A Helm contributor discovered an information disclosure vulnerability using the getHostByName template function.
Impact
getHostByName is a Helm template function introduced in Helm v3. The function is able to accept a hostname and return an IP address for that hostname. To get the IP address the function performs a DNS lookup. The DNS lookup happens when used with helm install|upgrade|template or when the Helm SDK is used to render a chart.
Information passed into the chart can be disclosed to the DNS servers used to lookup the IP address. For example, a malicious chart could inject getHostByName into a chart in order to disclose values to a malicious DNS server.
Patches
The issue has been fixed in Helm 3.11.1.
Workarounds
Prior to using a chart with Helm verify the getHostByName function is not being used in a template to disclose any information you do not want passed to DNS servers.
For more information
Helm's security policy is spelled out in detail in our SECURITY document.
Credits
Disclosed by Philipp Stehle at SAP.
Release Notes
helm/helm
### [`v3.11.1`](https://togithub.com/helm/helm/releases/tag/v3.11.1): Helm v3.11.1
[Compare Source](https://togithub.com/helm/helm/compare/v3.11.0...v3.11.1)
Helm v3.11.1 is a security (patch) release. Users are strongly recommended to update to this release.
The template function `getHostByName` can be used to disclose information. More details are available in the [CVE](https://togithub.com/helm/helm/security/advisories/GHSA-pwcw-6f5g-gxf8).
This release introduces a breaking changes to Helm:
- When using the `helm` client for the `template`, `install`, and `upgrade` commands there is a new flag. `--enable-dns` needs to be set for the `getHostByName` template function to attempt to lookup an IP address for a given hostname. If the flag is not set the template function will return an empty string and skip looping up an IP address for the host.
- The Helm SDK has added the `EnableDNS` property to the install action, the upgrade action, and the `Engine`. This property must be set to true for the in order for the `getHostByName` template function to attempt to lookup an IP address.
The default for both of these cases is false.
[Philipp Stehle](https://togithub.com/phil9909) at SAP disclosed the vulnerability to the Helm project.
#### Installation and Upgrading
Download Helm v3.11.1. The common platform binaries are here:
- [MacOS amd64](https://get.helm.sh/helm-v3.11.1-darwin-amd64.tar.gz) ([checksum](https://get.helm.sh/helm-v3.11.1-darwin-amd64.tar.gz.sha256sum) / 2548a90e5cc957ccc5016b47060665a9d2cd4d5b4d61dcc32f5de3144d103826)
- [MacOS arm64](https://get.helm.sh/helm-v3.11.1-darwin-arm64.tar.gz) ([checksum](https://get.helm.sh/helm-v3.11.1-darwin-arm64.tar.gz.sha256sum) / 43d0198a7a2ea2639caafa81bb0596c97bee2d4e40df50b36202343eb4d5c46b)
- [Linux amd64](https://get.helm.sh/helm-v3.11.1-linux-amd64.tar.gz) ([checksum](https://get.helm.sh/helm-v3.11.1-linux-amd64.tar.gz.sha256sum) / 0b1be96b66fab4770526f136f5f1a385a47c41923d33aab0dcb500e0f6c1bf7c)
- [Linux arm](https://get.helm.sh/helm-v3.11.1-linux-arm.tar.gz) ([checksum](https://get.helm.sh/helm-v3.11.1-linux-arm.tar.gz.sha256sum) / 77b797134ea9a121f2ede9d159a43a8b3895a9ff92cc24b71b77fb726d9eba6d)
