Hello Kubernetes Community,

The Go team has released a fix in Go versions 1.21.11 and 1.22.4 addressing a symlink race condition when using os.RemoveAll. The Kubernetes Security Response Committee received a report that this issue could be abused in Kubernetes to delete arbitrary directories on a Node with root permissions by a local non-root user with the same UID as the user in a Pod.

The Go team has not issued a CVE for this, as it is considered a hardening issue, and the SRC is following that decision as well.

Am I affected?

Kubernetes versions built with Go versions prior to 1.21.11 or 1.22.4 are affected.

Affected Versions
- <1.30.2
- <1.29.6
- <1.28.11
- <1.27.15

How do I mitigate this issue?

Upgrade to a fixed (or newer) version of Kubernetes.

Fixed Versions
- 1.30.2+
- 1.29.6+
- 1.28.11+
- 1.27.15+

To upgrade, refer to the documentation: https://kubernetes.io/docs/tasks/administer-cluster/cluster-upgrade/

Detection

This issue could be detected by looking for unexpected file deletions on a Node. If you find evidence that this vulnerability has been exploited, please contact secur...@kubernetes.io

Additional Details

See the GitHub issue for more details: https://github.com/kubernetes/kubernetes/issues/132267

Acknowledgements

This issue was reported by Addison Crump.

Thank You,
Craig Ingram on behalf of the Kubernetes Security Response Committee
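A version check against the "Fixed Versions" list above, added here as an example and not part of the advisory or the Kubernetes project: it reads "<node-name> <kubeletVersion>" lines, as produced by `kubectl get nodes -o jsonpath='{range .items[*]}{.metadata.name} {.status.nodeInfo.kubeletVersion}{"\n"}{end}'`, and reports nodes whose kubelet predates the fixed releases. The node names and versions in the sample are constructed; minors newer than 1.30 are assumed fixed and minors older than 1.27 assumed affected, since the advisory lists no fixed release for them.

```go
package main

import (
	"fmt"
	"strings"
)
// Lowest patch release per 1.x minor that carries the fix (advisory's "Fixed Versions").
var fixedPatch = map[int]int{27: 15, 28: 11, 29: 6, 30: 2}
// IsFixed reports whether a kubelet version such as "v1.29.5" includes the fix. Minors
// above 1.30 count as fixed, minors below 1.27 as affected (no fix is listed for them).
func IsFixed(version string) (bool, error) {
	var major, minor, patch int // %d stops at the first non-digit, so "-eks-..." suffixes are ignored
	_, err := fmt.Sscanf(strings.TrimPrefix(version, "v"), "%d.%d.%d", &major, &minor, &patch)
	if err != nil || major != 1 {
		return false, fmt.Errorf("unexpected kubelet version %q", version)
	}
	if minor > 30 {
		return true, nil
	}
	need, ok := fixedPatch[minor]
	return ok && patch >= need, nil
}

// AffectedNodes takes "<node-name> <kubeletVersion>" lines, one per node, and returns
// the names of nodes whose kubelet predates the fixed releases.
func AffectedNodes(nodeLines string) ([]string, error) {
	var affected []string
	for _, line := range strings.Split(strings.TrimSpace(nodeLines), "\n") {
		f := strings.Fields(line)
		if len(f) != 2 {
			return nil, fmt.Errorf("malformed line %q", line)
		}
		fixed, err := IsFixed(f[1])
		if err != nil {
			return nil, fmt.Errorf("node %s: %w", f[0], err)
		}
		if !fixed {
			affected = append(affected, f[0])
		}
	}
	return affected, nil
}

// Constructed sample in the "<node-name> <kubeletVersion>" shape produced by kubectl.
const sampleNodes = "node-a v1.29.5\nnode-b v1.30.2\nnode-c v1.28.11-eks-ae9a62a\nnode-d v1.26.15"

func main() {
	affected, err := AffectedNodes(sampleNodes)
	if err != nil {
		panic(err)
	}
	fmt.Println("nodes still on an affected kubelet:", affected) // [node-a node-d]
}
```

The kubelet version is only a proxy for the Go toolchain the binary was built with; on a node, `go version -m /path/to/kubelet` shows the exact toolchain, which is what actually decides whether the os.RemoveAll fix is present.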