Issue
A critical vulnerability was identified in the version of Minio used in our applications. This issue could potentially grant unauthorized access to the output data of application processes stored in Minio.
Impact
This vulnerability significantly impacts users of our application who use Minio for storage. It may lead to unauthorized access to, or manipulation of, the output data from application processes. Users who use managed object storage solutions, such as AWS S3, are not affected. The rest of the application functionality is not impacted.
Patches
Users are advised to upgrade their RADAR-Kubernetes to version v1.1.3, which includes the latest, secure version of Minio. Before the upgrade, make sure to update the s3_access_key and s3_secret_key variables with new secrets, and then run:
helmfile -f helmfile.d/20-s3.yaml -l name=radar-output -l name=radar-s3-connector -l name=minio sync
After the upgrade, inspect the Minio deployment and check for any suspicious changes. Also make sure there are no extra users created on Minio, and ideally reset the password for all users.
Workarounds
If an immediate upgrade is not possible, users can mitigate the vulnerability by deleting the Ingress definition for the Minio API with the command:
kubectl delete ingress minio-api
Additionally, users should change the root password of their Minio to revoke any unauthorized access. However, note that this workaround will cause the mc client and any APIs accessing Minio to stop working until the upgrade is complete.
References
For more detailed information about the vulnerability, users can visit the following links:
Regular checks on these sites for updates and potential vulnerabilities are advised for all users.
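The post-upgrade check for extra Minio users, written as a small shell helper. This is an added example, not part of the RADAR-Kubernetes advisory or project: it reads the output of `mc admin user list` on stdin and prints any access key not present in an allowlist file. The alias name, the allowlist file and the sample user list are constructed for illustration.

```sh
#!/bin/sh
# Added example (not RADAR-Kubernetes project code): flag MinIO users that are
# not on an expected list, to support the "no extra users" check after upgrade.
# Real usage (ALIAS and expected_users.txt are assumptions):
#   mc admin user list "$ALIAS" | unexpected_users expected_users.txt
# `mc admin user list` prints one "<status> <accesskey>" line per user.

# unexpected_users <expected-file>
#   stdin: user-list lines; stdout: "<accesskey> (<status>)" for each user
#   not listed in <expected-file>. Returns 1 if any such user was found.
unexpected_users() {
  expected="$1"
  found=0
  while read -r status key; do
    [ -z "$key" ] && continue            # skip blank lines
    if ! grep -qx "$key" "$expected"; then
      printf '%s (%s)\n' "$key" "$status"
      found=1
    fi
  done
  return $found
}

# Demo on constructed data: the two service accounts are expected, a third
# account is not and should be reported.
demo_expected=$(mktemp)
printf 'radar-output\nradar-s3-connector\n' > "$demo_expected"
printf 'enabled    radar-output\nenabled    radar-s3-connector\nenabled    extra-account\n' \
  | unexpected_users "$demo_expected" || echo "unexpected users found, investigate and reset passwords"
rm -f "$demo_expected"
```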