Keptn v1 reached EOL December 22, 2023. For more information see https://bit.ly/keptn

Keptn-Vulnerability-2022-001

Version 1.0

Revision Information

Revision   Updated          Reason
1.0        March 16, 2022   Initial Reason

Affected

Keptn webhook-service in version 0.10.0 and newer.

Description

Keptn webhook-service in version 0.10.0 and newer allows direct access to the Kubernetes APIs. Furthermore, Kubernetes tokens, such as the service account token, could be leaked. The leaked tokens could be used to read, write, or delete the secrets created and managed by Keptn. This includes all secrets created via:

  • the secret management page;
  • the CLI with keptn create secret;
  • the APIs under /api/secrets/v1.

The tokens that could be leaked do not compromise the Keptn configuration. Access to the Git tokens for configured upstreams is not compromised.

The bug is fixed in Keptn versions 0.12.4 and 0.13.3 and newer (Release 0.12.4 and Release 0.13.3).

Severity

The severities of the two webhook-service vulnerabilities are:

Token leak: CVSS v3.0 base score 4.5, vector CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Kubernetes API access: CVSS v3.0 base score 8.3, vector CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L

Note: The calculation of the CVSS is based on a Keptn 0.13.2 installation.

Recommendations

The releases of webhook-service in versions 0.12.4 and 0.13.3 (and following versions) contain fixes for the aforementioned issues. We recommend upgrading to one of these versions as soon as possible. Furthermore, we recommend rotating all credentials stored as Keptn secrets. We also recommend investigating downstream services.
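As an added example (not part of this advisory or of the Keptn project), the following Python check maps webhook-service image tags from a cluster inventory onto the affected and fixed version ranges stated above, so an operator can confirm which deployments still need the upgrade. The image references are constructed sample data; the kubectl command mentioned in the comment is an assumption about how such a list would be gathered.

```python
"""Classify Keptn webhook-service versions against the ranges in this advisory:
affected from 0.10.0, fixed in 0.12.4 and 0.13.3 (and later branches)."""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

AFFECTED_FROM: Version = (0, 10, 0)
# First release of each affected minor branch that carries the fix.
# Branches after 0.13 are treated as fixed ("and following versions").
FIXED_IN: Dict[int, Version] = {12: (0, 12, 4), 13: (0, 13, 3)}

# Constructed sample, shaped like the output one might collect with
# e.g. `kubectl get deploy -A -o jsonpath='{..image}'` (assumed command).
SAMPLE_IMAGES = """keptn/webhook-service:0.13.2
keptn/webhook-service:0.12.4
ghcr.io/keptn/webhook-service:0.11.4
keptn/webhook-service:latest
keptn/api:0.13.2
"""


def parse_version(image_ref: str) -> Optional[Version]:
    """Extract (major, minor, patch) from a tag like ':0.13.2' or ':v0.12.1';
    return None when the tag is not a release version (e.g. 'latest')."""
    m = re.search(r"v?(\d+)\.(\d+)\.(\d+)$", image_ref)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None


def is_vulnerable(version: Version) -> bool:
    """True if the version falls inside an affected, unfixed range."""
    if version < AFFECTED_FROM:
        return False  # advisory lists 0.10.0 as the first affected release
    major, minor, _ = version
    if major > 0 or minor > 13:
        return False  # later branches ship with the fix
    fixed = FIXED_IN.get(minor)
    return fixed is None or version < fixed  # 0.10.x / 0.11.x have no fixed patch


def audit_images(image_list: str) -> Dict[str, str]:
    """Label each webhook-service image as 'vulnerable', 'fixed' or 'unknown'."""
    result: Dict[str, str] = {}
    for ref in image_list.split():
        if "webhook-service" not in ref:
            continue  # other Keptn services are out of scope here
        version = parse_version(ref)
        if version is None:
            result[ref] = "unknown"  # mutable tag: inspect the running image
        else:
            result[ref] = "vulnerable" if is_vulnerable(version) else "fixed"
    return result
```

Images labelled "unknown" carry a mutable tag and should be resolved to their actual version before deciding whether the upgrade and credential rotation are still outstanding.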

Workaround

  • Disable the webhook-service.