CVE-2021-3495: 
vulnerability analysis and mitigation

An incorrect access control flaw was discovered in the kiali-operator affecting versions before 1.33.0 and before 1.24.7. The vulnerability, identified as CVE-2021-3495, was disclosed on May 11, 2021. This security issue allows attackers with basic cluster access (ability to deploy a kiali operand) to deploy arbitrary images anywhere in the cluster (NVD, Kiali Security).

The vulnerability stems from improper access control validation in the kiali-operator. It has been assigned a CVSS v3.1 base score of 8.8 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The flaw allows an attacker to bypass namespace restrictions and deploy specified images to any namespace in the cluster, regardless of their actual permissions to those namespaces (NVD, Red Hat Bugzilla).

The vulnerability poses significant risks to data confidentiality, integrity, and system availability. Successful exploitation could allow attackers to gain access to privileged service account tokens and deploy arbitrary images across the cluster, potentially compromising the entire kubernetes environment (NVD).

Organizations should update to Kiali Operator version 1.33.0 or later to address this vulnerability. If immediate updating is not possible, the recommended workaround is to ensure that only trusted individuals have permissions to create or edit Kiali CRs (resources of kind "kiali") (Kiali Security).

The vulnerability was discovered and reported by Vladimir Andryushin from VTB Bank (PJSC). Red Hat has addressed this issue in their OpenShift Service Mesh 2.0 through the security advisory RHSA-2021:1544 (Red Hat Bugzilla).