VYPR
High severity · NVD Advisory · Published May 30, 2023 · Updated Oct 10, 2024

Apache Airflow CNCF Kubernetes Provider: KubernetesPodOperator RCE via connection configuration

CVE-2023-33234

Description

Arbitrary code execution in Apache Airflow CNCF Kubernetes provider 5.0.0 via xcom sidecar image manipulation, requiring elevated privileges, fixed in 7.0.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Description

CVE-2023-33234 is an arbitrary code execution vulnerability in the Apache Airflow CNCF Kubernetes provider version 5.0.0. The root cause is that the provider allows users to change the xcom sidecar container image and its resource specifications via an Airflow connection object. This design flaw enables an attacker to specify a malicious container image that will be executed as a sidecar during task execution.

Exploitation

Prerequisites

To exploit this vulnerability, an attacker must already have elevated permissions, specifically Operator or Admin roles, within the Airflow environment. These privileges are required to modify the connection object that controls the sidecar configuration. Thus, the attack surface is limited to users who already possess significant access rights.

Impact

Successful exploitation leads to arbitrary code execution within the Kubernetes cluster where Airflow tasks are run. An attacker can deploy a malicious sidecar container with arbitrary commands, potentially compromising the host cluster and accessing sensitive data or disrupting operations.

Mitigation

The vulnerability is fixed in Apache Airflow CNCF Kubernetes provider version 7.0.0, which removed the connection options that allowed the sidecar image and resources to be changed. Operators are strongly advised to upgrade to this version or later. No known workarounds exist; upgrading is the only remediation [1][2].
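The Description above explains that the sidecar image and resources were configurable through an Airflow connection's extras, and the Mitigation section gives the affected range. The following audit script, added here as an example and not taken from the VYPR page or the Airflow project, checks an installed provider version against that range and flags connections whose extras override the sidecar settings. It assumes the extra keys are named xcom_sidecar_container_image and xcom_sidecar_container_resources (the page itself names no keys) and runs offline against constructed sample connections.

```python
"""Audit Airflow Kubernetes connections for xcom sidecar overrides (CVE-2023-33234).
Added example, not code from the VYPR page or the Airflow project. Assumes the
connection-extra keys are "xcom_sidecar_container_image" and
"xcom_sidecar_container_resources" (assumption; the page names no keys)."""
import json
import re

AFFECTED_MIN = (5, 0, 0)  # first affected provider release, per the advisory
FIXED = (7, 0, 0)         # release in which the connection options were removed
OVERRIDE_KEYS = ("xcom_sidecar_container_image", "xcom_sidecar_container_resources")

# Constructed sample: conn_id -> the connection's "extra" field as Airflow stores it.
SAMPLE_CONNECTIONS = {
    "k8s_default": json.dumps({"in_cluster": True}),
    "k8s_team_a": json.dumps({
        "in_cluster": True,
        "xcom_sidecar_container_image": "registry.example.test/untrusted/sidecar:latest",
        "xcom_sidecar_container_resources": json.dumps({"limits": {"cpu": "2"}}),
    }),
    "k8s_broken": "not json",
}

def parse_version(v: str) -> tuple:
    """'6.1.0' -> (6, 1, 0); trailing non-digits in a component are ignored."""
    nums = []
    for part in v.split(".")[:3]:
        m = re.match(r"\d+", part)
        nums.append(int(m.group()) if m else 0)
    return tuple(nums + [0] * (3 - len(nums)))

def is_affected(provider_version: str) -> bool:
    """True when the installed provider falls in [5.0.0, 7.0.0)."""
    return AFFECTED_MIN <= parse_version(provider_version) < FIXED

def find_overrides(connections: dict) -> dict:
    """Map conn_id -> sidecar override keys present in its extras."""
    findings = {}
    for conn_id, extra in connections.items():
        try:
            data = json.loads(extra) if extra else {}
        except json.JSONDecodeError:
            # A malformed extra must not silently pass the audit.
            findings.setdefault("__unparseable__", []).append(conn_id)
            continue
        hits = [k for k in OVERRIDE_KEYS if k in data]
        if hits:
            findings[conn_id] = hits
    return findings
```

Any flagged connection on an affected provider version should be reviewed before upgrading, since the override is only removed, not audited, by the fix.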

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: apache-airflow-providers-cncf-kubernetes (PyPI)
Affected versions: >= 5.0.0, < 7.0.0
Patched versions: 7.0.0

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0

No linked articles in our index yet.