GHSA-5pmx-7r6r-wfqq: Kgateway transformation policy template can emit files from the container

Summary

The transformation policy template feature in Kgateway versions through 2.0.4 allows users with TrafficPolicy creation permissions to craft transformations that read and expose arbitrary files from the dataplane container filesystem.

Description

Impact

Users with permissions to create a TrafficPolicy can create a transformation that returns files from within the dataplane container. While no secrets are mounted to the container by default, users who mount custom volumes to the dataplane should be aware of potential data exposure through this vulnerability.

This could allow unauthorized access to:

• Configuration files within the container
• Custom mounted volumes and their contents
• Any files accessible to the dataplane container process

Patches

Upgrade to version 2.0.5 or 2.1.0. These versions include an updated transformation filter in envoy-gloo that prevents file access through transformation templates.

Workarounds

If you are not using transformations, you can disallow TrafficPolicy creation or restrict transformation usage using a ValidatingAdmissionPolicy to prevent exploitation while preparing to upgrade.

References

• Fix in 2.1.0: https://github.com/kgateway-dev/kgateway/pull/12528 (envoy-gloo v1.35.2-patch4)
• Backport to 2.0.5: Included in https://github.com/kgateway-dev/kgateway/pull/12535 (envoy-gloo v1.34.6-patch3)
• Envoy-gloo releases: https://github.com/solo-io/envoy-gloo/releases/tag/v1.35.2-patch4
• Envoy-gloo releases: https://github.com/solo-io/envoy-gloo/releases/tag/v1.34.6-patch3

Credits

Kindly reported by @rikatz

For More Information

If you have any questions or comments about this advisory, please reach out in slack https://cloud-native.slack.com/archives/C080D3PJMS4