Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-q6hv-wcjr-wp8h: kcp is missing update validation allows arbitrary LogicalCluster status patches through initializingworkspaces Virtual Workspace

Impact

Because UPDATE validation is not being applied, it is possible for an actor with access to an instance of the initializingworkspaces virtual workspace to run arbitrary patches on the status field of LogicalCluster objects while the workspace is initializing.

This allows to add or remove any initializers as well as changing the phase of a LogicalCluster (to “Ready” for example).

As this effectively allows to skip certain initializers or the entire initialization phase, potential integrations with external systems such as billing or security could be affected. Their initializers could be skipped by a WorkspaceType that adds another initializer and grants permissions to the virtual workspace to a rogue or compromised entity.

Who is impacted?

  • Impacts other owners of WorkspaceTypes with initializers that are inherited by other WorkspaceTypes.
  • Impacts developers using the virtual/framework package to create their own virtualworkspaces if they are using UpdateFuncs in their custom storageWrappers.

Details

The issue occurs because the rest.ValidateObjectUpdateFunc is not being called within the DefaultDynamicDelegatedStoreFuncs. As a result, the intended status overwrite protection from initializers never gets called, allowing arbitrary logicalcluster status patches.

Patches

The problem has been patched in #3599 and is available in kcp 0.28.3 and higher.

Workarounds

  • Further limit access to the initialize verb on WorkspaceType objects (see documentation for details).
  • Only use trusted WorkspaceType objects.

References

See the pull request (#3599).

ghsa
Open in Source
#git

Impact

Because UPDATE validation is not being applied, it is possible for an actor with access to an instance of the initializingworkspaces virtual workspace to run arbitrary patches on the status field of LogicalCluster objects while the workspace is initializing.

This allows to add or remove any initializers as well as changing the phase of a LogicalCluster (to “Ready” for example).

As this effectively allows to skip certain initializers or the entire initialization phase, potential integrations with external systems such as billing or security could be affected. Their initializers could be skipped by a WorkspaceType that adds another initializer and grants permissions to the virtual workspace to a rogue or compromised entity.

Who is impacted?

  • Impacts other owners of WorkspaceTypes with initializers that are inherited by other WorkspaceTypes.
  • Impacts developers using the virtual/framework package to create their own virtualworkspaces if they are using UpdateFuncs in their custom storageWrappers.

Details

The issue occurs because the rest.ValidateObjectUpdateFunc is not being called within the DefaultDynamicDelegatedStoreFuncs. As a result, the intended status overwrite protection from initializers never gets called, allowing arbitrary logicalcluster status patches.

Patches

The problem has been patched in #3599 and is available in kcp 0.28.3 and higher.

Workarounds

  • Further limit access to the initialize verb on WorkspaceType objects (see documentation for details).
  • Only use trusted WorkspaceType objects.

References

See the pull request (#3599).

References

  • GHSA-q6hv-wcjr-wp8h
  • kcp-dev/kcp#3599
  • kcp-dev/kcp@02134a2
  • https://github.com/kcp-dev/kcp/releases/tag/v0.28.3

ghsa: Latest News

GHSA-6gvq-jcmp-8959: ALTCHA Proof-of-Work Vulnerable to Challenge Splicing and Replay
ghsa