Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, Fission's Environment CRD exposes spec.runtime.podSpec and spec.builder.podSpec, which are merged into the Kubernetes pod specs for runtime and builder pods. The merge logic propagated hostNetwork, hostPID, hostIPC, container privileged, and serviceAccountName from the user-supplied podspec with no filtering, and Environment.Validate performed no security-relevant checks on these fields. This issue has been patched in version 1.24.0.
The Environment CRD resource in Fission exposes spec.runtime.podSpec and spec.builder.podSpec fields, whose contents are merged with internal Kubernetes pod specifications for runtime and builder environments. The merge logic propagated without any filtering fields such as hostNetwork, hostPID, hostIPC, container privileged, and serviceAccountName supplied by the user. The Environment.Validate function performed no security checks on these fields, allowing them to be freely overwritten by an unprivileged user.
An attacker with access to create or modify Environment CRD resources can launch containers with host privileges (hostNetwork, hostPID, hostIPC, privileged) or assume the identity of any ServiceAccount in the cluster, which in practice can lead to complete compromise of a Kubernetes node or the entire cluster.
Fission should be updated to version 1.24.0, where the issue has been fixed. The patch is available in the official GitHub repository of the project: https://github.com/fission/fission/releases/tag/v1.24.0
Fission in versions earlier than 1.24.0 (open-source Kubernetes-native serverless framework)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H