Calico Enterprise running on OpenShift is vulnerable to Privilege Escalation
Date published: 2021-Sep-1
Customers running Calico Enterprise on OpenShift are vulnerable to privilege escalation via Security Context Constraints (SCCs). Because the SCCs shipped with Tigera's resources were misconfigured, pods created under the affected SCCs can be granted privileged capabilities. An attacker with permission to create and/or edit pods is able to deploy privileged pods in the cluster and so escalate privileges.
Because of the misconfiguration, every authenticated role and service account in the cluster can use the affected SCCs. However, a compromised resource (token or credentials) with pod creation and modification permission is needed to exploit this vulnerability.
Affected Versions
- Calico Enterprise v2.5 and above (OpenShift deployments only)
- Calico Cloud
Indicators of Impact/Compromise
Pods running in privileged mode or with host volume mounts.
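As an added audit example (not Tigera's code), the following Python checks both points above: SCCs that allow privileged containers or hostPath volumes while being usable by a cluster-wide group, and pods that show the indicators of impact listed here. It reads the JSON that `oc get scc -o json` and `oc get pods -A -o json` produce; the embedded SCC and pod objects, the SCC name and the group set are constructed samples, not data from any cluster.

```python
import json

# Constructed SCC sample (not cluster data): one SCC grants privileged containers
# and hostPath volumes to every authenticated subject; the other is restrictive.
SCC_JSON = json.dumps({"items": [
    {"metadata": {"name": "example-permissive-scc"}, "allowPrivilegedContainer": True,
     "allowHostDirVolumePlugin": True, "groups": ["system:authenticated"]},
    {"metadata": {"name": "restricted"}, "allowPrivilegedContainer": False,
     "allowHostDirVolumePlugin": False, "groups": ["system:authenticated"]},
]})
# Constructed pod sample: one privileged pod with a hostPath mount, one benign pod.
PODS_JSON = json.dumps({"items": [
    {"metadata": {"name": "web", "namespace": "app",
                  "annotations": {"openshift.io/scc": "example-permissive-scc"}},
     "spec": {"volumes": [{"name": "h", "hostPath": {"path": "/"}}],
              "containers": [{"name": "c", "securityContext": {"privileged": True}}]}},
    {"metadata": {"name": "api", "namespace": "app",
                  "annotations": {"openshift.io/scc": "restricted"}},
     "spec": {"volumes": [{"name": "tmp", "emptyDir": {}}],
              "containers": [{"name": "c"}]}},
]})

# Groups that effectively mean "anyone in the cluster" (assumed set for this check).
BROAD_GROUPS = {"system:authenticated", "system:authenticated:oauth", "system:serviceaccounts"}

def risky_sccs(scc_json):
    """Names of SCCs that allow privileged containers or hostPath volumes and are
    usable by a cluster-wide group: the misconfiguration the advisory describes."""
    found = []
    for scc in json.loads(scc_json)["items"]:
        permissive = scc.get("allowPrivilegedContainer") or scc.get("allowHostDirVolumePlugin")
        if permissive and BROAD_GROUPS & set(scc.get("groups") or []):
            found.append(scc["metadata"]["name"])
    return found

def suspicious_pods(pods_json):
    """'namespace/name (scc=...)' for pods running privileged or mounting hostPath,
    the indicators of impact listed in the advisory."""
    found = []
    for pod in json.loads(pods_json)["items"]:
        spec, meta = pod["spec"], pod["metadata"]
        privileged = any((c.get("securityContext") or {}).get("privileged")
                         for c in spec.get("containers") or [])
        hostpath = any("hostPath" in v for v in spec.get("volumes") or [])
        if privileged or hostpath:
            scc = (meta.get("annotations") or {}).get("openshift.io/scc", "unknown")
            found.append(f"{meta['namespace']}/{meta['name']} (scc={scc})")
    return found
```

Against a live cluster, feed the two functions the output of the `oc get` commands named in the lead-in; the `openshift.io/scc` annotation on each flagged pod tells you which SCC admitted it.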
Workaround / Remediation
An operator-based patch has been released. Please update to the latest version of the Calico Enterprise operator:
- Download the latest operator manifest (adjust the version number if needed): https://docs.tigera.io/v3.8/manifests/ocp/tigera-operator/02-tigera-operator.yaml
- Apply it: `oc apply -f 02-tigera-operator.yaml`
Refer to our update guide for OpenShift: https://docs.tigera.io/maintenance/openshift-upgrade
Fixed Versions
- Calico Enterprise v3.4 and above
- Calico v3.2.4
We would like to thank our customers for reporting the issue.