Fission is an open-source, Kubernetes-native serverless framework that simplifies the deployment of functions and applications on Kubernetes. Prior to version 1.24.0, a tenant with environments.fission.io create/update RBAC can run privileged / allowPrivilegeEscalation / dangerous-capability containers in the Fission function or builder namespace, scheduled under the executor's high-privilege service account — enabling container-sandbox escape, host filesystem and network access, and potential node- and cluster-level compromise. This issue has been patched in version 1.24.0.
An attacker with RBAC permissions to the environments.fission.io resource (create/update) can create or modify environments in such a way as to run containers with privileged flags or allowPrivilegeEscalation or with dangerous system capabilities. These containers are scheduled under the context of the executor service account, which has high privileges in the cluster. This allows the attacker to escape the container sandbox and gain access to the host file system and host network.
An attacker can gain access to the host file system and network, and then take control of a Kubernetes node or entire cluster (container-sandbox escape, node- and cluster-level compromise).
Fission should be updated to version 1.24.0, in which the issue has been fixed (https://github.com/fission/fission/releases/tag/v1.24.0). Additionally, it is recommended to review the granted RBAC permissions for the environments.fission.io resource and restrict them to trusted users.
Fission in versions prior to 1.24.0
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H