Security Advisories for Longhorn CVE-2021-36779 & CVE-2021-36780
Two vulnerabilities were found in released versions (< 1.1.3 on the 1.1.x line, < 1.2.3 on the 1.2.x line), listed below. Both are fixed in the latest releases, 1.1.3 and 1.2.3. For more details, see the issue and security advisory for each CVE.
- CVE-2021-36779: Host operations allowed in privileged Longhorn managed pods
- CVE-2021-36780: Unauthorized data access from replicas through vulnerable instance manager pods
CVE-2021-36779: Host operations allowed in privileged Longhorn managed pods
The privileged pods managed by Longhorn run on every node of a Kubernetes cluster to manage volume replicas. Each pod's container runs as root and exposes a gRPC service on TCP port 8500. The service is reachable by any workload in the cluster without authentication, so a malicious workload can use it to execute any binary present in the image on the host.
CVE-2021-36780: Unauthorized data access from replicas through vulnerable instance manager pods
The Longhorn instance manager pods are responsible for managing and accessing volume replicas. It is possible to connect directly to a longhorn-engine replica instance running in the instance-manager replica pod. A longhorn-engine replica accepts multiple TCP connections, and each connection can read and write the replica's data. Other pods in the cluster can therefore read and write data on a replica that they should not have access to.
Mitigation
There are no workarounds or mitigations. Upgrade the Longhorn cluster to 1.1.3 or 1.2.3 to resolve both issues.
- If using 1.1.x, please upgrade to the latest 1.1.3.
- If using 1.2.x, please upgrade to the latest 1.2.3.
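The following is an added inventory check, not code from the Longhorn project or this advisory. It takes the container image references from the longhorn-system namespace, reads the Longhorn release version from the longhorn-manager image tag (the instance-manager tag is date-based and does not identify the release line), and classifies the install against the ranges given above. The sample image list, the helper names, and the treatment of pre-release tags such as v1.2.3-rc1 as still affected are assumptions made for this example.

```python
"""Check a Longhorn install against the ranges in this advisory.

Added example, not Longhorn project code. Affected/fixed versions come from
the advisory; image references and helper names are constructed assumptions.
"""
import re
from typing import List, NamedTuple, Optional, Tuple

# From the advisory: < 1.1.3 on the 1.1 line and < 1.2.3 on the 1.2 line are affected.
FIRST_FIXED_1_1 = (1, 1, 3)
FIRST_FIXED_1_2 = (1, 2, 3)

# Accepts "v1.2.2", "1.2.2", "v1.2.3-rc1". Instance-manager tags such as
# "v1_20210731" deliberately do not match: the release version is the
# longhorn-manager tag, not the instance-manager tag.
_SEMVER = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$")

# Matches the tag of a longhorn-manager image, with or without a registry prefix.
# A digest-pinned reference (name@sha256:...) does not match and is reported unknown.
_MANAGER_IMAGE = re.compile(r"(?:^|/)longhorn-manager:([^@\s]+)$")


class Version(NamedTuple):
    major: int
    minor: int
    patch: int
    prerelease: Optional[str]

    @property
    def core(self) -> Tuple[int, int, int]:
        return (self.major, self.minor, self.patch)


def parse_version(tag: str) -> Optional[Version]:
    """Parse a semver-style image tag; return None for anything else."""
    m = _SEMVER.match(tag.strip())
    if not m:
        return None
    return Version(int(m[1]), int(m[2]), int(m[3]), m[4])


def is_affected(v: Version) -> bool:
    """True when the version falls inside the advisory's vulnerable ranges.

    A pre-release of a fixed version (e.g. v1.2.3-rc1) sorts before the final
    release in semver and is treated as affected. That is a conservative
    assumption of this example; the advisory names only final releases.
    """
    if v.core < FIRST_FIXED_1_1:
        return True
    if (1, 2, 0) <= v.core < FIRST_FIXED_1_2:
        return True
    if v.prerelease and v.core in (FIRST_FIXED_1_1, FIRST_FIXED_1_2):
        return True
    return False


def upgrade_target(v: Version) -> str:
    """Release to move to: 1.1.x -> 1.1.3, 1.2.x -> 1.2.3 (from the advisory).

    Anything older than the 1.1 line is pointed at 1.1.3, the lowest fixed
    release; that is an assumption, the advisory only addresses 1.1.x and 1.2.x.
    """
    return "1.2.3" if v.core >= (1, 2, 0) else "1.1.3"


def manager_version_from_images(images: List[str]) -> Optional[str]:
    """Return the longhorn-manager tag from a list of image references, if any."""
    for ref in images:
        m = _MANAGER_IMAGE.search(ref)
        if m:
            return m[1]
    return None


def check_cluster(images: List[str]) -> Tuple[str, str]:
    """Classify an install as 'affected', 'fixed' or 'unknown' with a detail string."""
    tag = manager_version_from_images(images)
    if tag is None:
        return "unknown", "no longhorn-manager image tag found"
    v = parse_version(tag)
    if v is None:
        return "unknown", "unparseable longhorn-manager tag %r" % tag
    if is_affected(v):
        return "affected", "longhorn-manager %s: upgrade to %s" % (tag, upgrade_target(v))
    return "fixed", "longhorn-manager %s is at or past the fixed release" % tag


# Constructed sample input: image references as they would be listed by
# kubectl -n longhorn-system get pods -o jsonpath='{.items[*].spec.containers[*].image}'
# on a 1.2.2 install.
SAMPLE_IMAGES = [
    "longhornio/longhorn-instance-manager:v1_20210731",
    "longhornio/longhorn-engine:v1.2.2",
    "longhornio/longhorn-manager:v1.2.2",
    "longhornio/longhorn-ui:v1.2.2",
]

if __name__ == "__main__":
    status, detail = check_cluster(SAMPLE_IMAGES)
    print(status, "-", detail)
```

Feed the function the image list from each cluster you operate; an "unknown" result (digest-pinned or non-semver manager tag) should be resolved by hand rather than treated as fixed.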
Credits
Thanks to Dagan Henderson and Will Kline for reporting these vulnerabilities.