The Kubernetes community disclosed CVE-2021-25741, a vulnerability in kubelet that lets an attacker who can create a pod with a subPath volume mount use a symbolic link to reach host directories outside the volume. This topic describes the impact, the affected Kubernetes versions, and the fixes for this vulnerability.

CVE-2021-25741 is rated High severity, with a Common Vulnerability Scoring System (CVSS) score of 8.8.

Affected versions

The kubelet in clusters that run the following Kubernetes versions is affected by this vulnerability:
  • 1.22.0 to 1.22.1
  • 1.21.0 to 1.21.4
  • 1.20.0 to 1.20.10
  • 1.19.14 and earlier
This vulnerability is fixed in the following Kubernetes versions (the first patch release of each affected minor line that contains the fix):
  • 1.22.2
  • 1.21.5
  • 1.20.11
  • 1.19.15

For more information about the vulnerability, see Kubernetes issue #104980.

Impacts

In multi-tenant clusters, an attacker who is allowed to create pods that run containers as the root user can exploit this vulnerability to escape the mounted volume and gain read and write access to sensitive directories on the host filesystem.

Mitigation

Upgrade to one of the fixed versions listed above as soon as possible. Until a cluster can be upgraded, the following measures reduce exposure:
  • Do not grant untrusted users permission to create pods that run containers as the root user.
  • Disable the VolumeSubpath feature gate on both kubelet and kube-apiserver, and delete existing pods that use subPath volume mounts. Note that this disables subPath for every workload in the cluster, not only for untrusted tenants.
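To act on the version table and the mitigation list above, a practitioner first needs two answers: is this cluster's kubelet version inside an affected range, and which running pods would be removed (or would fail to schedule) once the VolumeSubpath gate is switched off. The script below is an added example, not code from the advisory or from the Kubernetes project. It encodes the affected/fixed ranges from this page and scans a pod list in the shape produced by `kubectl get pods -A -o json`; the pod list embedded here is constructed for the example, and checking `subPathExpr` alongside `subPath` is an assumption based on both fields resolving to a subPath mount on the kubelet.

```python
import json
import re
from typing import Dict, List, Tuple

# First patch release of each minor line that contains the fix, taken from
# the advisory above. 1.19.15 is the first fixed 1.19 release, so every
# 1.19.x below it, and every older minor line, is treated as affected.
FIXED_IN = {22: 2, 21: 5, 20: 11, 19: 15}


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse 'v1.21.4', '1.21.4' or a vendor build like 'v1.21.4-gke.100'."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised Kubernetes version: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def is_affected(version: str) -> bool:
    """True if a kubelet at this version falls inside an affected range."""
    major, minor, patch = parse_version(version)
    if major != 1:
        return False  # assumption: only the 1.x lines are relevant here
    if minor > 22:
        return False  # 1.23 and later were released after the fix
    if minor < 19:
        return True   # end-of-life lines never received the patch
    return patch < FIXED_IN[minor]


def find_subpath_mounts(pod_list: Dict) -> List[Tuple[str, str, str, str]]:
    """Return (namespace, pod, container, mountPath) for every volumeMount
    that uses subPath or subPathExpr, including init and ephemeral containers.
    These are the pods to delete before disabling the VolumeSubpath gate."""
    hits = []
    for pod in pod_list.get("items", []):
        meta = pod["metadata"]
        spec = pod["spec"]
        containers = (spec.get("containers", [])
                      + spec.get("initContainers", [])
                      + spec.get("ephemeralContainers", []))
        for c in containers:
            for vm in c.get("volumeMounts", []):
                if "subPath" in vm or "subPathExpr" in vm:
                    hits.append((meta["namespace"], meta["name"],
                                 c["name"], vm["mountPath"]))
    return hits


# Constructed sample in the shape of `kubectl get pods -A -o json`.
SAMPLE_PODS = json.loads("""
{"items": [
  {"metadata": {"namespace": "tenant-a", "name": "web-0"},
   "spec": {"containers": [
     {"name": "web", "volumeMounts": [
       {"name": "data", "mountPath": "/srv/site", "subPath": "site"}]}]}},
  {"metadata": {"namespace": "tenant-b", "name": "batch-1"},
   "spec": {"initContainers": [
     {"name": "prep", "volumeMounts": [
       {"name": "scratch", "mountPath": "/work",
        "subPathExpr": "$(POD_NAME)"}]}],
     "containers": [
     {"name": "job", "volumeMounts": [
       {"name": "scratch", "mountPath": "/work"}]}]}},
  {"metadata": {"namespace": "kube-system", "name": "coredns-7"},
   "spec": {"containers": [
     {"name": "coredns", "volumeMounts": [
       {"name": "config", "mountPath": "/etc/coredns"}]}]}}
]}
""")


if __name__ == "__main__":
    for v in ("v1.22.1", "v1.22.2", "v1.21.4-gke.100", "v1.19.14", "v1.23.0"):
        print(f"{v:18} affected={is_affected(v)}")
    for ns, pod, ctr, path in find_subpath_mounts(SAMPLE_PODS):
        print(f"subPath mount: {ns}/{pod} container={ctr} mountPath={path}")
```

Against a live cluster, feed `kubectl get nodes -o jsonpath='{.items[*].status.nodeInfo.kubeletVersion}'` to `is_affected` and `kubectl get pods -A -o json` to `find_subpath_mounts`; any pod it lists must be deleted (and its workload reworked without subPath) before the gate is disabled, otherwise it will be rejected or fail to remount.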