Security Bulletins

Calico Enterprise running on OpenShift is vulnerable to Privilege Escalation

Reference: TTA-2021-001

Date published: 2021-Sep-1

Severity: High

Notes: N/A

Description

Customers running Calico Enterprise on OpenShift are vulnerable to privilege escalation via Security Context Constraints (SCCs). Because the SCCs shipped with Tigera's resources were misconfigured, pods admitted under the affected SCCs can be granted privileged capabilities. An attacker who holds permission to create and/or edit pods can therefore deploy privileged pods in the cluster and escalate privileges; a privileged pod, or one that mounts host directories, gives its owner control of the node it is scheduled on.

Severity

HIGH

Because of the misconfiguration, every authenticated role and service account in the cluster can use the affected SCCs. However, exploiting the issue requires a compromised credential (a token or other credential) that has permission to create and modify pods.

Affected Releases

  • Calico Enterprise v2.5 and later, prior to the fixed releases listed below (OpenShift deployments only)
  • Calico Cloud

Indicators of Impact/Compromise

Pods running in privileged mode or with host volume mounts that were admitted under one of the affected SCCs. On OpenShift, the `openshift.io/scc` annotation on a pod records which SCC admitted it.
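The indicators above can be checked from the cluster's own API objects. The following Python script is an added example, not Tigera's code or part of this bulletin: it reads saved `oc get pods -A -o json` and `oc get scc -o json` output, flags pods that run privileged, mount hostPath volumes, or share host namespaces (the host-namespace check goes slightly beyond the indicator wording above), reports which SCC admitted each flagged pod via the `openshift.io/scc` annotation, and lists SCCs that both grant host-level settings and are open to `system:authenticated` or `system:serviceaccounts`. The SCC name `example-broad-scc` and all embedded pod data are constructed placeholders, not real Tigera resource names.

```python
"""Audit OpenShift pod and SCC dumps for the conditions described in TTA-2021-001.
Added example; not part of the bulletin or of Tigera's software."""
import json

# Constructed sample of `oc get pods -A -o json` output; not real cluster data.
# "example-broad-scc" is a placeholder SCC name, not a Tigera resource name.
SAMPLE_PODS_JSON = json.dumps({"items": [
    {"metadata": {"namespace": "app", "name": "web-0",
                  "annotations": {"openshift.io/scc": "restricted"}},
     "spec": {"containers": [{"name": "web", "image": "nginx"}],
              "volumes": [{"name": "cfg", "configMap": {"name": "web"}}]}},
    {"metadata": {"namespace": "app", "name": "miner-0",
                  "annotations": {"openshift.io/scc": "example-broad-scc"}},
     "spec": {"containers": [{"name": "c", "image": "busybox",
                              "securityContext": {"privileged": True}}]}},
    {"metadata": {"namespace": "app", "name": "reader-0",
                  "annotations": {"openshift.io/scc": "example-broad-scc"}},
     "spec": {"hostPID": True,
              "containers": [{"name": "c", "image": "busybox"}],
              "volumes": [{"name": "root", "hostPath": {"path": "/"}}]}},
]})

# Constructed sample of `oc get scc -o json` output (only the fields we inspect).
SAMPLE_SCCS_JSON = json.dumps({"items": [
    {"metadata": {"name": "restricted"},
     "allowPrivilegedContainer": False, "allowHostDirVolumePlugin": False,
     "allowHostNetwork": False, "allowHostPID": False, "allowHostIPC": False,
     "users": [], "groups": ["system:authenticated"]},
    {"metadata": {"name": "privileged"},
     "allowPrivilegedContainer": True, "allowHostDirVolumePlugin": True,
     "allowHostNetwork": True, "allowHostPID": True, "allowHostIPC": True,
     "users": ["system:admin"], "groups": ["system:cluster-admins", "system:nodes"]},
    {"metadata": {"name": "example-broad-scc"},  # the misconfiguration pattern
     "allowPrivilegedContainer": True, "allowHostDirVolumePlugin": True,
     "allowHostNetwork": False, "allowHostPID": True, "allowHostIPC": False,
     "users": [], "groups": ["system:authenticated"]},
]})

# Groups that every authenticated principal, or every service account, belongs to.
BROAD_GROUPS = {"system:authenticated", "system:serviceaccounts"}
# SCC fields that hand out host-level power.
PRIVILEGED_SCC_FIELDS = ("allowPrivilegedContainer", "allowHostDirVolumePlugin",
                         "allowHostNetwork", "allowHostPID", "allowHostIPC")


def pod_findings(pod):
    """Return the reasons a single pod object counts as an indicator of impact."""
    spec = pod.get("spec", {})
    reasons = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        if c.get("securityContext", {}).get("privileged"):
            reasons.append("privileged container %s" % c.get("name"))
    for v in spec.get("volumes", []):
        if "hostPath" in v:
            reasons.append("hostPath volume %s -> %s" % (v.get("name"), v["hostPath"].get("path")))
    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(flag):
            reasons.append(flag)
    return reasons


def suspicious_pods(pods_json):
    """Parse pod-list JSON; return [(namespace, name, admitting SCC, reasons)]."""
    out = []
    for pod in json.loads(pods_json).get("items", []):
        reasons = pod_findings(pod)
        if reasons:
            md = pod["metadata"]
            scc = md.get("annotations", {}).get("openshift.io/scc", "?")
            out.append((md["namespace"], md["name"], scc, reasons))
    return out


def broadly_usable_privileged_sccs(sccs_json):
    """Parse SCC-list JSON; return [(name, broad groups, privileged fields)] for SCCs
    that grant host-level power AND list a broad group, i.e. the bulletin's misconfiguration."""
    bad = []
    for scc in json.loads(sccs_json).get("items", []):
        grants = [f for f in PRIVILEGED_SCC_FIELDS if scc.get(f)]
        open_to = BROAD_GROUPS.intersection(scc.get("groups") or [])
        if grants and open_to:
            bad.append((scc["metadata"]["name"], sorted(open_to), grants))
    return bad


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # python3 audit.py pods.json sccs.json (files saved from oc)
        pods_json, sccs_json = open(sys.argv[1]).read(), open(sys.argv[2]).read()
    else:                   # no arguments: run against the embedded sample
        pods_json, sccs_json = SAMPLE_PODS_JSON, SAMPLE_SCCS_JSON
    for ns, name, scc, reasons in suspicious_pods(pods_json):
        print("%s/%s (admitted by SCC %s): %s" % (ns, name, scc, ", ".join(reasons)))
    for name, groups, grants in broadly_usable_privileged_sccs(sccs_json):
        print("SCC %s is open to %s and allows %s" % (name, ", ".join(groups), ", ".join(grants)))
```

Save the two `oc` outputs to files and run `python3 audit.py pods.json sccs.json`; with no arguments the script runs against the embedded sample. The SCC check only inspects the `groups` field; use of an SCC can also be granted through RBAC (the `use` verb on securitycontextconstraints), so pair it with `oc adm policy who-can use scc <name>` for each SCC that grants privileged settings.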

Workaround / Remediation

An operator-based patch has been released. Update to the latest version of the Calico Enterprise operator; the cluster is not remediated until the updated operator has rolled out and reconciled the affected SCCs.

Steps:

  1. Download the latest operator manifest (adjust the version number in the URL if needed): https://docs.tigera.io/v3.8/manifests/ocp/tigera-operator/02-tigera-operator.yaml
  2. `oc apply -f 02-tigera-operator.yaml`

Refer to our update guide for OpenShift: https://docs.tigera.io/maintenance/openshift-upgrade

Fixed Software

  • Calico Enterprise v3.4 and above
  • Calico v3.2.4

Acknowledgment

We would like to thank our customers for reporting the issue.
