A recent information disclosure vulnerability (CVE-2018-5256) was found and addressed in Tectonic, which affects versions 1.7 through 1.8. Unauthenticated users were able to list all Namespaces through the Console. In 1.8, which finalized the transition from Third Party Resources (TPRs) to Custom Resource Definitions (CRDs), the ability to list all CRDs was affected by the same bug. The intention of this API endpoint is to enable listing all namespaces by logged-in users.
This is necessary because, at this time, Kubernetes's RBAC system lacks the capability to ensure LIST operations are filtered and scoped to objects that a user is able to GET. As a compromise until this is addressed upstream, all authenticated users can get the list of all namespaces for navigation in Tectonic Console. Future user experience work will prioritize features to bookmark certain namespaces to reduce or eliminate the need for browsing the full namespace list.
The root cause is that this API path was missing the required authentication middleware that would normally protect it from unauthenticated access and return a 401. After addressing this issue, we will further investigate refactoring and testing the authentication middleware code. This should reduce implementation errors in this critical part of the system.
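The class of bug described above, and the structural fix for it, as an added Go example that is not Tectonic Console's own code: every API handler is mounted behind one authentication wrapper so a route cannot be registered without it, and a probe function lets a regression test assert that anonymous requests to each registered path get a 401. The paths, the bearer token and the namespace names are constructed for the example.

```go
package main

import (
	"encoding/json"
	"net/http"
	"net/http/httptest"
)

// isAuthenticated stands in for the Console's real session check (hypothetical:
// it accepts only one fixed bearer token constructed for this example).
func isAuthenticated(r *http.Request) bool {
	return r.Header.Get("Authorization") == "Bearer constructed-valid-token"
}

// requireAuth answers 401 and stops before the wrapped handler runs unless the
// request is authenticated.
func requireAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !isAuthenticated(r) {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// listNamespaces is the kind of endpoint the advisory describes: any logged-in
// user may read the full list. The names are constructed sample data.
func listNamespaces(w http.ResponseWriter, _ *http.Request) {
	_ = json.NewEncoder(w).Encode([]string{"default", "kube-system", "tectonic-system"})
}

// NewAPIRouter mounts every API handler behind one auth wrapper, so a new route
// cannot be registered without it; the bug was a single route lacking the wrap.
func NewAPIRouter() http.Handler {
	api := http.NewServeMux()
	api.HandleFunc("/api/tectonic/namespaces", listNamespaces)
	api.HandleFunc("/api/tectonic/crds", listNamespaces) // CRD listing gets the same guard
	root := http.NewServeMux()
	root.Handle("/api/", requireAuth(api))
	return root
}

// StatusFor probes a path with an optional bearer token; a regression test can
// run it over every registered API path and require 401 for anonymous requests.
func StatusFor(h http.Handler, path, token string) int {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}
```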
Versions 1.8.4-tectonic.3 and 1.7.9-tectonic.4 of Tectonic are available across the following channels:
- Tectonic 1.7 preproduction
- Tectonic 1.7 production
- Tectonic 1.8 preproduction
- Tectonic 1.8 production
More info on the update process and how to use each channel is available in our documentation.
Follow @CoreOSSecurity on Twitter if you’d like an additional avenue for this information.
This post will be updated with a CVE once assigned.