Compliance Impact

The vulnerability allows an authenticated Kubernetes user with local access to perform unauthorized read or write operations outside the intended safe directory by exploiting a path traversal flaw. This could lead to unauthorized access or modification of sensitive data.

Such unauthorized access or data manipulation could potentially impact compliance with data protection standards and regulations like GDPR or HIPAA, which require strict controls over data confidentiality and integrity.

However, the vulnerability is rated as low severity (CVSS 3.6) with low confidentiality and integrity impacts, and requires local access with high attack complexity and low privileges.

Useful 0 Not Useful 0

Executive Summary

The vulnerability in Fission involves the SanitizeFilePath function, which was intended to ensure that file paths stayed within a designated safe directory. However, it used a lexical check with strings.HasPrefix that did not enforce directory boundary checks. This meant that paths starting with the safe directory string but actually pointing outside it (e.g., sibling directories with similar names) could bypass validation.

An attacker with the ability to pre-create or control a sibling directory under the shared volume used by the fetcher or builder components could exploit this flaw to read or write files outside the intended safe directory. This could lead to unauthorized access or modification of files.

The issue was fixed in version 1.25.0 by replacing SanitizeFilePath with new helper functions that enforce directory confinement at the kernel level, preventing path traversal attacks.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow an authenticated Kubernetes user with local access to the system to perform unauthorized read or write operations outside the intended safe directory used by Fission's fetcher and builder components.

Such unauthorized access could lead to low-level confidentiality and integrity impacts, such as exposure or modification of files that should be protected.

However, the overall severity is rated as low (CVSS 3.6), requiring high attack complexity and low privileges, with no user interaction needed.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves improper path validation in the Fission serverless framework prior to version 1.25.0, specifically in the SanitizeFilePath function which allowed path traversal by accepting sibling directories starting with the safe directory string.

Detection would involve checking if your Fission deployment is running a vulnerable version (before 1.25.0) and if any unauthorized directory creations or file accesses outside intended safe directories have occurred.

Since the vulnerability is local and requires control over sibling directories in shared volumes, you can inspect the filesystem for suspicious directories that start with safe directory names but are actually siblings (e.g., directories like /packages-extra when /packages is the safe directory).

Suggested commands to detect potential exploitation or presence of suspicious directories include:

• List directories in the shared volume to find suspicious sibling directories: `ls -l /path/to/shared/volume`
• Find directories whose names start with the safe directory prefix but are siblings: `find /path/to/shared/volume -maxdepth 1 -type d -name 'packages*'`
• Check Fission version to confirm if it is vulnerable: `fission --version` or check deployment manifests for image tags before v1.25.0

No specific network detection commands or signatures are provided in the resources, as the vulnerability is related to local filesystem path validation and requires local access.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to upgrade Fission to version 1.25.0 or later, where the vulnerability has been patched by replacing the vulnerable SanitizeFilePath function with new kernel-enforced path confinement helpers such as RootJoin, RootStat, RootWriteFile, and others.

These changes enforce proper directory boundaries at the kernel level, preventing path traversal and unauthorized file access outside intended directories.

Additionally, review and restrict permissions on shared volumes used by the fetcher and builder components to prevent tenants from pre-creating or controlling sibling directories that could be exploited.

If upgrading immediately is not possible, consider implementing strict access controls and monitoring for suspicious directory creations as a temporary mitigation.

Useful 0 Not Useful 0