Security Bulletins
Calico Enterprise running Openshift is vulnerable to Privilege Escalation
Description | Severity | Notes |
---|---|---|
Calico Enterprise running Openshift is vulnerable to Privilege Escalation (Reference: TTA-2021-001; Date published: 2021-Sep-1) | High | N/A |
Description
Customers running Calico Enterprise on Openshift are vulnerable to privilege escalation via Security Context Constraints (SCCs). Because the SCCs shipped with Tigera's resources were misconfigured, pods created under the affected SCCs can be granted privileged capabilities. An attacker with permission to create or edit pods can therefore deploy privileged pods in the cluster and escalate privileges.
Severity
HIGH
Because of the misconfiguration, every authenticated user and service account in the cluster can use the affected SCCs. Exploiting this still requires a compromised credential (token or credentials) that carries pod create and update permission.
Affected Releases
- Calico Enterprise v2.5 and above (Openshift deployments only)
- Calico Cloud
Indicators of Impact/Compromise
Pods running in privileged mode or with host volume mounts. Calico's own node components legitimately run this way, so look for such pods outside the Calico and Tigera namespaces and check which SCC admitted them (Openshift records this in the pod's `openshift.io/scc` annotation).
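The following is an added audit script, not Tigera's or Red Hat's tooling, that checks both conditions the bulletin describes: SCCs that grant privileged capabilities while being usable by every authenticated principal (the misconfiguration in the Severity section), and pods that run privileged or mount host paths (the indicators above). The two functions take the parsed JSON of `oc get scc -o json` and `oc get pods -A -o json`; the sample documents embedded at the bottom are constructed, and the SCC name `tigera-example-privileged` is a placeholder, not the name of the real affected SCC.

```python
"""Audit OpenShift SCCs and pods for the exposure described in TTA-2021-001.

Added example, not Tigera's code. Feed risky_sccs() the parsed output of
`oc get scc -o json` and privileged_pods() the parsed output of
`oc get pods -A -o json`. SCC_SAMPLE and POD_SAMPLE below are constructed.
"""

# Membership of either group makes an SCC usable by every authenticated
# principal, the condition the bulletin describes.
BROAD_SUBJECTS = {"system:authenticated", "system:serviceaccounts"}

# SCC boolean fields whose truthy value hands out host-level power.
PRIVILEGE_FIELDS = ("allowPrivilegedContainer", "allowHostDirVolumePlugin",
                    "allowHostPID", "allowHostNetwork", "allowHostIPC")


def risky_sccs(scc_list):
    """Return (scc_name, broad_subjects, grants) for every SCC that both
    grants a privileged capability and is bound to a cluster-wide group."""
    findings = []
    for scc in scc_list.get("items", []):
        subjects = set(scc.get("users") or []) | set(scc.get("groups") or [])
        broad = sorted(subjects & BROAD_SUBJECTS)
        if not broad:
            continue  # narrowly bound SCCs such as the built-in "privileged" are fine
        grants = sorted(f for f in PRIVILEGE_FIELDS if scc.get(f))
        if "*" in (scc.get("allowedCapabilities") or []):
            grants.append("allowedCapabilities=*")
        if grants:
            findings.append((scc["metadata"]["name"], broad, grants))
    return findings


def privileged_pods(pod_list, allowed_namespaces=()):
    """Return (namespace, pod, admitting_scc, reasons) for pods that run a
    privileged container or mount a hostPath volume, skipping namespaces
    where that is expected. The openshift.io/scc annotation names the SCC
    that admitted the pod, which is the SCC to blame."""
    findings = []
    for pod in pod_list.get("items", []):
        meta, spec = pod["metadata"], pod["spec"]
        if meta["namespace"] in allowed_namespaces:
            continue
        reasons = []
        for c in spec.get("containers", []) + spec.get("initContainers", []):
            if (c.get("securityContext") or {}).get("privileged"):
                reasons.append(f"container {c['name']} is privileged")
        for v in spec.get("volumes") or []:
            if "hostPath" in v:
                reasons.append(f"hostPath {v['hostPath'].get('path')}")
        if reasons:
            scc = (meta.get("annotations") or {}).get("openshift.io/scc", "?")
            findings.append((meta["namespace"], meta["name"], scc, reasons))
    return findings


# Constructed sample of `oc get scc -o json`: the built-in restricted and
# privileged SCCs plus a placeholder for a misconfigured Tigera SCC.
SCC_SAMPLE = {"items": [
    {"metadata": {"name": "restricted"}, "groups": ["system:authenticated"],
     "allowPrivilegedContainer": False, "allowHostDirVolumePlugin": False},
    {"metadata": {"name": "privileged"}, "users": ["system:admin"],
     "groups": ["system:cluster-admins", "system:nodes"],
     "allowPrivilegedContainer": True, "allowHostDirVolumePlugin": True,
     "allowedCapabilities": ["*"]},
    {"metadata": {"name": "tigera-example-privileged"},  # placeholder name
     "users": ["system:serviceaccount:tigera-operator:tigera-operator"],
     "groups": ["system:authenticated"],
     "allowPrivilegedContainer": True, "allowHostDirVolumePlugin": True},
]}

# Constructed sample of `oc get pods -A -o json`.
POD_SAMPLE = {"items": [
    {"metadata": {"namespace": "calico-system", "name": "calico-node-x7k2q",
                  "annotations": {"openshift.io/scc": "tigera-example-privileged"}},
     "spec": {"containers": [{"name": "calico-node",
                              "securityContext": {"privileged": True}}],
              "volumes": [{"name": "var-run-calico",
                           "hostPath": {"path": "/var/run/calico"}}]}},
    {"metadata": {"namespace": "dev", "name": "debug-shell",
                  "annotations": {"openshift.io/scc": "tigera-example-privileged"}},
     "spec": {"containers": [{"name": "shell",
                              "securityContext": {"privileged": True}}],
              "volumes": [{"name": "host", "hostPath": {"path": "/"}}]}},
    {"metadata": {"namespace": "dev", "name": "web",
                  "annotations": {"openshift.io/scc": "restricted"}},
     "spec": {"containers": [{"name": "web"}]}},
]}

if __name__ == "__main__":
    for name, broad, grants in risky_sccs(SCC_SAMPLE):
        print(f"SCC {name}: usable by {broad}, grants {grants}")
    for ns, pod, scc, reasons in privileged_pods(POD_SAMPLE, ("calico-system",)):
        print(f"pod {ns}/{pod} (admitted by {scc}): {'; '.join(reasons)}")
```

Run it against real output by loading the two JSON documents with `json.load` and passing them to the functions; after applying the operator patch, `risky_sccs` should report nothing, and any pod still listed by `privileged_pods` outside the Calico and Tigera namespaces deserves an incident-response look, starting with who created it.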
Workaround / Remediation
An operator-based patch has been released. Update to the latest version of the Calico Enterprise operator.
Steps:
- Download the latest operator manifest (adjust the version number if needed): https://docs.tigera.io/v3.8/manifests/ocp/tigera-operator/02-tigera-operator.yaml
- Apply it to the cluster: `oc apply -f 02-tigera-operator.yaml`
Refer to our update guide for Openshift: https://docs.tigera.io/maintenance/openshift-upgrade
Fixed Software
- Calico Enterprise v3.4 and above
- Calico v3.2.4
Acknowledgment
We would like to thank our customers for reporting the issue.