

Calico Enterprise running OpenShift is vulnerable to Privilege Escalation

Reference: TTA-2021-001

Date published: 2021-Sep-1




Customers running Calico Enterprise on OpenShift are vulnerable to privilege escalation via Security Context Constraints (SCCs). Due to a misconfiguration of the SCCs in Tigera's resources, pods created under the affected SCCs can be granted privileged capabilities. An attacker with pod create and/or edit permission is able to deploy privileged pods in the cluster to achieve privilege escalation.




Due to the misconfiguration, all authenticated roles and service accounts in the cluster can use the affected SCCs. However, a compromised resource (token or credentials) with pod creation and modification permission is needed to leverage this vulnerability.


Affected Releases

  • Calico Enterprise v2.5 and above (OpenShift deployments only)
  • Calico Cloud


Indicators of Impact/Compromise

Pods running in privileged mode or with host volume mounts.
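As an added defender's check (example code, not Tigera's; the SCC and pod objects below are constructed samples, not the real Tigera resources), this flags SCCs that grant host-escape capabilities to all authenticated principals, as described above, and pods showing the indicators listed here. Real input would be the `.items` arrays from `oc get scc -o json` and `oc get pods -A -o json`.

```python
import json
# Constructed sample SCCs (not the real Tigera resources): one that grants
# privileged containers and hostPath volumes to every authenticated principal,
# one scoped to a single service account.
SAMPLE_SCCS = json.loads("""[
  {"metadata": {"name": "example-wide-open"}, "allowPrivilegedContainer": true,
   "allowHostDirVolumePlugin": true, "users": [], "groups": ["system:authenticated"]},
  {"metadata": {"name": "example-scoped"}, "allowPrivilegedContainer": true,
   "allowHostDirVolumePlugin": false,
   "users": ["system:serviceaccount:example-ns:example-sa"], "groups": []}
]""")

# Constructed sample pods: one privileged with a hostPath mount, one benign.
SAMPLE_PODS = json.loads("""[
  {"metadata": {"name": "suspicious", "namespace": "default",
                "annotations": {"openshift.io/scc": "example-wide-open"}},
   "spec": {"containers": [{"name": "c", "securityContext": {"privileged": true}}],
            "volumes": [{"name": "root", "hostPath": {"path": "/"}}]}},
  {"metadata": {"name": "benign", "namespace": "default",
                "annotations": {"openshift.io/scc": "restricted"}},
   "spec": {"containers": [{"name": "c"}], "volumes": [{"name": "tmp", "emptyDir": {}}]}}
]""")

# SCC flags that let a pod reach the host; any of them plus a broad group is a finding.
HOST_ESCAPE_FLAGS = ("allowPrivilegedContainer", "allowHostDirVolumePlugin",
                     "allowHostNetwork", "allowHostPID")
BROAD_GROUPS = {"system:authenticated", "system:serviceaccounts"}

def overly_broad_sccs(sccs):
    """Names of SCCs granting host-escape capabilities to all authenticated principals."""
    return [scc["metadata"]["name"] for scc in sccs
            if any(scc.get(f) for f in HOST_ESCAPE_FLAGS)
            and BROAD_GROUPS.intersection(scc.get("groups") or [])]

def suspicious_pods(pods):
    """(namespace/name, admitting SCC) for pods running privileged or mounting host paths."""
    out = []
    for pod in pods:
        spec = pod.get("spec", {})
        privileged = any((c.get("securityContext") or {}).get("privileged")
                         for c in spec.get("containers", []))
        host_mount = any("hostPath" in v for v in spec.get("volumes", []))
        if privileged or host_mount:
            md = pod["metadata"]
            out.append((f"{md['namespace']}/{md['name']}",
                        md.get("annotations", {}).get("openshift.io/scc", "unknown")))
    return out

if __name__ == "__main__":
    print(overly_broad_sccs(SAMPLE_SCCS), suspicious_pods(SAMPLE_PODS))
```

The `openshift.io/scc` annotation records which SCC admitted each pod, so a hit on a broad SCC from the first check can be cross-referenced against the second.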


Workaround / Remediation

An operator-based patch has been released. Please update to the latest version of the Calico Enterprise operator.


  1. Download the latest operator (adjust version number if needed):
  2. `oc apply -f 02-tigera-operator.yaml`

Refer to our update guide for OpenShift:


Fixed Software

  • Calico Enterprise v3.4 and above
  • Calico v3.2.4



We would like to thank our customers for reporting the issue.
