CVE-2024-9042: Command Injection affecting Windows nodes via nodes/*/logs/query API #129654

Closed
SaranBalaji90 opened this issue Jan 15, 2025 · 3 comments
Labels
area/kubelet area/security committee/security-response Denotes an issue or PR intended to be handled by the product security committee. kind/bug Categorizes issue or PR as related to a bug. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. official-cve-feed Issues or PRs related to CVEs officially announced by Security Response Committee (SRC) sig/node Categorizes an issue or PR as relevant to SIG Node.

Comments

SaranBalaji90 commented Jan 15, 2025

Hello Kubernetes Community,

A security vulnerability has been discovered in Kubernetes Windows nodes that could allow a user with the ability to query a node's '/logs' endpoint to execute arbitrary commands on the host.

This issue has been rated Medium with a CVSS v3.1 score of 5.9 (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N) and assigned CVE-2024-9042.

Am I vulnerable?

This CVE affects only Windows worker nodes. Your worker node is vulnerable to this issue if it is running one of the affected versions listed below.

Affected Components

Kubelet

Affected Versions

v1.32.0
v1.31.0 to v1.31.4
v1.30.0 to v1.30.8
<=v1.29.12

How do I mitigate this vulnerability?

To mitigate this vulnerability, you need to upgrade the Kubelet on your Windows worker nodes to one of the fixed versions listed below.

Fixed Versions

v1.32.1
v1.31.5
v1.30.9
v1.29.13

Detection

To detect whether this vulnerability has been exploited, you can examine your cluster's audit logs to search for node 'logs' queries with suspicious inputs.

If you find evidence that this vulnerability has been exploited, please contact [email protected]

Acknowledgements

This vulnerability was reported by Peled, Tomer and mitigated by Aravindh Puthiyaprambil.
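Two checks a cluster operator would want for the "Am I vulnerable?" and "Detection" sections above, written as an added example (this is not code from the advisory, the Kubernetes project, or the reporter). The first compares a kubelet version string against exactly the affected and fixed ranges listed in the advisory. The second scans API server audit log lines (JSON, one event per line) for requests that reach the node logs proxy path and carry shell metacharacters in their query parameters, which is one concrete reading of "node 'logs' queries with suspicious inputs". The audit events are constructed samples; the `/api/v1/nodes/<node>/proxy/logs` URI shape, the metacharacter list, and the `query` parameter name are assumptions that should be adjusted to what your own audit policy actually records.

```python
"""Added example for CVE-2024-9042 (not from the advisory or the Kubernetes project).

is_affected()                 - version check against the advisory's listed ranges.
suspicious_node_log_queries() - audit-log scan for node logs requests whose query
                                values contain shell metacharacters (heuristic).
"""
import json
import re
from urllib.parse import parse_qsl, urlsplit

# From the advisory: affected v1.32.0, v1.31.0-v1.31.4, v1.30.0-v1.30.8, <=v1.29.12;
# fixed v1.32.1, v1.31.5, v1.30.9, v1.29.13. Map minor -> first fixed patch level.
FIXED_PATCH = {32: 1, 31: 5, 30: 9, 29: 13}

_VER_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(version: str) -> tuple:
    """Parse 'v1.31.4' (pre-release suffixes are ignored) into (major, minor, patch)."""
    m = _VER_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised kubelet version: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version: str, windows_node: bool = True) -> bool:
    """True if a Windows kubelet at this version is in an affected range.

    The advisory scopes the issue to Windows worker nodes only, so a Linux node
    is reported as not affected regardless of version.
    """
    if not windows_node:
        return False
    major, minor, patch = parse_version(version)
    if major != 1:
        return False
    if minor < 29:
        return True  # covered by the "<=v1.29.12" line: older minors never got a fix
    if minor > 32:
        return False  # newer minors were released after the fix
    return patch < FIXED_PATCH[minor]


# Assumed URI shape of a node logs request as seen by the API server audit log.
_NODE_LOGS_RE = re.compile(r"^/api/v1/nodes/[^/]+/proxy/logs(?:/|$)")

# Characters that have no business in a log/service name but mean something to a
# command interpreter (cmd.exe, PowerShell or a POSIX shell). Tune for your environment.
_META_RE = re.compile(r"[;&|`$<>^\r\n]")


def suspicious_node_log_queries(audit_lines):
    """Return a list of hits for audit events that touch the node logs proxy path
    and carry a metacharacter in any query parameter name or value."""
    hits = []
    for line in audit_lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        uri = event.get("requestURI", "")
        parts = urlsplit(uri)
        if not _NODE_LOGS_RE.match(parts.path):
            continue
        # parse_qsl percent-decodes, so encoded metacharacters are caught too.
        params = parse_qsl(parts.query, keep_blank_values=True)
        bad = [(k, v) for k, v in params if _META_RE.search(k) or _META_RE.search(v)]
        if bad:
            hits.append({
                "user": event.get("user", {}).get("username", "?"),
                "stage": event.get("stage"),
                "requestURI": uri,
                "params": bad,
            })
    return hits


# Constructed sample audit events: one benign node logs query, one with a ';' smuggled
# in percent-encoded form, and one unrelated request that must not match.
SAMPLE_AUDIT = r'''
{"kind":"Event","stage":"ResponseComplete","verb":"get","user":{"username":"ops-admin"},"requestURI":"/api/v1/nodes/win-node-1/proxy/logs/?query=kubelet&sinceTime=2025-01-15T00:00:00Z","responseStatus":{"code":200}}
{"kind":"Event","stage":"ResponseComplete","verb":"get","user":{"username":"system:serviceaccount:default:suspect"},"requestURI":"/api/v1/nodes/win-node-1/proxy/logs/?query=kubelet%3Bbogus","responseStatus":{"code":200}}
{"kind":"Event","stage":"ResponseComplete","verb":"get","user":{"username":"dev"},"requestURI":"/api/v1/pods?limit=500","responseStatus":{"code":200}}
'''

if __name__ == "__main__":
    for v in ("v1.32.0", "v1.32.1", "v1.29.12", "v1.29.13"):
        print(v, "affected" if is_affected(v) else "fixed/not affected")
    for hit in suspicious_node_log_queries(SAMPLE_AUDIT.splitlines()):
        print("SUSPICIOUS:", hit["user"], hit["requestURI"], hit["params"])
```

The scan only reports requests that reached the API server with the metacharacter present, so run it over the audit log of every API server and include the `RequestReceived` stage as well if your policy records it; a request that was rejected or timed out still indicates someone probing the endpoint. Pair the hit list with the kubelet version of the targeted node (`is_affected`) to decide whether a hit needs incident handling or only a follow-up with the requester.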

@SaranBalaji90 SaranBalaji90 added the kind/bug Categorizes issue or PR as related to a bug. label Jan 15, 2025
@k8s-ci-robot k8s-ci-robot added needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Jan 15, 2025
@k8s-ci-robot

This issue is currently awaiting triage.

If a SIG or subproject determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@SaranBalaji90

/area security
/kind bug
/committee security-response
/label official-cve-feed
/sig node
/area kubelet

@k8s-ci-robot k8s-ci-robot added area/security committee/security-response Denotes an issue or PR intended to be handled by the product security committee. sig/node Categorizes an issue or PR as relevant to SIG Node. area/kubelet official-cve-feed Issues or PRs related to CVEs officially announced by Security Response Committee (SRC) and removed needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Jan 15, 2025
SaranBalaji90 commented Jan 15, 2025

This has been fixed in the following PRs and has been cherry-picked to supported versions:
#129595
#129598
#129599
#129602
#129603

@github-project-automation github-project-automation bot moved this from Triage to Done in SIG Node Bugs Jan 15, 2025
@SaranBalaji90 SaranBalaji90 changed the title [Security Advisory] CVE-2024-9042: Command Injection affecting Windows nodes via nodes/*/logs/query API CVE-2024-9042: Command Injection affecting Windows nodes via nodes/*/logs/query API Jan 15, 2025