CVE-2021-3121

Vulnerability details

A program affected by this vulnerability may crash while processing a maliciously crafted Protobuf message. If the version of Gogo Protobuf you are using is too old, the vulnerability may be present.

Scope

The Kubernetes system components have their own recovery mechanism for crashes and will not interrupt service when they encounter a maliciously submitted Protobuf message, so they are not within the scope of the vulnerability.

Application programs that receive and process Protobuf messages are within the scope of the vulnerability if the component has no recovery mechanism for such a crash; when a malicious message arrives, their service may be interrupted.

The Kubernetes community has tested and verified that the API Server is not affected by this vulnerability, but to eliminate the residual risk of this security vulnerability, the community has upgraded the relevant Protobuf files.

Prevention

If your application code uses automatically generated Protobuf messages and the relevant component exits with the following exception, the vulnerability may be present.

panic: runtime error: index out of range [-9223372036854775804]

goroutine 1 [running]:
v1.(*MessageName).Unmarshal(0xc00006f1e8, 0xc0000281a8, 0xa, 0x10, 0xc00006f1b8, 0x1)
        .../protofile.pb.go:250 +0xb86

If you use a component that handles Protobuf messages, it is recommended that you upgrade the Gogo Protobuf compiler to a fixed version (v1.3.2 or higher) and then regenerate the relevant Protobuf message code with the upgraded compiler.
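As an added example (not code from this page or from the Gogo Protobuf project), the two defences the advisory names, in Go: a recovery wrapper that turns a panic inside a generated Unmarshal into an ordinary error, and the length check that the fixed generator's code performs. The Unmarshaler interface mirrors the method generated message types carry; demoMessage, its one-byte length-prefixed wire format and the crafted input are constructed stand-ins.

```go
package main

import (
	"fmt"
	"runtime"
)

// Unmarshal is the method gogo/protobuf generates on every message type.
type Unmarshaler interface {
	Unmarshal(data []byte) error
}

var ErrInvalidLength = fmt.Errorf("proto: invalid length in message")
// safeUnmarshal turns a runtime panic inside Unmarshal (e.g. index out of range) into an error.
func safeUnmarshal(m Unmarshaler, data []byte) (err error) {
	defer func() {
		if r := recover(); r != nil {
			re, ok := r.(runtime.Error)
			if !ok {
				panic(r) // not a runtime error: let it propagate
			}
			err = fmt.Errorf("proto: unmarshal panicked on malformed input: %w", re)
		}
	}()
	return m.Unmarshal(data)
}

// demoMessage is a constructed stand-in for a generated message: one signed byte
// holding the payload length, then the payload. checkLength selects the hardened decoder.
type demoMessage struct {
	checkLength bool
	Payload     []byte
}

func (m *demoMessage) Unmarshal(data []byte) error {
	if len(data) == 0 {
		return ErrInvalidLength
	}
	n := int(int8(data[0])) // a negative length prefix is the dangerous case
	if m.checkLength && (n < 0 || 1+n > len(data)) {
		return ErrInvalidLength
	}
	m.Payload = data[1 : 1+n] // panics "slice bounds out of range" when n < 0
	return nil
}

func main() {
	crafted := []byte{0xfb, 'a', 'b'} // constructed input: length prefix -5
	fmt.Println(safeUnmarshal(&demoMessage{}, crafted))                  // error, no crash
	fmt.Println(safeUnmarshal(&demoMessage{checkLength: true}, crafted)) // ErrInvalidLength
}
```

Without the wrapper, the unchecked decoder takes the whole process down exactly as in the trace above; with it, the caller gets an error it can log and drop.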

Fixed in official Kubernetes releases

  • v1.21.1
  • v1.20.7
  • v1.19.11
  • v1.18.19

Fixed by KLTS


Last modified March 8, 2022 : mv en to kuberentes/ (95aa90d4)