Description
The Go team has released a fix in Go versions 1.21.11 and 1.22.4 addressing a symlink race condition when using os.RemoveAll. The Kubernetes Security Response Committee received a report that this issue could be abused in Kubernetes to delete arbitrary directories on a Node with root permissions by a local non-root user with the same UID as the user in a Pod.
The Go team has not issued a CVE for this, as it is considered a hardening issue, and the SRC is following that decision as well.
Am I affected?
Kubernetes binaries built with Go versions prior to 1.21.11 or 1.22.4 are affected.
Affected Versions
- <1.30.2
- <1.29.6
- <1.28.11
- <1.27.15
How do I mitigate this issue?
Upgrade to a fixed (or newer) version of Kubernetes.
Fixed Versions
- 1.30.2+
- 1.29.6+
- 1.28.11+
- 1.27.15+
To upgrade, refer to the documentation: https://kubernetes.io/docs/tasks/administer-cluster/cluster-upgrade
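Added example, not part of the advisory: a small Go program that checks a cluster or node against the version boundaries above. It reads the Go toolchain version embedded in a binary via debug/buildinfo (the default kubelet path is an assumption; pass the real path as the first argument) and also exposes a pure check for Kubernetes release strings such as the ones reported by kubelet --version.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strings"
)

// parseVersion reads "go1.21.10", "v1.29.5" or "1.30.2" into major, minor, patch;
// ok is false for anything it cannot parse, which callers treat as "not fixed".
func parseVersion(v string) (major, minor, patch int, ok bool) {
	v = strings.TrimPrefix(strings.TrimPrefix(v, "go"), "v")
	n, err := fmt.Sscanf(v, "%d.%d.%d", &major, &minor, &patch)
	return major, minor, patch, err == nil && n == 3
}

// atLeast reports whether a version meets the fixed patch level for its minor, or
// is a later minor than any in the table (all later minors were cut after the fix).
func atLeast(v string, fixed map[int]int, firstMinor int) bool {
	major, minor, patch, ok := parseVersion(v)
	if !ok || major != 1 || minor < firstMinor {
		return false
	}
	if p, known := fixed[minor]; known {
		return patch >= p
	}
	return true
}
// goVersionFixed: toolchain carries the os.RemoveAll fix (1.21.11+, 1.22.4+, or newer).
func goVersionFixed(goVersion string) bool {
	return atLeast(goVersion, map[int]int{21: 11, 22: 4}, 21)
}
// kubeVersionFixed: release is in the advisory's fixed set (1.27.15+ ... 1.30.2+, or newer).
func kubeVersionFixed(version string) bool {
	return atLeast(version, map[int]int{27: 15, 28: 11, 29: 6, 30: 2}, 27)
}

func main() {
	// The kubelet path is an assumption; pass the real path as the first argument.
	path := "/usr/bin/kubelet"
	if len(os.Args) > 1 {
		path = os.Args[1]
	}
	info, err := buildinfo.ReadFile(path) // Go build info embedded in the binary
	if err != nil {
		fmt.Fprintln(os.Stderr, "cannot read build info:", err)
		os.Exit(2)
	}
	fmt.Printf("%s built with %s (fixed: %v)\n", path, info.GoVersion, goVersionFixed(info.GoVersion))
}
```

Unparseable version strings (for example a devel toolchain) are reported as not fixed on purpose, so the check errs on the side of flagging a node for a closer look.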
Detection
This issue could be detected by looking for unexpected file deletions on a Node.
If you find evidence that this issue has been exploited, please contact [email protected]
Additional Details
- os: RemoveAll susceptible to symlink race golang/go#52745
- os: RemoveAll susceptible to symlink race [1.21 backport] golang/go#67695
- os: RemoveAll susceptible to symlink race [1.22 backport] golang/go#67696
- https://go-review.googlesource.com/c/go/+/588495
- https://go-review.googlesource.com/c/go/+/589057
- https://go-review.googlesource.com/c/go/+/589056
Acknowledgements
This issue was reported by @addisoncrump.
/area security
/kind bug
/committee security-response
/sig node
/area kubelet