kubearmor / KubeArmor

Runtime Security Enforcement System. Workload hardening/sandboxing and implementing least-permissive policies made easy leveraging LSMs (BPF-LSM, AppArmor).
https://kubearmor.io/
Apache License 2.0
1.32k stars 323 forks

A security vulnerability may cause the whole cluster to be hijacked #1796

Open kaaass opened 3 days ago

kaaass commented 3 days ago

Hi community! I found a vulnerability in kubearmor and reported it privately, in accordance with the security policy, one week ago. I tried to send an email to the security mailing list and to some active maintainers, but I haven't received any response so far. This is not meant to rush anyone; I just wanted to ask whether I have been unsuccessful in getting in touch with the maintainers (e.g. maybe the email was flagged as spam). I apologize if this issue has caused any trouble.

DelusionalOptimist commented 3 days ago

Hey @kaaass, thanks for the detailed analysis over e-mail as well as the gentle reminder here. We've tried to give some explanations for your analysis. Also, as I mentioned some of these have been implemented/are being tracked as part of #1186 already. Would love to further hear your thoughts on the same. Thanks. cc @daemon1024

kaaass commented 1 day ago

@DelusionalOptimist Thank you for the reply and analysis! I received the e-mail and just replied. I believe some of the risks can be eliminated through them, but the critical part is still not mitigated. I think we could continue to discuss this privately.