CVE-2021-25735 : What You Need to Know

A security issue was discovered in kube-apiserver that could allow node updates to bypass a Validating Admission Webhook. This vulnerability affects Kubernetes clusters running a Validating Admission Webhook for Nodes that denies admission based on the old state of the Node object.

Understanding CVE-2021-25735

This CVE affects Kubernetes and specifically relates to how the Validating Admission Webhook handles node updates.

What is CVE-2021-25735?

CVE-2021-25735 is a vulnerability in kube-apiserver that allows node updates to bypass a Validating Admission Webhook, impacting Kubernetes clusters utilizing certain validation mechanisms.

The Impact of CVE-2021-25735

The vulnerability poses a medium severity risk with a base score of 6.5. It has a high impact on availability and integrity, requiring high privileges for exploitation.

Technical Details of CVE-2021-25735

The technical details of the CVE include:

Vulnerability Description

The issue arises from the Validating Admission Webhook not properly observing certain previous fields during node updates.

Affected Systems and Versions

Kubernetes versions up to 1.20.5 are affected by this vulnerability when using Validating Admission Webhooks for Nodes.

Exploitation Mechanism

Exploiting this vulnerability requires high privileges and involves bypassing the Validating Admission Webhook during node updates.

Mitigation and Prevention

To address CVE-2021-25735, consider the following measures:

Immediate Steps to Take

Update Kubernetes to a non-vulnerable version (beyond 1.20.5).
Review and adjust Validating Admission Webhook configurations.

Long-Term Security Practices

Regularly monitor Kubernetes security announcements and update processes.
Implement robust access controls and monitoring within Kubernetes environments.

Patching and Updates

Apply relevant patches and updates provided by Kubernetes to mitigate the vulnerability.