CVE-2021-27098
First published: Fri Mar 05 2021(Updated: )
#### Summary In SPIRE 0.8.1 through 0.8.4 and before versions 0.9.4, 0.10.2, 0.11.3 and 0.12.1, specially crafted requests to the FetchX509SVID RPC of SPIRE Server’s Legacy Node API (github.com/spiffe/spire/pkg/server/endpoints/node) can result in the possible issuance of an X.509 certificate with a URI SAN for a SPIFFE ID that the agent is not authorized to distribute. Proper controls are in place to require that the caller presents a valid agent certificate that is already authorized to issue at least one SPIFFE ID, and the requested SPIFFE ID belongs to the same trust domain, prior to being able to trigger this vulnerability. This issue has been fixed in SPIRE versions 0.8.5, 0.9.4, 0.10.2, 0.11.3 and 0.12.1. #### What are the changes introduced by the patched versions? The changes introduced to address this issue are related to enforcing that the FetchX509SVID RPC of SPIRE Server’s Legacy Node API only issues X.509 certificates with SPIFFE IDs that the agent is authorized to distribute. The patched version also includes a back-ported change that improves the handling of file descriptors related to workload attestation in SPIRE Agent. There are no changes in the expected behavior of SPIRE. #### Should I upgrade SPIRE? All SPIRE users running affected versions are advised to upgrade to the corresponding patched version. #### Workarounds No workarounds have been identified for this vulnerability.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Cncf Spire | >=0.8.1<=0.8.4 | |
| Cncf Spire | >=0.9.0<0.9.4 | |
| Cncf Spire | >=0.10.0<0.10.2 | |
| Cncf Spire | >=0.11.0<0.11.3 | |
| Cncf Spire | >=0.12.0<0.12.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/spiffe/spire/security/advisories/GHSA-h746-rm5q-8mgq
- https://nvd.nist.gov/vuln/detail/CVE-2021-27098
- https://github.com/spiffe/spire/commit/3c5115b57afc20a0a2c2b1b9dd60dd1fd9082e13
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27098
- https://github.com/advisories/GHSA-h746-rm5q-8mgq (Advisory)
Frequently Asked Questions
What is CVE-2021-27098?
CVE-2021-27098 is a vulnerability in SPIRE versions 0.8.1 through 0.8.4 and before versions 0.9.4, 0.10.2, 0.11.3, and 0.12.1 that can result in the possible issuance of an X.509 certificate with a maliciously crafted Common Name or Subject Alternative Name.
What is the severity of CVE-2021-27098?
CVE-2021-27098 has a severity score of 8.1 (high).
How does CVE-2021-27098 affect SPIRE?
CVE-2021-27098 affects SPIRE versions 0.8.1 through 0.8.4 and versions 0.9.4, 0.10.2, 0.11.3, and 0.12.1. It allows specially crafted requests to the FetchX509SVID RPC of SPIRE Server's Legacy Node API to potentially issue an X.509 certificate with a maliciously crafted Common Name or Subject Alternative Name.
How can I fix CVE-2021-27098?
To fix CVE-2021-27098, update SPIRE to versions 0.8.5, 0.9.4, 0.10.2, 0.11.3, or 0.12.1.
Where can I find more information about CVE-2021-27098?
You can find more information about CVE-2021-27098 on the SPIRE GitHub Security Advisory (https://github.com/spiffe/spire/security/advisories/GHSA-h746-rm5q-8mgq) and the NVD (https://nvd.nist.gov/vuln/detail/CVE-2021-27098).
- collector/github-advisory-latest
- alias/GHSA-h746-rm5q-8mgq
- alias/CVE-2021-27098
- collector/github-advisory
- collector/nvd-index
- collector/nvd-cve
- agent/type
- agent/author
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/severity
- agent/weakness
- agent/references
- agent/softwarecombine
- agent/description
- agent/tags
- collector/mitre-cve
- source/MITRE
- package-manager/go
- vendor/cncf
- canonical/cncf spire
- version/cncf spire/0.8.1
- version/cncf spire/0.8.4
- version/cncf spire/0.9.0
- version/cncf spire/0.10.0
- version/cncf spire/0.11.0
- version/cncf spire/0.12.0