From 3860cdbe7ee93a459e5e3cd12bf2c8f7a7493230 Mon Sep 17 00:00:00 2001 From: faweizhao26 Date: Thu, 17 Oct 2024 15:57:12 +0800 Subject: [PATCH] add one news Signed-off-by: faweizhao26 --- content/en/news/kubesphere-cve-2024-46528.md | 43 ++++++++++++++++++++ content/zh/news/kubesphere-cve-2024-46528.md | 40 ++++++++++++++++++ 2 files changed, 83 insertions(+) create mode 100644 content/en/news/kubesphere-cve-2024-46528.md create mode 100644 content/zh/news/kubesphere-cve-2024-46528.md diff --git a/content/en/news/kubesphere-cve-2024-46528.md b/content/en/news/kubesphere-cve-2024-46528.md new file mode 100644 index 0000000000..c04874b5c2 --- /dev/null +++ b/content/en/news/kubesphere-cve-2024-46528.md 
@@ -0,0 +1,43 @@ +--- +title: 'Statement and Solution for KubeSphere IDOR Security Vulnerability CVE-2024-46528' +tag: 'Product News' +keywords: 'Kubernetes, KubeSphere, IDOR, Security Vulnerability' +description: 'A vulnerability of Insecure Direct Object Reference (IDOR) in KubeSphere 3.4.1 and 4.1.1.' +createTime: '2024-10-17' +author: 'KubeSphere' +image: 'https://pek3b.qingstor.com/kubesphere-community/images/kubesphere-idor-cve-en-cover.png' +--- + +Recently, security technicians from a third-party platform discovered a vulnerability of Insecure Direct Object Reference (IDOR) in KubeSphere 3.4.1 and 4.1.1. This vulnerability allows an authenticated attacker with low privileges to access sensitive resources without proper authorization checks. We promptly contacted the other party and helped them solve this problem. For detailed information about the CVE vulnerability and the problem-solving process, please refer to the following links: + +- [CVE-2024-46528](https://nvd.nist.gov/vuln/detail/CVE-2024-46528) +- [IDOR Vulnerability in KubeSphere](https://okankurtulus.com.tr/2024/09/09/idor-vulnerability-in-kubesphere/) + +## Affected Versions +- KubeSphere 4.x: < 4.1.3 +- KubeSphere 3.x: >= 3.0.0, <= 3.4.1 +- KubeSphere Enterprise 4.x: < 4.1.3 +- KubeSphere Enterprise 3.x: >= 3.0.0, <= 3.5.0 + +## Workaround +Remove the non-essential resource authorization of the `authenticated` platform role: + +```bash +kubectl patch globalrole.iam.kubesphere.io authenticated --type merge -p '{"rules": [{"apiGroups":["monitoring.kubesphere.io","metering.kubesphere.io","monitoring.coreos.com"],"resources":["cluster"],"verbs":["list"]},{"apiGroups":["resources.kubesphere.io"],"resources":["clusters"],"verbs":["get","list"]}]}' +``` + +This change strengthens the permission constraints on ordinary users. When an ordinary project member opens a page and wants to call these APIs that require privileges, a "forbidden" pop-up box will appear. 
+ +## Remediation Plan + +The risk level of this vulnerability is not high. You can solve this problem through the above workaround. We will fix this issue in the next version KubeSphere 4.1.3, and the expected release time is January 2025. + +## Security Commitment + +KubeSphere is continuously committed to providing enterprise customers with a secure and reliable cloud-native full-stack solution. We value the trust of users in our platform and strive to ensure that our system meets the highest security and performance standards. + +At the same time, the KubeSphere community expresses great gratitude to [Okan Kurtuluş](https://www.linkedin.com/in/okankurtuluss/) for the timely discovery of this problem and the active communication with us. + +## More Information + +For more details about CVE-2024-46528 and its solution, you can contact the KubeSphere support team at security@kubesphere.io. \ No newline at end of file diff --git a/content/zh/news/kubesphere-cve-2024-46528.md b/content/zh/news/kubesphere-cve-2024-46528.md new file mode 100644 index 0000000000..fb5186f5d8 --- /dev/null +++ b/content/zh/news/kubesphere-cve-2024-46528.md 
@@ -0,0 +1,40 @@ +--- +title: '关于 KubeSphere IDOR 安全漏洞 CVE-2024-46528 的声明及解决方案' +tag: '产品动态' +keywords: 'Kubernetes, KubeSphere, IDOR, 安全漏洞' +description: '在 KubeSphere 开源版 3.4.1 及 4.1.1 上存在不安全的直接对象引用(IDOR)的漏洞。' +createTime: '2024-10-17' +author: 'KubeSphere' +image: 'https://pek3b.qingstor.com/kubesphere-community/images/kubesphere-idor-cve-cover.png' +--- + +近期,有第三方平台的安全技术人员发现了在 KubeSphere 开源版 3.4.1 及 4.1.1 上存在不安全的直接对象引用(IDOR)的漏洞,该漏洞允许低权限的通过认证的攻击者在没有适当授权检查的情况下访问敏感资源。我们及时与对方进行了联系,并帮助对方解决了此问题,CVE 漏洞的详细信息及问题处理过程可以参考以下链接: +- [CVE-2024-46528](https://nvd.nist.gov/vuln/detail/CVE-2024-46528) +- [IDOR Vulnerability in KubeSphere](https://okankurtulus.com.tr/2024/09/09/idor-vulnerability-in-kubesphere/) + +## 影响范围 + +- KubeSphere 4.x 受影响版本: < 4.1.3 +- KubeSphere 3.x 受影响版本: >= 3.0.0, <= 3.4.1 +- KubeSphere Enterprise 4.x 受影响版本: < 4.1.3 +- KubeSphere Enterprise 3.x 受影响版本: >= 3.0.0, <= 3.5.0 + +## 规避方案 + +移除 `authenticated` 平台角色非必需的资源授权: + +```bash +kubectl patch globalrole.iam.kubesphere.io authenticated --type merge -p '{"rules": [{"apiGroups":["monitoring.kubesphere.io","metering.kubesphere.io","monitoring.coreos.com"],"resources":["cluster"],"verbs":["list"]},{"apiGroups":["resources.kubesphere.io"],"resources":["clusters"],"verbs":["get","list"]}]}' +``` +此变更加强了对普通用户的权限约束,普通的项目成员在打开的页面,如果要调用这些需要特权 API 的时候会有 Forbidden 弹框。 + +## 未来的修复计划 +此漏洞风险等级不高,您可以通过以上规避方案解决此问题,同时,我们也会在 KubeSphere 下一个正式版本 4.1.3 中修复此问题,预计发布时间为 2025 年 1 月份。 + +## 对安全的承诺 +KubeSphere 持续致力于为企业客户提供安全可靠的云原生全栈解决方案。我们重视用户对我们平台的信任,并努力确保我们的系统符合最高的安全和性能标准。 +同时,KubeSphere 社区对 [Okan Kurtuluş](https://www.linkedin.com/in/okankurtuluss/) 对此问题的及时发现以及与我们的积极沟通表示极大的感谢。 + +## 更多信息 +寻求有关 CVE-2024-46528 及其解决方案的更多详情的用户可以联系 KubeSphere 支持团队,联系方式为 **security@kubesphere.io**。 +
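Review bot: the `kubectl patch globalrole.iam.kubesphere.io authenticated --type merge ...` command under `## Workaround` in `content/en/news/kubesphere-cve-2024-46528.md` replaces the entire `rules` list of the `authenticated` GlobalRole, because a JSON merge patch (`--type merge`) overwrites array fields rather than merging them; every rule not among the two retained entries (`monitoring.kubesphere.io`/`metering.kubesphere.io`/`monitoring.coreos.com` `cluster` list, and `resources.kubesphere.io` `clusters` get/list) is dropped. The section should list which permissions are being removed so operators can assess the impact on their users, and tell them to save the current role first (e.g. `kubectl get globalrole.iam.kubesphere.io authenticated -o yaml > authenticated-globalrole-backup.yaml`) so the original rules can be restored if a page breaks beyond the "forbidden" pop-up the text describes. Separately, `## Affected Versions` marks KubeSphere 3.x up to 3.4.1 and KubeSphere Enterprise 3.x up to 3.5.0 as affected, but `## Remediation Plan` names only 4.1.3 (expected January 2025) as a fixed release; say explicitly whether a 3.x patch release is planned or whether 3.x users must keep the workaround until they upgrade. Minor: the file is committed without a trailing newline (`\ No newline at end of file`).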
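Review bot: in `content/zh/news/kubesphere-cve-2024-46528.md` the `kubectl patch ... --type merge` command under `## 规避方案` also overwrites the whole `rules` list of the `authenticated` GlobalRole (JSON merge patch replaces arrays), so the Chinese text should likewise name the permissions being removed and advise exporting the current role with `kubectl get globalrole.iam.kubesphere.io authenticated -o yaml` before applying it, and `## 未来的修复计划` should state what 3.x users (listed as affected up to 3.4.1 / Enterprise 3.5.0 under `## 影响范围`) are expected to do, since only 4.1.3 is named as the fixed release. The two language versions should also be kept in sync: the zh `description` and opening paragraph scope the issue to "KubeSphere 开源版" (the open-source edition) while the en text says only "KubeSphere", and the zh file bolds the `security@kubesphere.io` contact address while the en file does not.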