GHSA-qv98-3369-g364: 
vulnerability analysis and mitigation

A path traversal vulnerability was discovered in KubeVirt versions 0.20.0 through 0.56 (and 0.55.1) that allows users with permissions to configure KubeVirt to read arbitrary files on the host filesystem. The vulnerability affects files that are publicly readable or accessible to UID/GID 107, though /proc/self/<> remains inaccessible. The issue was discovered by Oliver Brooks and James Klopchic of NCC Group, along with Diane Dubois and Roman Mohr of Google, and was assigned CVE-2022-1798 (GitHub Advisory).

The vulnerability stems from improper path validation in multiple VMI spec fields including spec.domain.firmware.kernelBoot.container.kernelPath, spec.domain.firmware.kernelBoot.container.initrdPath, and spec.volumes[*].containerDisk.path. These fields allowed relative paths to be mounted into the virt-launcher pod. The vulnerability could be exploited through three main vectors: using relative paths in VMI specs, placing malicious links in containerDisk, or leveraging PVC hotplugging. The CVSS v3.1 base score is 6.5 (MEDIUM) according to NVD, while Google Inc. assessed it at 8.7 (HIGH) (NVD).

Users with VMI creation permissions can construct VMI specifications that enable reading arbitrary files on the host system. This includes any publicly readable files or those accessible to UID/GID 107. The vulnerability allows attackers to access sensitive system files, as demonstrated by the ability to read /etc/passwd (GitHub Advisory).

The vulnerability has been patched in KubeVirt version 0.55.1. For systems that cannot immediately update, several workarounds are available: disable the HotplugVolumes feature-gate, use a policy controller to prevent containerDisk addition and spec.domain.firmware.kernelBoot usage on VirtualMachineInstances, and enable SELinux (though this doesn't provide 100% protection). ContainerDisk support cannot be disabled (GitHub Advisory).