The Kubernetes community recently discovered vulnerability CVE-2023-2878 in the secrets-store-csi-driver plug-in. If a Secret synchronization component developed based on secrets-store-csi-driver, such as csi-secrets-store-provider-alibabacloud, runs in your cluster to retrieve Secrets from a Secret store, attackers with access to the component logs can obtain the service account tokens used by the component. The attackers can then exploit these service account tokens to access the Secrets stored in Key Management Service (KMS) on the cloud.
CVE-2023-2878 is rated as medium severity and its Common Vulnerability Scoring System (CVSS) score is 6.5. For more information about the vulnerability, see #118419.
Affected versions
This vulnerability affects clusters that meet all of the following conditions:
The Secret synchronization component, such as csi-secrets-store-provider-alibabacloud, is developed based on a secrets-store-csi-driver version earlier than 1.3.3.
The Secret synchronization component uses the TokenRequest feature.
The -v flag is configured for the Secret synchronization component to run at log level 2 or higher.
This vulnerability has been fixed by the Kubernetes community in secrets-store-csi-driver 1.3.3 and later versions.
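The first and third conditions can be read from a pod spec (component image tag and the -v log level). The following Python check is an added example, not code from this advisory or from the component itself; the registry path, pod name and container names are constructed, and whether the component uses the TokenRequest feature still has to be confirmed separately.

```python
import json
import re

# Fixed versions named in the advisory, keyed by the image name they apply to.
FIXED = {
    "secrets-store-csi-driver": (1, 3, 3),
    "csi-secrets-store-provider-alibabacloud": (0, 2, 0),
}

# Constructed sample pod (not taken from the advisory): a provider build still on
# 0.1.0 running with klog verbosity 2, next to a driver that is already patched.
SAMPLE_POD_JSON = """{"metadata": {"name": "csi-secrets-store-provider-alibabacloud-x1", "namespace": "kube-system"},
 "spec": {"containers": [
   {"name": "provider",
    "image": "registry.example.com/csi-secrets-store-provider-alibabacloud:0.1.0",
    "args": ["--provider-name=alibabacloud", "-v=2"]},
   {"name": "driver",
    "image": "registry.example.com/secrets-store-csi-driver:v1.3.3",
    "args": ["--endpoint=unix:///csi/csi.sock", "--v", "5"]}]}}"""

def image_version(image):
    """Split 'repo/name:tag' into (name, (major, minor, patch)); the tag may carry a leading 'v'."""
    m = re.fullmatch(r"(?:.*/)?([^/:]+):v?(\d+)\.(\d+)\.(\d+)", image)
    if not m:
        return None, None
    return m.group(1), tuple(int(x) for x in m.groups()[1:])

def log_level(args):
    """klog verbosity from container args: -v=N, --v=N, -v N or --v N; 0 when absent."""
    level = 0
    for i, arg in enumerate(args):
        m = re.fullmatch(r"--?v(?:=(\d+))?", arg)
        if not m:
            continue
        if m.group(1) is not None:
            level = int(m.group(1))
        elif i + 1 < len(args) and args[i + 1].isdigit():
            level = int(args[i + 1])
    return level

def affected_containers(pod_json):
    """Containers running an unfixed build at -v 2 or higher (TokenRequest use is not checked here)."""
    pod = json.loads(pod_json)
    hits = []
    for c in pod["spec"]["containers"]:
        name, ver = image_version(c.get("image", ""))
        if name not in FIXED or ver is None:
            continue
        if ver < FIXED[name] and log_level(c.get("args", [])) >= 2:
            hits.append((c["name"], name, ver))
    return hits

if __name__ == "__main__":
    for container, component, ver in affected_containers(SAMPLE_POD_JSON):
        print(f"{container}: {component} {'.'.join(map(str, ver))} logs at -v>=2, update required")
```

Feed it the output of `kubectl get pod <name> -n kube-system -o json` for each Secret synchronization pod to run it against a live cluster.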
Solution
CVE-2023-2878 is fixed in csi-secrets-store-provider-alibabacloud 0.2.0. You can log on to the Container Service for Kubernetes (ACK) console, go to the Marketplace page, and then update the csi-secrets-store-provider-alibabacloud component to 0.2.0.