Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWg3NDYtcm01cS04bWdx
Legacy Node API Allows Impersonation in github.com/spiffe/spire/pkg/server/endpoints/node
Summary
In SPIRE 0.8.1 through 0.8.4 and before versions 0.9.4, 0.10.2, 0.11.3 and 0.12.1, specially crafted requests to the FetchX509SVID RPC of SPIRE Server’s Legacy Node API (github.com/spiffe/spire/pkg/server/endpoints/node) can result in the possible issuance of an X.509 certificate with a URI SAN for a SPIFFE ID that the agent is not authorized to distribute. Proper controls are in place to require that the caller presents a valid agent certificate that is already authorized to issue at least one SPIFFE ID, and the requested SPIFFE ID belongs to the same trust domain, prior to being able to trigger this vulnerability. This issue has been fixed in SPIRE versions 0.8.5, 0.9.4, 0.10.2, 0.11.3 and 0.12.1.
What are the changes introduced by the patched versions?
The changes introduced to address this issue are related to enforcing that the FetchX509SVID RPC of SPIRE Server’s Legacy Node API only issues X.509 certificates with SPIFFE IDs that the agent is authorized to distribute.
The patched version also includes a back-ported change that improves the handling of file descriptors related to workload attestation in SPIRE Agent.
There are no changes in the expected behavior of SPIRE.
Should I upgrade SPIRE?
All SPIRE users running affected versions are advised to upgrade to the corresponding patched version.
Workarounds
No workarounds have been identified for this vulnerability.
Permalink: https://github.com/advisories/GHSA-h746-rm5q-8mgqJSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWg3NDYtcm01cS04bWdx
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 3 years ago
Updated: 7 months ago
CVSS Score: 8.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Identifiers: GHSA-h746-rm5q-8mgq, CVE-2021-27098
References:
- https://github.com/spiffe/spire/security/advisories/GHSA-h746-rm5q-8mgq
- https://nvd.nist.gov/vuln/detail/CVE-2021-27098
- https://github.com/spiffe/spire/commit/3c5115b57afc20a0a2c2b1b9dd60dd1fd9082e13
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27098
- https://github.com/advisories/GHSA-h746-rm5q-8mgq
Blast Radius: 13.0
Affected Packages
go:github.com/spiffe/spire
Dependent packages: 29Dependent repositories: 40
Downloads:
Affected Version Ranges: >= 0.12.0, < 0.12.1, >= 0.11.0, < 0.11.3, >= 0.10.0, < 0.10.2, >= 0.9.0, < 0.9.4, >= 0.8.1, < 0.8.5
Fixed in: 0.12.1, 0.11.3, 0.10.2, 0.9.4, 0.8.5
All affected versions: 0.9.2, 0.9.3, 0.10.0, 0.10.1, 0.11.0, 0.11.1, 0.11.2, 0.12.0
All unaffected versions: 0.9.4, 0.10.2, 0.11.3, 0.12.1, 0.12.2, 0.12.3, 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.4.5, 1.4.6, 1.4.7, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.5.5, 1.5.6, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.6.4, 1.6.5, 1.7.0, 1.7.1, 1.7.2, 1.7.3, 1.7.4, 1.7.5, 1.7.6, 1.8.0, 1.8.1, 1.8.2, 1.8.3, 1.8.4, 1.8.5, 1.8.6, 1.8.7, 1.8.8, 1.8.9, 1.8.10, 1.9.0, 1.9.1, 1.9.2, 1.9.3, 1.9.4