The Fluid community recently discovered vulnerability CVE-2023-30840. A user who has gained root access to a node on which fluid-csi-plugin is deployed can launch privilege escalation attacks against the Kubernetes cluster to which the node belongs.
CVE-2023-30840 is rated as medium severity. The Common Vulnerability Scoring System (CVSS) score of this vulnerability is 4.0. For more information about this vulnerability, see CVE-2023-30840.
Affected versions
ack-fluid 0.7.0 to 0.9.6 are affected by this vulnerability.
Impacts
Your cluster is affected by this vulnerability if a node in the cluster meets all the following requirements:
An untrusted user has gained root access to the node and has the permissions to query information about all nodes in the cluster.
A fluid-csi-plugin version from 0.7.0 to 0.9.6 runs on the node.
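The following shell script is an added example, not part of the advisory or of the Fluid project: it classifies a fluid-csi-plugin version as inside or outside the affected range 0.7.0 to 0.9.6 and scans "node image" lines for affected image tags. The input format (one line per pod with the node name and the container image, as a kubectl custom-columns query could produce), the image name patterns, and the assumption that the image tag equals the component version are all assumptions; the sample input is constructed.

```shell
#!/bin/sh
# Added example for CVE-2023-30840 (not from the advisory or the Fluid project).
# Affected range per the advisory: fluid-csi-plugin 0.7.0 to 0.9.6; 0.9.7 is fixed.

# version_key MAJOR.MINOR.PATCH -> single integer for numeric comparison
# (assumes each component is below 1000).
version_key() {
    echo "$1" | awk -F. '{ printf "%d", $1*1000000 + $2*1000 + $3 }'
}

# fluid_csi_affected VERSION: succeed (exit 0) if VERSION is within 0.7.0..0.9.6.
fluid_csi_affected() {
    k=$(version_key "$1")
    lo=$(version_key 0.7.0)
    hi=$(version_key 0.9.6)
    [ "$k" -ge "$lo" ] && [ "$k" -le "$hi" ]
}

# scan_images: read "<node> <image>" lines on stdin and report, per node,
# whether the fluid-csi-plugin image tag falls in the affected range.
# Assumption: the image name contains "fluid-csi" and the tag is "v<version>"
# or "<version>", and that tag equals the component version.
scan_images() {
    while read -r node image; do
        case "$image" in
            *fluid-csi*:*) ;;
            *) continue ;;   # not the CSI plugin container, skip
        esac
        tag=${image##*:}
        ver=${tag#v}
        if fluid_csi_affected "$ver"; then
            echo "$node $ver AFFECTED"
        else
            echo "$node $ver ok"
        fi
    done
}

# Constructed sample input; not output from a real cluster.
SAMPLE_INPUT='node-a registry.example.com/fluid/fluid-csi-plugin:v0.9.6
node-b registry.example.com/fluid/fluid-csi-plugin:v0.9.7
node-c registry.example.com/fluid/fluid-csi-plugin:v0.7.0
node-d registry.example.com/other/sidecar:v1.2.3'

# Run with --demo to scan the constructed sample; pipe real "node image" lines
# into scan_images to check a cluster.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_INPUT" | scan_images
fi
```

A node reported as AFFECTED meets the second requirement above; whether it meets the first (an untrusted user with root access and node-list permissions) must be judged separately, and the fix in either case is the update described under Solution.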
Solution
Update ack-fluid to 0.9.7 or later. For more information about how to update ack-fluid, see Update a component.
Mitigation
Block external access to Elastic Compute Service (ECS) instances in your cluster and use only trusted images to deploy applications in your cluster.
Grant only trusted users the permissions to log on to the nodes in your cluster.
Check for unexpected access to the ECS instances in your cluster in Security Center.