Advisory ID | D2IQ-2022-0003
Severity | Medium
Synopsis | Minio CVE-2021-21287
Affected Product(s) | Kommander
Affected Version(s) | 2.0.0, 2.1.0, 2.1.1
Issue date | 02-19-2021
Updated on | 04-02-2021
Issue:
The Velero Addon deployed by Kommander includes a Minio deployment with version RELEASE.2020-12-03T05-49-24Z. That deployment must be updated to a fixed version to mitigate the CVE.
Details of the Minio CVE-2021-21287 can be found here:
https://www.opencve.io/cve/CVE-2021-21287
Workaround:
You can mitigate this CVE by updating the Minio docker image used in the Velero Addon. Override files for both 2.0.0 and 2.1.X are provided below. Confirm that your kubectl is configured for the appropriate cluster context, then paste the block for your version into a terminal window to apply it:
2.1.X:
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: ConfigMap
metadata:
  namespace: kommander
  name: velero-overrides
data:
  values.yaml: |
    minio:
      image:
        tag: RELEASE.2021-02-14T04-01-33Z
      mcImage:
        tag: RELEASE.2021-02-14T04-28-06Z
---
apiVersion: apps.kommander.d2iq.io/v1alpha2
kind: AppDeployment
metadata:
  name: velero
  namespace: kommander
spec:
  appRef:
    name: velero-3.1.3
    kind: ClusterApp
  configOverrides:
    name: velero-overrides
EOF
2.0.0:
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: ConfigMap
metadata:
  namespace: kommander
  name: velero-overrides
data:
  values.yaml: |
    minio:
      image:
        tag: RELEASE.2021-02-14T04-01-33Z
      mcImage:
        tag: RELEASE.2021-02-14T04-28-06Z
---
apiVersion: apps.kommander.d2iq.io/v1alpha1
kind: AppDeployment
metadata:
  name: velero
  namespace: kommander
spec:
  appRef:
    name: velero-3.1.3
  configOverrides:
    name: velero-overrides
EOF
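To confirm the override actually took effect, the following added verification helper (not part of the advisory or of D2IQ's tooling) extracts the tag from each Minio and mc container image running in the Velero Addon's namespace and checks that it is at or after the fixed releases. It assumes the addon runs in a namespace named velero and uses images named minio/minio and minio/mc; adjust those if your deployment differs.

```shell
# Added verification helper (not from the advisory). MinIO RELEASE tags embed a
# UTC timestamp (RELEASE.YYYY-MM-DDTHH-MM-SSZ), so plain string comparison
# orders them chronologically.

MINIO_FIXED_TAG="RELEASE.2021-02-14T04-01-33Z"
MC_FIXED_TAG="RELEASE.2021-02-14T04-28-06Z"

# image_tag IMAGE -> prints the tag of an image reference. Handles registry
# ports (host:5000/minio/minio:TAG) and digests (...:TAG@sha256:...).
image_tag() {
    ref="${1%%@*}"          # drop any @sha256:... digest suffix
    last="${ref##*/}"       # last path component: "minio:TAG" or "minio"
    case "$last" in
        *:*) printf '%s\n' "${last##*:}" ;;
        *)   printf 'latest\n' ;;   # no explicit tag
    esac
}

# tag_is_fixed TAG FIXED_TAG -> exit 0 when TAG is the fixed release or later.
tag_is_fixed() {
    case "$1" in
        RELEASE.*) ;;
        *) return 1 ;;      # "latest", "edge" or a custom tag: cannot prove it is fixed
    esac
    [ "$1" = "$2" ] && return 0
    [ "$1" \> "$2" ]
}

# image_is_fixed IMAGE FIXED_TAG -> exit 0 when the image is at or past the fix.
image_is_fixed() {
    tag_is_fixed "$(image_tag "$1")" "$2"
}

# Live check against the cluster; namespace "velero" is an assumption.
check_cluster() {
    ns="${1:-velero}"
    rc=0
    for img in $(kubectl -n "$ns" get pods -o jsonpath='{range .items[*].spec.containers[*]}{.image}{"\n"}{end}' | sort -u); do
        case "$img" in
            *minio/minio:*|*minio/minio) fixed="$MINIO_FIXED_TAG" ;;
            *minio/mc:*|*minio/mc)       fixed="$MC_FIXED_TAG" ;;
            *) continue ;;              # not a Minio image
        esac
        if image_is_fixed "$img" "$fixed"; then
            echo "OK         $img"
        else
            echo "VULNERABLE $img (need >= $fixed)"; rc=1
        fi
    done
    return $rc
}
```

Run `check_cluster` (or `check_cluster <namespace>`) after applying the override; a non-zero exit means at least one Minio or mc pod is still running a pre-fix image.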