Kyverno
cpe:2.3:a:kyverno:kyverno:*:*:*:*:*:*:*
- <= 1.14.1
A denial-of-service vulnerability has been identified in Kyverno, a policy engine for cloud-native platforms, in versions 1.14.1 and prior. The issue arises from improper handling of JMESPath variable substitutions. Attackers with the ability to create or update Kyverno policies can craft expressions that lead to a nil value being introduced into the policy structure. This nil value causes a panic in internal functions that expect string values, disrupting Kyverno's admission controller and reports controller.
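The failure mode described above, a nil result from variable substitution reaching code that assumes a string, is a generic Go pattern. The following is an added, self-contained illustration of that pattern and of the defensive check that prevents the panic; it is not Kyverno's code, and the variable map, the names SubstituteUnsafe/SubstituteSafe and the ErrNilSubstitution error are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrNilSubstitution is returned when a substitution yields no value.
// Constructed for this example; not a Kyverno identifier.
var ErrNilSubstitution = errors.New("variable substitution produced nil")

// lookupVariable stands in for the JMESPath variable substitution step.
// A missing key yields a nil interface value, which is the situation the
// advisory describes for expressions with no result. Constructed stand-in,
// not Kyverno's implementation.
func lookupVariable(vars map[string]interface{}, name string) interface{} {
	return vars[name]
}

// unsafeToString mirrors the vulnerable shape: an unchecked type assertion
// that panics when v is nil or is not a string.
func unsafeToString(v interface{}) string {
	return v.(string)
}

// safeToString is the hardened form: the comma-ok assertion turns a nil or
// non-string value into an error instead of a panic.
func safeToString(v interface{}) (string, error) {
	s, ok := v.(string)
	if !ok {
		return "", fmt.Errorf("expected string, got %T", v)
	}
	return s, nil
}

// SubstituteUnsafe runs the unchecked path and reports whether it panicked,
// so both behaviours can be compared on the same input without crashing.
func SubstituteUnsafe(vars map[string]interface{}, name string) (result string, panicked bool) {
	defer func() {
		if r := recover(); r != nil {
			panicked = true
		}
	}()
	return unsafeToString(lookupVariable(vars, name)), false
}

// SubstituteSafe rejects a nil result up front and then converts safely.
// A controller using this shape logs and rejects the policy instead of
// crashing its admission and reporting loops.
func SubstituteSafe(vars map[string]interface{}, name string) (string, error) {
	v := lookupVariable(vars, name)
	if v == nil {
		return "", ErrNilSubstitution
	}
	return safeToString(v)
}

func main() {
	// Constructed sample: one variable present, one intentionally missing.
	vars := map[string]interface{}{"request.name": "demo-pod"}

	if s, panicked := SubstituteUnsafe(vars, "request.name"); !panicked {
		fmt.Println("unsafe, present key:", s)
	}
	if _, panicked := SubstituteUnsafe(vars, "missing"); panicked {
		fmt.Println("unsafe, missing key: panic (the DoS condition)")
	}
	if _, err := SubstituteSafe(vars, "missing"); err != nil {
		fmt.Println("safe, missing key:", err)
	}
}
```

The check that matters is the nil guard before the type assertion: without it, a single policy whose expression evaluates to nil takes down every request the controller is handling, not just the policy that carries the bad expression.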
Exploitation of this vulnerability causes a denial-of-service condition, crashing Kyverno's admission controller and reports controller. In Enforce mode, the entire admission controller crashes, disrupting resource deployment. The reports controller also crashes and restarts, halting background policy scanning and report generation.
To reproduce this vulnerability, create a ClusterPolicy that includes a JMESPath expression evaluating to nil, such as '{{@ | non_existent_function}}'. Apply this policy and then trigger it by creating a Pod. This will cause a panic in the admission controller, which can be observed in the logs. For a more severe impact, reapply the policy with 'Enforce' as the validation failure action, which will crash the entire admission controller.
Users can update to Kyverno version 1.14.2, where this vulnerability has been fixed.