- [Linux arm64](https://get.helm.sh/helm-v3.11.1-linux-arm64.tar.gz) ([checksum](https://get.helm.sh/helm-v3.11.1-linux-arm64.tar.gz.sha256sum) / 919173e8fb7a3b54d76af9feb92e49e86d5a80c5185020bae8c393fa0f0de1e8)
- [Linux i386](https://get.helm.sh/helm-v3.11.1-linux-386.tar.gz) ([checksum](https://get.helm.sh/helm-v3.11.1-linux-386.tar.gz.sha256sum) / 1581a4ce9d0014c49a3b2c6421f048d5c600e8cceced636eb4559073c335af0b)
- [Linux ppc64le](https://get.helm.sh/helm-v3.11.1-linux-ppc64le.tar.gz) ([checksum](https://get.helm.sh/helm-v3.11.1-linux-ppc64le.tar.gz.sha256sum) / 6ab8f2e253c115b17eda1e10e96d1637047efd315e9807bcb1d0d0bcad278ab7)
- [Linux s390x](https://get.helm.sh/helm-v3.11.1-linux-s390x.tar.gz) ([checksum](https://get.helm.sh/helm-v3.11.1-linux-s390x.tar.gz.sha256sum) / ab133e6b709c8107dc4f8f62838947350adb8e23d76b8c2c592ff4c09bc956ef)
- [Windows amd64](https://get.helm.sh/helm-v3.11.1-windows-amd64.zip) ([checksum](https://get.helm.sh/helm-v3.11.1-windows-amd64.zip.sha256sum) / bc37d5d283e57c5dfa94f92ff704c8e273599ff8df3f8132cef5ca73f6a23d0a)
This release was signed with ` 672C 657B E06B 4B30 969C 4A57 4614 49C2 5E36 B98E ` and can be found at [@mattfarina](https://togithub.com/mattfarina) [keybase account](https://keybase.io/mattfarina). Please use the attached signatures for verifying this release using `gpg`.
The [Quickstart Guide](https://helm.sh/docs/intro/quickstart/) will get you going from there. For **upgrade instructions** or detailed installation notes, check the [install guide](https://helm.sh/docs/intro/install/). You can also use a [script to install](https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3) on any system with `bash`.
#### What's Next
- 3.11.2 is the next patch/bug fix release and will be on March 08, 2023.
- 3.12.0 is the next feature release and be on May 10, 2023.
Configuration
π Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
π¦ Automerge: Disabled by config. Please merge this manually once you are satisfied.
β» Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
π Ignore: Close this PR and you won't be reminded about this update again.
[ ] If you want to rebase/retry this PR, check this box
This PR has been generated by Mend Renovate. View repository job log here.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
This PR contains the following updates:
v3.11.0
->v3.11.1
GitHub Vulnerability Alerts
CVE-2023-25165
A Helm contributor discovered an information disclosure vulnerability using the
getHostByName
template function.Impact
getHostByName
is a Helm template function introduced in Helm v3. The function is able to accept a hostname and return an IP address for that hostname. To get the IP address the function performs a DNS lookup. The DNS lookup happens when used withhelm install|upgrade|template
or when the Helm SDK is used to render a chart.Information passed into the chart can be disclosed to the DNS servers used to lookup the IP address. For example, a malicious chart could inject
getHostByName
into a chart in order to disclose values to a malicious DNS server.Patches
The issue has been fixed in Helm 3.11.1.
Workarounds
Prior to using a chart with Helm verify the
getHostByName
function is not being used in a template to disclose any information you do not want passed to DNS servers.For more information
Helm's security policy is spelled out in detail in our SECURITY document.
Credits
Disclosed by Philipp Stehle at SAP.
