The Kubernetes community recently discovered the vulnerability CVE-2024-3177. This vulnerability allows attackers to bypass the mountable Secret security policy enforced by the ServiceAccount admission plug-in by using the envFrom field in the container configuration of a workload. This vulnerability may cause the leak of sensitive information. The CVE-2024-3177 vulnerability is rated as low severity and its Common Vulnerability Scoring System (CVSS) score is 2.7. For more information about this vulnerability, see #124336.
Affected versions
The following versions of kube-apiserver are affected:
1.29.0 to 1.29.3
1.28.0 to 1.28.8
≤ 1.27.12
This vulnerability is fixed in the following versions:
1.29.4
1.28.9
1.27.13
The default components installed in Container Service for Kubernetes (ACK) clusters are not affected by this vulnerability. However, an ACK cluster is affected if the workloads in the cluster meet the following conditions:
The containers, init containers, or ephemeral containers of the workloads use the envFrom field to mount Secrets.
The workloads use a ServiceAccount that has the kubernetes.io/enforce-mountable-secrets annotation.
Run the following command to identify ServiceAccounts that may pose potential risks in the cluster:
kubectl get serviceaccounts --all-namespaces -o jsonpath="{range .items[?(@.metadata.annotations['kubernetes\.io/enforce-mountable-secrets']=='true')]}{.metadata.namespace}{'\t'}{.metadata.name}{'\n'}{end}"
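The kubectl command above only lists annotated ServiceAccounts; the following added example (not part of this page or of ACK) goes one step further and checks, offline against exported Pod and ServiceAccount objects, whether a pod running under such a ServiceAccount pulls a Secret through envFrom that is not in the ServiceAccount's secrets list, which is exactly the condition the fixed kube-apiserver rejects. The sample objects are constructed; on a real cluster you would feed it the output of kubectl get -o json.

```python
"""Offline audit for the CVE-2024-3177 condition: a pod whose containers pull
Secrets via envFrom while running under a ServiceAccount annotated with
kubernetes.io/enforce-mountable-secrets, where the referenced Secret is not
in the ServiceAccount's `secrets` list (the list the admission plug-in checks
for other Secret references but, before the fix, not for envFrom)."""

ANNOTATION = "kubernetes.io/enforce-mountable-secrets"


def mountable_secrets(sa):
    """Secret names listed under the ServiceAccount's `secrets` field."""
    return {s["name"] for s in sa.get("secrets", [])}


def envfrom_secret_refs(pod_spec):
    """Secret names referenced through envFrom in any container type."""
    names = set()
    for kind in ("initContainers", "containers", "ephemeralContainers"):
        for c in pod_spec.get(kind, []):
            for src in c.get("envFrom", []):
                ref = src.get("secretRef")
                if ref:
                    names.add(ref["name"])
    return names


def unmountable_envfrom_secrets(pod, sa):
    """Secrets pulled via envFrom that the ServiceAccount is not allowed to
    mount. An empty set means the policy holds or is not enforced for this SA."""
    sa_meta, pod_meta, spec = sa["metadata"], pod["metadata"], pod["spec"]
    if sa_meta.get("annotations", {}).get(ANNOTATION) != "true":
        return set()
    if (pod_meta.get("namespace") != sa_meta.get("namespace")
            or spec.get("serviceAccountName", "default") != sa_meta["name"]):
        return set()
    return envfrom_secret_refs(spec) - mountable_secrets(sa)


# Constructed sample objects (hypothetical names, not from a real cluster).
SA = {"metadata": {"name": "app-sa", "namespace": "demo",
                   "annotations": {ANNOTATION: "true"}},
      "secrets": [{"name": "app-token"}]}
POD = {"metadata": {"name": "app", "namespace": "demo"},
       "spec": {"serviceAccountName": "app-sa",
                "containers": [{"name": "main", "image": "busybox",
                                "envFrom": [{"secretRef": {"name": "db-creds"}},
                                            {"secretRef": {"name": "app-token"}}]}]}}

if __name__ == "__main__":
    print(unmountable_envfrom_secrets(POD, SA))  # {'db-creds'}
```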
Solutions
You can enable the cluster auditing feature of the API server to identify unexpected updates to the envFrom field in a pod. For more information, see Work with cluster auditing.