Volcano Scheduler Denial-of-Service Vulnerability via Compromised Elastic Service or Extender Plugin
Vulnerability
A denial-of-service vulnerability has been identified in Volcano, a Kubernetes-native batch scheduling system, affecting versions prior to 1.11.2, 1.10.2, 1.9.1, 1.11.0-network-topology-preview.3, and 1.12.0-alpha.2. The issue arises when an attacker compromises either the Elastic service or the extender plugin, which can take the scheduler out of service. It also amounts to a privilege escalation: Volcano users may run their Elastic service and extender plugins in pods or nodes other than the scheduler's, and in Kubernetes node isolation is a security boundary, so an attacker who compromises one of those services, or the pod or node hosting it, gains the ability to bring down the scheduler. The scheduler then becomes unavailable to other users and workloads in the cluster, either crashing with an unrecoverable out-of-memory panic or freezing while consuming excessive memory.
Impact
Exploitation of this vulnerability causes the scheduler to crash with an out-of-memory panic or freeze while using excessive memory, leading to a denial-of-service condition where the scheduler becomes unavailable to other users and workloads in the cluster.
Remediation
Users are advised to upgrade to Volcano versions 1.11.2, 1.10.2, 1.9.1, 1.11.0-network-topology-preview.3, or 1.12.0-alpha.2. After upgrading, be aware that the pprof endpoint for the Volcano Scheduler is disabled by default. If this endpoint is needed for debugging or monitoring, it must be explicitly enabled post-upgrade.