-
Notifications
You must be signed in to change notification settings - Fork 720
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: secure redis authentication [CVE-2024-31989] #1364
feat: secure redis authentication [CVE-2024-31989] #1364
Conversation
Signed-off-by: iam-veeramalla <abhishek.veeramalla@gmail.com>
Signed-off-by: iam-veeramalla <abhishek.veeramalla@gmail.com>
Signed-off-by: iam-veeramalla <abhishek.veeramalla@gmail.com>
Signed-off-by: iam-veeramalla <abhishek.veeramalla@gmail.com>
Signed-off-by: iam-veeramalla <abhishek.veeramalla@gmail.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ran some manual test as well as ha kuttl test. LGTM. Thanks @iam-veeramalla
/cherry-pick release-0.10 |
Cherry-pick failed with |
/cherry-pick release-0.9 |
Cherry-pick failed with |
/cherry-pick release-0.8 |
Cherry-pick failed with |
/cherry-pick release-0.10 |
Cherry-pick failed with |
* feat: secure redis authentication Signed-off-by: iam-veeramalla <abhishek.veeramalla@gmail.com> * fix: failing unit tests Signed-off-by: iam-veeramalla <abhishek.veeramalla@gmail.com> * fix: code review comments and liniting issue Signed-off-by: iam-veeramalla <abhishek.veeramalla@gmail.com> * fix: issues with HA pod crashing Signed-off-by: iam-veeramalla <abhishek.veeramalla@gmail.com> * fix: mount password env Signed-off-by: iam-veeramalla <abhishek.veeramalla@gmail.com> --------- Signed-off-by: iam-veeramalla <abhishek.veeramalla@gmail.com>
Signed-off-by: iam-veeramalla <abhishek.veeramalla@gmail.com>
* feat: secure redis authentication * fix: failing unit tests * fix: code review comments and liniting issue * fix: issues with HA pod crashing * fix: mount password env --------- Signed-off-by: iam-veeramalla <abhishek.veeramalla@gmail.com>
Signed-off-by: iam-veeramalla <abhishek.veeramalla@gmail.com>
What type of PR is this?
What does this PR do / why we need it:
Fix CVE-2024-31989
It has been discovered that an unprivileged pod in a different namespace on the same cluster could connect to the Redis server on port 6379. Despite having installed the latest version of the VPC CNI plugin on the EKS cluster, it requires manual enablement through configuration to enforce network policies. This raises concerns that many clients might unknowingly have open access to their Redis servers. This vulnerability could lead to Privilege Escalation to the level of cluster controller, or to information leakage, affecting anyone who does not have strict access controls on their Redis instance. This issue has been patched in version(s) 2.8.19, 2.9.15 and 2.10.10.
Have you updated the necessary documentation?
NA
Which issue(s) this PR fixes:
Fixes CVE-2024-31989
How to test changes / Special notes to the reviewer: