Compliance Impact

This vulnerability allows an attacker with limited permissions to read packages, which may contain source code and embedded credentials, from other namespaces. Such unauthorized access to sensitive information can lead to confidentiality breaches.

Exposure of sensitive data like embedded credentials could impact compliance with regulations such as GDPR and HIPAA, which require strict controls on access to personal and sensitive information to protect confidentiality and privacy.

By enabling cross-namespace reads without proper validation, the vulnerability undermines namespace isolation, increasing the risk of data leakage and non-compliance with security standards that mandate data segregation and access controls.

Useful 0 Not Useful 0

Executive Summary

This vulnerability exists in Fission versions 1.23.0 and earlier, where the Function specification allowed a Package reference (PackageRef) to point to any namespace without validation. Specifically, the admission webhook did not verify that the PackageRef.Namespace matched the function's namespace, unlike Secret and ConfigMap references which were validated.

An attacker with permission to create functions in their own namespace could exploit this by setting the PackageRef.Namespace to a different namespace. This caused the fetcher sidecar to read packages from the victim's namespace using the fission-fetcher service account, which has namespace-wide permissions to get packages.

As a result, the attacker could access the victim's source code and embedded credentials, leading to a confidentiality breach. This issue was fixed in version 1.24.0 by adding namespace validation to ensure PackageRef.Namespace matches the function's namespace.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive information. An attacker able to create functions in their namespace could read source code and embedded credentials from other namespaces, potentially exposing proprietary code, secrets, or credentials.

Such exposure can compromise the confidentiality of your applications and data, possibly enabling further attacks or unauthorized access to systems.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves unvalidated PackageRef.Namespace fields in Fission Function specs prior to version 1.24.0, allowing cross-namespace Package reads. Detection involves inspecting Function resources for PackageRef.Namespace values that do not match the Function's namespace.

You can detect potential exploitation by querying Kubernetes for Fission Functions where the PackageRef.Namespace differs from the Function's namespace.

• kubectl get functions --all-namespaces -o json | jq '.items[] | select(.spec.packageRef.namespace != .metadata.namespace) | {function: .metadata.name, functionNamespace: .metadata.namespace, packageNamespace: .spec.packageRef.namespace}'

Additionally, monitoring network traffic for unexpected calls from fission-fetcher sidecars accessing Packages in other namespaces may help detect exploitation attempts.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to upgrade Fission to version 1.24.0 or later, where the admission webhook validates that PackageRef.Namespace matches the Function's namespace, preventing cross-namespace Package reads.

Until the upgrade can be performed, restrict permissions to create or modify Functions to trusted users only, minimizing the risk of malicious PackageRef.Namespace manipulation.

Review and tighten RBAC permissions for the fission-fetcher service account to limit its ability to access Packages across namespaces.

Useful 0 Not Useful 0