CVE-2021-4034: polkit vulnerability

[miwithro]

https://ubuntu.com/security/CVE-2021-4034

Local Privilege Escalation in polkit’s pkexec

AKS Information:

Update your node image to 2022.02.01 to remediate this vulnerability.

AKS -- | --

[iggyemu]

Hey AKS Team. Any update on this patch?

[miwithro]

Yes this will be patched as part of the next release next week.

[therockvalley]

Yes this will be patched as part of the next release next week.

To confirm, does next week = the upcoming week (i.e. starting Jan 31)?

[iggyemu]

AKS Team, today's AKS Release does not have the latest Polkit to remediate this CVE. It still reflects the vulnerable Polkit version of 18.04.5

It needs to be 18.04.6 according Ubuntu's recommendation: https://ubuntu.com/security/notices/USN-5252-1

When can we expect an update?

[miwithro]

@iggyemu this issue is remediated in the release we just cut this week that will be released next week. 2022-02-01

[ChrisHolman]

Any update on this patch?

[miwithro]

@ChrisHolman this issue is remediated in the release we just cut this week that will be released next week. 2022-02-01

[rouke-broersma]

@miwithro it already is next week per your previous exact same comment. Are you saying the release has been moved to next week or are you saying it will be released this week.

[miwithro]

@rouke-broersma The VHD with the CVE fix will be rolled out to all regions by 2.16.

https://github.com/Azure/AKS/releases/tag/2022-02-06

[ghost]

This issue has been automatically marked as stale because it has not had any activity for 60 days. It will be closed if no further activity occurs within 15 days of this comment.

[ghost]

This issue will now be closed because it hasn't had any activity for 7 days after stale. miwithro feel free to comment again on the next 7 days to reopen or open a new issue after that time if you still have a question/issue or suggestion.