified, ≤ 1.18.17 | ≥ unspecified, ≤ 1.19.9 | ≥ unspecified, ≤ 1.20.5

References (10)

• https://groups.google.com/g/kubernetes-security-announce/c/FKAGqT4jx9Y
• https://github.com/kubernetes/kubernetes/issues/100096
• https://nvd.nist.gov/vuln/detail/CVE-2021-25735
• https://github.com/kubernetes/kubernetes/pull/99946
• https://github.com/kubernetes/kubernetes/commit/00e81db174ef7aca497be5f42d87e46d14df2a90
• https://bugzilla.redhat.com/show_bug.cgi?id=1937562
• https://github.com/kubernetes/kubernetes
• https://pkg.go.dev/k8s.io/kubernetes@v1.23.5/cmd/kube-apiserver
• https://sysdig.com/blog/cve-2021-25735-kubernetes-admission-bypass
• https://github.com/advisories/GHSA-g42g-737j-qx6j