CVE-2021-36780: Unauthorized data access from replicas through vulnerable instance manager pods #3420
Labels: area/security (System or volume data access security), backport/1.1.3 (Require to backport to 1.1.3 release branch), kind/bug
The Longhorn instance manager pods are responsible for volume replica management and access. The vulnerability found is that it is possible to connect to a longhorn-engine replica instance running in the instance-manager replica pod. The longhorn-engine replica can handle multiple TCP connections. Each connection is able to read and write data on the replica. It may allow other pods in the cluster to read and write data to and from a replica that the malicious pod doesn't have access to.
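An added example, not part of the original issue and not Longhorn's own code: a check over `ss -Htn state established` output taken inside a replica instance-manager pod that lists peers connected to replica ports which are not known engine endpoints. The sample output, the port numbers and the pod IPs are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample: output of `ss -Htn state established` captured inside a
# replica instance-manager pod (Recv-Q, Send-Q, local addr:port, peer addr:port).
SAMPLE_SS = """\
0 0 10.42.1.15:10000 10.42.1.14:40112
0 0 10.42.1.15:10000 10.42.3.77:51820
0 0 10.42.1.15:10015 10.42.2.9:38844
0 0 10.42.1.15:8500 10.42.0.5:33010
0 0 [fd00::15]:10015 [fd00::beef]:44100
"""

def split_endpoint(endpoint):
    """Split 'addr:port' or '[v6addr]:port' into (addr, port)."""
    addr, _, port = endpoint.rpartition(":")
    return addr.strip("[]"), int(port)

def unexpected_replica_peers(ss_output, replica_ports, allowed_peers):
    """Return {replica_port: sorted peer IPs that are not in allowed_peers}."""
    findings = defaultdict(set)
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # blank or truncated line
        try:
            _, local_port = split_endpoint(fields[2])
            peer_addr, _ = split_endpoint(fields[3])
        except ValueError:
            continue  # endpoint without a numeric port
        if local_port in replica_ports and peer_addr not in allowed_peers:
            findings[local_port].add(peer_addr)
    return {port: sorted(peers) for port, peers in findings.items()}

if __name__ == "__main__":
    # Assumed values: ports the replica processes listen on, and the pod IPs of
    # the engine instance managers that legitimately attach to them.
    REPLICA_PORTS = {10000, 10015}
    ENGINE_PODS = {"10.42.1.14", "10.42.2.9"}
    hits = unexpected_replica_peers(SAMPLE_SS, REPLICA_PORTS, ENGINE_PODS)
    for port, peers in hits.items():
        print(f"replica port {port}: unexpected peers {peers}")
```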