Keptn v1 reached EOL December 22, 2023. For more information see https://bit.ly/keptn

Keptn-Vulnerability-2023-001

Version 1.0

Revision Information

Revision   Updated          Reason
1.0        April 25, 2023   Initial release

Affected

Container image             Affected versions   Patched versions
keptn/helm-service          > 0.1.0             0.7.0
keptn/installer             > 0.2.2             0.7.0
keptn/remediation-service   > 0.5.0.beta        0.8.3
keptn/upgrader              0.7.0               no newer versions available

Description

TL;DR

Remediation service container images between versions 0.7.3 and 0.8.2 are not safe to use. Building container images yourself from Keptn's source code between versions 0.1.0 and 0.8.2 is not safe; the released container images are safe, except those listed above.

Summary

The Helm project used to host its CLI binaries in a Google Cloud Storage bucket named kubernetes-helm. When Helm moved its CLI binaries to GitHub releases, it deleted that bucket. Bucket names are globally unique and become available again once a bucket is deleted, so any Google Cloud user can re-create a bucket with the same name and serve arbitrary content from the identical URL. Keptn's Dockerfiles downloaded the Helm CLI from that URL at build time and copied the bucket's content into the image without any integrity check (no checksum or signature verification) or any other validation. Whoever claims the bucket therefore controls the binary that ends up in the image, which makes every component that installs the Helm CLI this way vulnerable to remote code execution at build time.

Impact

This vulnerability can only be exploited at build time, that is, while the Dockerfiles of Keptn versions 0.1.0 to 0.8.2 are being built.

Severity

CVSS v3.1 base score: 4.7 (Medium)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N

Patches

The problem will not be patched in the affected versions: they are more than two years old and are no longer built or maintained, by any automated system or otherwise.

Instead, the problem will be addressed by deleting the affected container images, and by deleting the GitHub tags and release branches of the affected Keptn versions so that the vulnerable code is not built again. Disclaimers will also be added to the affected GitHub releases.

Workarounds/Mitigations

The vulnerability can be avoided by not building any of the container images listed above yourself and by using the released images instead. If you do build from source, fetch the Helm CLI from the Helm project's GitHub releases (where the project now publishes its binaries) rather than from the deleted bucket, and verify the download against a pinned checksum before installing it.
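The two failure modes the Summary describes (an attacker-claimable bucket name, and a binary copied into the image with no integrity check) and the mitigation above can be demonstrated in a small build-step helper. The script below is an added example written for this page; it is not code from the Keptn project or from the advisory author. It assumes the abandoned bucket was reachable under the usual Google Cloud Storage host forms for a bucket called kubernetes-helm; the file names and digests used to exercise it are constructed for the demonstration, and the curl branch is what a real RUN step would use but is not exercised here.

```shell
#!/bin/sh
# Added example, not Keptn project code.
# fetch_verified refuses the abandoned Helm bucket outright and installs a
# downloaded binary only when its SHA-256 matches a digest pinned in the
# build script, which is the check the affected Dockerfiles lacked.
set -e

# Return 0 when the URL points at the kubernetes-helm bucket the Helm project
# deleted. Assumption: both GCS host forms for that bucket name are matched.
url_uses_abandoned_bucket() {
  case "$1" in
    *storage.googleapis.com/kubernetes-helm/*|*kubernetes-helm.storage.googleapis.com/*)
      return 0 ;;
    *)
      return 1 ;;
  esac
}

# Print the hex SHA-256 of a file with whichever tool the build image ships.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# fetch_verified URL DEST EXPECTED_SHA256
# file:// URLs are copied locally so the check can be exercised offline;
# any other URL goes through curl, as a Dockerfile RUN step would.
# Return codes: 0 ok, 2 forbidden source, 3 download failed, 4 digest mismatch.
fetch_verified() {
  url=$1; dest=$2; expected=$3
  if url_uses_abandoned_bucket "$url"; then
    echo "refusing $url: bucket deleted by the Helm project, name can be re-registered" >&2
    return 2
  fi
  case "$url" in
    file://*) cp "${url#file://}" "$dest" || return 3 ;;
    *)        curl -fsSL -o "$dest" "$url" || return 3 ;;
  esac
  actual=$(sha256_of "$dest")
  if [ "$actual" != "$expected" ]; then
    echo "digest mismatch for $url: expected $expected, got $actual" >&2
    rm -f "$dest"          # never leave an unverified binary in the image
    return 4
  fi
  chmod 0755 "$dest"
  return 0
}
```

In a Dockerfile the pinned digest would be passed as an ARG (or hard-coded next to the Helm version) and the RUN step would call fetch_verified with the GitHub release URL; a bumped Helm version then forces a deliberate digest update, and a swapped binary fails the build instead of being baked into the image.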

References

GitHub Security Advisory