Vela is a widely used Pipeline Automation (CI/CD) framework designed with container technology in mind, specifically focusing on Linux containers and written in the Golang programming language. However, recent vulnerability reports revealed that Vela Server and Vela Worker prior to version .16., as well as Vela UI prior to version .17., come with some default configurations that can be exploited by malicious actors, which may lead to container breakouts. The following article will provide an overview of the vulnerability, along with information about how to resolve the issue and workarounds that can be applied in the meantime.

1. Vela GitHub Repository
2. Vela Server
3. Vela Worker
4. Vela UI

Exploit Details

In Vela Server and Vela Worker versions earlier than .16., and Vela UI versions before .17., certain default configurations leave the system prone to container breakouts. If an attacker exploits these defaults, the result can be a compromised system.

What needs to be done?

Upon detection of these vulnerabilities, the Vela developers released updates addressing the security concerns. Users of the affected software should upgrade Vela Server and Vela Worker to version .16. and Vela UI to version .17., which protects the system from the discovered exploits.

Post-upgrade steps for administrators

After upgrading your Vela components, administrators need to make specific changes to the default settings in order to safeguard the system from any potential risks. Some of these modifications might disrupt existing workflows, and Vela administrators must be prepared to make adjustments to those workflows.

Workarounds

If upgrading is not possible at the moment, a few workarounds are available to help mitigate the risks associated with CVE-2022-39395. Here's what Vela administrators can do:

1. Adjust the worker's VELA_RUNTIME_PRIVILEGED_IMAGES setting to be explicitly empty. This can be done in the Vela worker's configuration file as shown below:

runtime:
  privileged_images: []

2. Use the VELA_REPO_ALLOWLIST setting on the server component to restrict the repositories that can be enabled to an explicit list. This prevents repositories outside the list from being enabled.

repo:
  allowlist:
  - '<organization>/<repository_1>'
  - '<organization>/<repository_2>'

3. Vela administrators should also perform a thorough audit of all enabled repositories, and disable the pull_requests option where necessary. This will reduce the risk exposure further.
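The three workarounds above are settings an administrator has to verify rather than code, so an audit script is the natural companion. The following Python helper is an added example and is not part of the Vela project: it takes configuration that has already been loaded (the worker and server YAML fragments shown above, or the equivalent VELA_* environment variables) plus a list of repository records, and reports which of the three workarounds are not in place. The comma-separated format assumed for the environment variables and the fields of the repository records (full_name, active, pull_requests) are assumptions made for illustration; the sample data at the bottom is constructed.

```python
"""Audit helper for the CVE-2022-39395 workarounds listed above.

Added example; this is not code from the Vela project. It checks already-loaded
configuration (the worker/server YAML layout from the article, or the VELA_*
environment variables) against the three workarounds and returns findings.
The comma-separated environment variable format and the repository record
fields (full_name, active, pull_requests) are assumptions for illustration.
"""
import os
from typing import Dict, List, Tuple


def env_list(name: str) -> List[str]:
    """Read a comma-separated list from an environment variable (assumed format)."""
    raw = os.environ.get(name, "")
    return [item.strip() for item in raw.split(",") if item.strip()]


def configs_from_env() -> Tuple[Dict, Dict]:
    """Build worker/server dicts in the YAML layout from VELA_* variables.

    An absent variable is left unset so the audit can tell 'never configured'
    apart from 'explicitly empty'.
    """
    worker: Dict = {"runtime": {}}
    server: Dict = {"repo": {}}
    if "VELA_RUNTIME_PRIVILEGED_IMAGES" in os.environ:
        worker["runtime"]["privileged_images"] = env_list("VELA_RUNTIME_PRIVILEGED_IMAGES")
    if "VELA_REPO_ALLOWLIST" in os.environ:
        server["repo"]["allowlist"] = env_list("VELA_REPO_ALLOWLIST")
    return worker, server


def audit_worker(worker_cfg: Dict) -> List[str]:
    """Workaround 1: runtime.privileged_images must be explicitly empty."""
    images = worker_cfg.get("runtime", {}).get("privileged_images")
    if images is None:
        return ["worker: runtime.privileged_images is not set; set it to [] explicitly"]
    if images:
        return ["worker: runtime.privileged_images still allows: " + ", ".join(sorted(images))]
    return []


def audit_server(server_cfg: Dict) -> List[str]:
    """Workaround 2: repo.allowlist must name the repositories allowed to be enabled."""
    allowlist = server_cfg.get("repo", {}).get("allowlist") or []
    if not allowlist:
        return ["server: repo.allowlist is empty; any repository can be enabled"]
    return []


def audit_repos(repos: List[Dict], allowlist: List[str]) -> List[str]:
    """Workaround 3: review enabled repositories and their pull_requests option."""
    findings = []
    for repo in repos:
        if not repo.get("active"):
            continue  # a disabled repository runs no builds
        name = repo["full_name"]
        if allowlist and name not in allowlist:
            findings.append(f"repo {name}: enabled but not in repo.allowlist")
        if repo.get("pull_requests"):
            findings.append(f"repo {name}: pull_requests is enabled; disable unless required")
    return findings


def audit(worker_cfg: Dict, server_cfg: Dict, repos: List[Dict]) -> List[str]:
    """Run all three checks; an empty list means every workaround is in place."""
    allowlist = server_cfg.get("repo", {}).get("allowlist") or []
    return audit_worker(worker_cfg) + audit_server(server_cfg) + audit_repos(repos, allowlist)


# Constructed sample input (not a real deployment): a worker that still trusts
# one privileged image, a server with an allowlist, and three repository records.
SAMPLE_WORKER = {"runtime": {"privileged_images": ["registry.example/privileged-builder"]}}
SAMPLE_SERVER = {"repo": {"allowlist": ["example-org/app"]}}
SAMPLE_REPOS = [
    {"full_name": "example-org/app", "active": True, "pull_requests": False},
    {"full_name": "example-org/legacy-tools", "active": True, "pull_requests": True},
    {"full_name": "example-org/archived", "active": False, "pull_requests": True},
]

if __name__ == "__main__":
    for line in audit(SAMPLE_WORKER, SAMPLE_SERVER, SAMPLE_REPOS):
        print(line)
```

Run against the sample data, the script reports three findings: the worker still trusts a privileged image, and the enabled legacy-tools repository is both outside the allowlist and has pull_requests turned on. A setting that was never configured is reported separately from one set to an empty list, since the first workaround specifically asks for an explicit empty value.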

In conclusion, CVE-2022-39395 affects Vela Server and Vela Worker releases prior to .16. and Vela UI releases prior to .17., so users are encouraged to upgrade their installations and apply the necessary changes to their configurations. Where an immediate upgrade is not possible, administrators should implement the workarounds outlined above to protect their system from exploitation and potential container breakouts.

Timeline

Published on: 11/10/2022 18:15:00 UTC
Last modified on: 11/17/2022 16:45:00 UTC