We have been working with the team over at the Flux project on a security review and improving their tooling. The Cloud Native Computing Foundation contacted us a few months ago and wanted to facilitate both improving the testing infrastructure and manually reviewing Flux’s source code. We selected ADA Logics to do both the fuzzing integration work and the security review.

We are happy to report that our project has completed and Flux has its first CVE as a result! The bug allows an authenticated user with some specific permissions to escalate their privileges all the way to Kubernetes cluster admin by injecting malicious shell scripts as Kubernetes Secrets in kustomize-controller. This issue impacts multiple large cloud vendors, who have been notified to update. Flux version 1.18 and above contain the fix.

CVE-2021-41254: Privilege escalation to cluster admin on multi-tenant Flux

ADA Logics and the Flux team were excellent to work with! Our collaborative work has led to multiple fixes, improved overall testing with continuous fuzzing by way of OSS-Fuzz, and the comprehensive report below. The Flux team also created a public, easy-to-track dashboard showing all of the work we’ve done together; it is a fantastic example of good issue tracking and remediation.

A special thank you to the Cloud Native Computing Foundation for sponsoring this work and improving the security of Flux for everyone!

Click here for the full report (PDF)

More information:
https://www.cncf.io/blog/2021/11/11/flux-security-audit-has-concluded/
https://fluxcd.io/blog/2021-11-10-flux-security-audit/
https://fluxcd.io/security/
https://github.com/cncf/toc/blob/main/docs/projects.md
https://adalogics.com/blog/fluxcd-security-audit