NVIDIA has announced CVE-2021-1056, a vulnerability in NVIDIA GPU drivers. The default GPU drivers that are installed by Container Service for Kubernetes (ACK) are also affected by this vulnerability. This topic describes the background, impact, and fixes for this vulnerability.

Background information

NVIDIA has announced a vulnerability in the device isolation capabilities of NVIDIA GPU drivers. This vulnerability allows an attacker to gain access to all GPU devices on a node by creating character device files in non-privileged containers that run on this node.

For more information about this vulnerability, see CVE-2021-1056.

Affected versions

The affected ACK cluster versions are:

  • ACK 1.12.6-aliyun.1 (By default, the NVIDIA driver of version 410.79 is installed.)
  • ACK 1.14.8-aliyun.1 (By default, the NVIDIA driver of version 410.79 is installed.)
  • ACK 1.16.9-aliyun.1 (By default, the NVIDIA driver of version 418.87.01 is installed.)
  • ACK 1.18.8-aliyun.1 (By default, the NVIDIA driver of version 418.87.01 is installed.)

If you selected a custom NVIDIA driver version, check whether your NVIDIA driver is affected by this vulnerability in the following figure. For more information, see the official NVIDIA website.

Notice: When you upgrade the NVIDIA driver for a node, the node must be restarted. This disrupts the services that are deployed on the node.

Fix

Upgrade the NVIDIA driver based on the preceding figure.

  • If your NVIDIA driver belongs to the R390 branch, upgrade it to version 390.141.
  • If your NVIDIA driver belongs to the R418 branch, upgrade it to version 418.181.07.
  • If your NVIDIA driver belongs to the R450 branch, upgrade it to version 450.102.04.
  • If your NVIDIA driver belongs to the R460 branch, upgrade it to version 460.32.03.
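
The following script is an added example, not part of the original advisory or of ACK tooling: it compares a driver version string against the fixed versions in the list above. The function names `version_lt` and `driver_status` are hypothetical, and the script assumes the branch is the first field of the version string; branches that the list does not cover (such as 410.79) are reported as unlisted rather than guessed.

```shell
#!/bin/sh
# Added example: compare a driver version against the fixed versions listed above.

# version_lt A B: succeeds when A is older than B (dot-separated numeric fields).
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    max = (n > m) ? n : m
    for (i = 1; i <= max; i++) {
      if (x[i] + 0 < y[i] + 0) exit 0
      if (x[i] + 0 > y[i] + 0) exit 1
    }
    exit 1   # equal versions are not "older"
  }'
}

# driver_status VERSION prints one of:
#   needs-upgrade <fixed version> | fixed | unlisted-branch | invalid
driver_status() {
  ver="$1"
  case "$ver" in
    ''|*[!0-9.]*) echo "invalid"; return 2 ;;
  esac
  # Assumption: the branch (R418, R450, ...) is the first field of the version.
  case "${ver%%.*}" in
    390) fixed="390.141" ;;
    418) fixed="418.181.07" ;;
    450) fixed="450.102.04" ;;
    460) fixed="460.32.03" ;;
    *)   echo "unlisted-branch"; return 3 ;;   # not in the fix list on this page
  esac
  if version_lt "$ver" "$fixed"; then
    echo "needs-upgrade $fixed"; return 1
  fi
  echo "fixed"; return 0
}

# Optional command-line use. On a GPU node the version can be read with
#   nvidia-smi --query-gpu=driver_version --format=csv,noheader
if [ "$#" -gt 0 ]; then
  driver_status "$1"
fi
```

A result of `unlisted-branch` means the version must be checked against the figure or the NVIDIA bulletin, because this page gives no fixed version for that branch.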

For more information about how to upgrade the NVIDIA driver, see Use a node pool to upgrade the NVIDIA driver for a node, Manually upgrade the NVIDIA driver for a node, and Use a node pool to create a node with a custom NVIDIA driver version.