Release Notes
helm/helm
### [`v3.11.1`](https://togithub.com/helm/helm/releases/tag/v3.11.1): Helm v3.11.1 [Compare Source](https://togithub.com/helm/helm/compare/v3.11.0...v3.11.1) Helm v3.11.1 is a security (patch) release. Users are strongly recommended to update to this release. The template function `getHostByName` can be used to disclose information. More details are available in the [CVE](https://togithub.com/helm/helm/security/advisories/GHSA-pwcw-6f5g-gxf8). This release introduces a breaking changes to Helm: - When using the `helm` client for the `template`, `install`, and `upgrade` commands there is a new flag. `--enable-dns` needs to be set for the `getHostByName` template function to attempt to lookup an IP address for a given hostname. If the flag is not set the template function will return an empty string and skip looping up an IP address for the host. - The Helm SDK has added the `EnableDNS` property to the install action, the upgrade action, and the `Engine`. This property must be set to true for the in order for the `getHostByName` template function to attempt to lookup an IP address. The default for both of these cases is false. [Philipp Stehle](https://togithub.com/phil9909) at SAP disclosed the vulnerability to the Helm project. #### Installation and Upgrading Download Helm v3.11.1. The common platform binaries are here: - [MacOS amd64](https://get.helm.sh/helm-v3.11.1-darwin-amd64.tar.gz) ([checksum](https://get.helm.sh/helm-v3.11.1-darwin-amd64.tar.gz.sha256sum) / 2548a90e5cc957ccc5016b47060665a9d2cd4d5b4d61dcc32f5de3144d103826) - [MacOS arm64](https://get.helm.sh/helm-v3.11.1-darwin-arm64.tar.gz) ([checksum](https://get.helm.sh/helm-v3.11.1-darwin-arm64.tar.gz.sha256sum) / 43d0198a7a2ea2639caafa81bb0596c97bee2d4e40df50b36202343eb4d5c46b) - [Linux amd64](https://get.helm.sh/helm-v3.11.1-linux-amd64.tar.gz) ([checksum](https://get.helm.sh/helm-v3.11.1-linux-amd64.tar.gz.sha256sum) / 0b1be96b66fab4770526f136f5f1a385a47c41923d33aab0dcb500e0f6c1bf7c) - [Linux arm](https://get.helm.sh/helm-v3.11.1-linux-arm.tar.gz) ([checksum](https://get.helm.sh/helm-v3.11.1-linux-arm.tar.gz.sha256sum) / 77b797134ea9a121f2ede9d159a43a8b3895a9ff92cc24b71b77fb726d9eba6d) - [Linux arm64](https://get.helm.sh/helm-v3.11.1-linux-arm64.tar.gz) ([checksum](https://get.helm.sh/helm-v3.11.1-linux-arm64.tar.gz.sha256sum) / 919173e8fb7a3b54d76af9feb92e49e86d5a80c5185020bae8c393fa0f0de1e8) - [Linux i386](https://get.helm.sh/helm-v3.11.1-linux-386.tar.gz) ([checksum](https://get.helm.sh/helm-v3.11.1-linux-386.tar.gz.sha256sum) / 1581a4ce9d0014c49a3b2c6421f048d5c600e8cceced636eb4559073c335af0b) - [Linux ppc64le](https://get.helm.sh/helm-v3.11.1-linux-ppc64le.tar.gz) ([checksum](https://get.helm.sh/helm-v3.11.1-linux-ppc64le.tar.gz.sha256sum) / 6ab8f2e253c115b17eda1e10e96d1637047efd315e9807bcb1d0d0bcad278ab7) - [Linux s390x](https://get.helm.sh/helm-v3.11.1-linux-s390x.tar.gz) ([checksum](https://get.helm.sh/helm-v3.11.1-linux-s390x.tar.gz.sha256sum) / ab133e6b709c8107dc4f8f62838947350adb8e23d76b8c2c592ff4c09bc956ef) - [Windows amd64](https://get.helm.sh/helm-v3.11.1-windows-amd64.zip) ([checksum](https://get.helm.sh/helm-v3.11.1-windows-amd64.zip.sha256sum) / bc37d5d283e57c5dfa94f92ff704c8e273599ff8df3f8132cef5ca73f6a23d0a) This release was signed with ` 672C 657B E06B 4B30 969C 4A57 4614 49C2 5E36 B98E ` and can be found at [@mattfarina](https://togithub.com/mattfarina) [keybase account](https://keybase.io/mattfarina). Please use the attached signatures for verifying this release using `gpg`. The [Quickstart Guide](https://helm.sh/docs/intro/quickstart/) will get you going from there. For **upgrade instructions** or detailed installation notes, check the [install guide](https://helm.sh/docs/intro/install/). You can also use a [script to install](https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3) on any system with `bash`. #### What's Next - 3.11.2 is the next patch/bug fix release and will be on March 08, 2023. - 3.12.0 is the next feature release and be on May 10, 2023.Configuration
π Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
π¦ Automerge: Disabled by config. Please merge this manually once you are satisfied.
β» Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
π Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.