GMS-2022-5617: Improper use of metav1.Duration allows for Denial of Service

October 19, 2022

Flux controllers within the affected versions range is vulnerable to a denial of service attack. Users that have permissions to change Flux’s objects, either through a Flux source or directly within a cluster, can provide invalid data to fields .spec.interval or .spec.timeout (and structured variations of these fields), causing the entire object type to stop being processed. The issue has two root causes a) the Kubernetes type metav1.Duration not being fully compatible with the Go type time.Duration as explained on upstream report; b) lack of validation within Flux to restrict allowed values.

References

github.com/advisories/GHSA-f4p5-x4vc-mh4v
github.com/fluxcd/flux2/security/advisories/GHSA-f4p5-x4vc-mh4v
github.com/kubernetes/apimachinery/issues/131

Detect and mitigate GMS-2022-5617 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →