This issue is already fixed in the AKS RP 0411 release; I think we could close it now.
BTW, it only affects the Azure File CSI driver on AKS 1.29 before the 0411 release.
Hello Kubernetes Community,
A security issue was discovered in azure-file-csi-driver where an actor with access to the driver logs could observe service account tokens. These tokens could then potentially be exchanged with external cloud providers to access cloud resources. Tokens are only logged when TokenRequests is configured in the CSIDriver object and the driver is set to run at log level 2 or greater via the -v flag.
This issue has been rated MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N (6.5), and assigned CVE-2024-3744.
Am I vulnerable?
You may be vulnerable if TokenRequests is configured in the CSIDriver object and the driver is set to run at log level 2 or greater via the -v flag and you are using workload identity federation.
To check if token requests are configured, run the following command:
kubectl get csidriver file.csi.azure.com -o jsonpath="{.spec.tokenRequests}"
To check if tokens are being logged, examine the secrets-store container log:
kubectl logs csi-azurefile-controller-56bfddd689-dh5tk -c azurefile -f | grep --line-buffered "csi.storage.k8s.io/serviceAccount.tokens"
Affected Versions
azure-file-csi-driver <= v1.29.3
azure-file-csi-driver v1.30.0
How do I mitigate this vulnerability?
Prior to upgrading, this vulnerability can be mitigated by running azure-file-csi-driver at log level 0 or 1 via the -v flag.
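The three conditions above (tokenRequests configured, driver verbosity of 2 or more, an affected driver version) and the log check are easy to get wrong by eye across many clusters, so here is an offline checker that encodes them. This is an added example, not code from the advisory or from the azure-file-csi-driver project; it operates on inputs you would normally obtain with the kubectl commands shown above (the CSIDriver object as JSON, the driver container's args, the driver log), and every sample value below is constructed. It also scans log lines for the serviceAccount.tokens key and redacts anything JWT-shaped before returning the hit, so the check itself does not re-expose a token.

```python
"""Offline checker for the CVE-2024-3744 exposure conditions.

Added example, not code from the advisory or the azure-file-csi-driver project.
Inputs mimic what `kubectl get csidriver ... -o json`, the controller pod's
container args, and `kubectl logs ... -c azurefile` would return; all sample
data below is constructed.
"""
import re
from typing import Iterable

TOKEN_KEY = "csi.storage.k8s.io/serviceAccount.tokens"
# JWT-shaped strings: three base64url segments separated by dots.
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")


def parse_version(v: str) -> tuple:
    """'v1.29.3' -> (1, 29, 3); tolerates a missing 'v' prefix."""
    return tuple(int(p) for p in v.lstrip("v").split("."))


def is_affected_version(v: str) -> bool:
    """Affected per the advisory: <= v1.29.3, or exactly v1.30.0."""
    ver = parse_version(v)
    return ver <= (1, 29, 3) or ver == (1, 30, 0)


def log_level(args: Iterable[str]) -> int:
    """Return the klog verbosity from container args (-v=2, --v=2, -v 2); default 0."""
    args = list(args)
    level = 0
    for i, a in enumerate(args):
        m = re.fullmatch(r"--?v(?:=(\d+))?", a)
        if not m:
            continue
        if m.group(1) is not None:
            level = int(m.group(1))
        elif i + 1 < len(args) and args[i + 1].isdigit():
            level = int(args[i + 1])
    return level


def assess(csidriver: dict, container_args: list, driver_version: str) -> dict:
    """Evaluate the three advisory conditions; 'exposed' is True only when all hold."""
    token_requests = bool(csidriver.get("spec", {}).get("tokenRequests"))
    level = log_level(container_args)
    affected = is_affected_version(driver_version)
    return {
        "token_requests_configured": token_requests,
        "log_level": level,
        "affected_version": affected,
        "exposed": token_requests and level >= 2 and affected,
    }


def find_token_log_lines(lines: Iterable[str]) -> list:
    """Return (line_number, redacted_line) for log lines carrying the tokens key."""
    hits = []
    for n, line in enumerate(lines, start=1):
        if TOKEN_KEY in line:
            hits.append((n, JWT_RE.sub("<REDACTED-JWT>", line)))
    return hits


# Constructed sample inputs (shapes mimic kubectl -o json output and klog lines).
SAMPLE_CSIDRIVER = {
    "apiVersion": "storage.k8s.io/v1",
    "kind": "CSIDriver",
    "metadata": {"name": "file.csi.azure.com"},
    "spec": {"tokenRequests": [{"audience": "api://AzureADTokenExchange"}]},
}
SAMPLE_ARGS = ["--endpoint=$(CSI_ENDPOINT)", "-v=5", "--nodeid=$(KUBE_NODE_NAME)"]
SAMPLE_LOGS = [
    "I0101 00:00:00.000000 1 utils.go:10] GRPC call: /csi.v1.Controller/ControllerPublishVolume",
    'I0101 00:00:00.000001 1 utils.go:11] GRPC request: {"volume_context":{"'
    + TOKEN_KEY
    + '":"{\\"api://AzureADTokenExchange\\":{\\"token\\":\\"'
    + 'eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJzYW1wbGUifQ.c2lnbmF0dXJl\\"}}"}}',
    "I0101 00:00:00.000002 1 utils.go:12] GRPC response: {}",
]

if __name__ == "__main__":
    print(assess(SAMPLE_CSIDRIVER, SAMPLE_ARGS, "v1.29.3"))
    for n, line in find_token_log_lines(SAMPLE_LOGS):
        print(f"line {n}: {line}")
```

Running `assess` with `-v=1` in the args, or with an empty `tokenRequests`, flips `exposed` to False, which is exactly the pre-upgrade mitigation the advisory describes; the version check encodes the two affected ranges listed above and nothing else.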
AKS Fixed Versions
Upgrade your cluster to v1.28.5 and above to get azure-file-csi-driver v1.29.4 or greater.