KIALI-SECURITY-003 - Installation into ad-hoc namespaces

Description

A vulnerability was found in the Kiali Operator allowing installation of a specified image into any namespace.

Kiali users are exposed to this vulnerability if all the following conditions are met:

  • Kiali operator is used for installation.
  • Kiali CR was edited to install an image into an unapproved namespace.

This vulnerability is filed as CVE-2021-3495.

Mitigation

If you can update:

  • Update to Kiali Operator v1.33.0 or later.

If you can not update:

  • Ensure only trusted individuals can create or edit Kiali CRs (resources of kind “kiali”).
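As an added example (not part of this advisory and not Kiali's own code), a policy check that a CI pipeline or validating admission webhook could run over a Kiali CR before it is admitted, rejecting CRs that point the operator at a namespace or image registry outside an allow-list. The field names spec.deployment.namespace and spec.deployment.image_name, the fallback to the CR's own namespace, and the allow-list values are assumptions made for this example.

```python
"""Policy check for Kiali custom resources (added example, not Kiali code).

Flags a Kiali CR whose spec asks the operator to deploy into a namespace
outside an approved allow-list, or to pull an image from an unapproved
registry. Field names (spec.deployment.namespace, spec.deployment.image_name)
and the allow-lists are assumptions for this example.
"""
from typing import Any

# Assumed allow-lists; a real deployment would load these from policy config.
APPROVED_NAMESPACES = {"istio-system", "kiali-operator"}
APPROVED_IMAGE_PREFIXES = ("quay.io/kiali/",)


def check_kiali_cr(cr: dict[str, Any]) -> list[str]:
    """Return a list of policy violations for one Kiali CR (empty means OK)."""
    violations: list[str] = []
    metadata = cr.get("metadata", {})
    deployment = cr.get("spec", {}).get("deployment", {})

    # Assumption: when spec.deployment.namespace is unset, the operator installs
    # into the namespace of the CR itself, so that is the namespace to check.
    target_ns = deployment.get("namespace") or metadata.get("namespace")
    if not target_ns:
        violations.append("cannot determine target namespace")
    elif target_ns not in APPROVED_NAMESPACES:
        violations.append(f"target namespace {target_ns!r} is not approved")

    image = deployment.get("image_name")
    if image and not image.startswith(APPROVED_IMAGE_PREFIXES):
        violations.append(f"image {image!r} is not from an approved registry")
    return violations


# Constructed sample CRs for demonstration (not taken from a real cluster).
GOOD_CR = {
    "apiVersion": "kiali.io/v1alpha1",
    "kind": "Kiali",
    "metadata": {"name": "kiali", "namespace": "istio-system"},
    "spec": {"deployment": {"image_name": "quay.io/kiali/kiali"}},
}
BAD_CR = {
    "apiVersion": "kiali.io/v1alpha1",
    "kind": "Kiali",
    "metadata": {"name": "kiali", "namespace": "istio-system"},
    "spec": {"deployment": {"namespace": "kube-system",
                            "image_name": "example.invalid/unapproved/image"}},
}

if __name__ == "__main__":
    for name, cr in (("good", GOOD_CR), ("bad", BAD_CR)):
        print(name, check_kiali_cr(cr) or "OK")
```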