Flux controllers within the affected versions range are vulnerable to a denial of service attack. Users that have permissions to change Flux’s objects, either through a Flux source or directly within a cluster, can provide invalid data to fields .spec.interval
or .spec.timeout
(and structured variations of these fields), causing the entire object type to stop being processed.
The issue has two root causes: a) the Kubernetes type metav1.Duration
not being fully compatible with the Go type time.Duration
as explained on upstream report; b) lack of validation within Flux to restrict allowed values.
Workarounds
Admission controllers can be employed to restrict the values that can be used for fields .spec.interval
and .spec.timeout
, however upgrading to the latest versions is still the recommended mitigation.
Credits
This issue was reported by Alexander Block (@codablock) through the Flux security mailing list (as recommended).
For more information
If you have any questions or comments about this advisory:
- Open an issue in any of the affected repositories.
- Contact us at the CNCF Flux channel.
References
Flux controllers within the affected versions range are vulnerable to a denial of service attack. Users that have permissions to change Flux’s objects, either through a Flux source or directly within a cluster, can provide invalid data to fields
.spec.interval
or.spec.timeout
(and structured variations of these fields), causing the entire object type to stop being processed.The issue has two root causes: a) the Kubernetes type
metav1.Duration
not being fully compatible with the Go typetime.Duration
as explained on upstream report; b) lack of validation within Flux to restrict allowed values.Workarounds
Admission controllers can be employed to restrict the values that can be used for fields
.spec.interval
and.spec.timeout
, however upgrading to the latest versions is still the recommended mitigation.Credits
This issue was reported by Alexander Block (@codablock) through the Flux security mailing list (as recommended).
For more information
If you have any questions or comments about this advisory:
References