Kyverno Denial-of-Service Vulnerability in forEach Mutation Handler

Vulnerability

A denial-of-service vulnerability has been identified in Kyverno versions 1.13.0 through 1.17.1, except the patched releases 1.16.4 and 1.17.2. The issue arises from an unchecked type assertion in the 'forEach' mutation handler of the legacy engine, which allows any user permitted to create a 'Policy' or 'ClusterPolicy' to crash the cluster-wide background controller. The crash leaves the controller in a persistent 'CrashLoopBackOff' state, disrupting all background processing across namespaces. Additionally, the admission controller drops connections, blocking resource operations for matching kinds. The crash loop continues until the offending policy is deleted.

Impact

Exploitation of this vulnerability causes a persistent denial-of-service condition on the Kyverno background controller, leading to a 'CrashLoopBackOff' state. This disruption halts all background processing across the cluster, affecting tasks such as rule generation and cleanup. Furthermore, if a 'ClusterPolicy' is used, the denial-of-service extends to admission operations for the specified resource kinds across the entire cluster.

Reproduction

The vulnerability can be reproduced by creating a 'Policy' or 'ClusterPolicy' that includes a 'forEach' rule with a 'patchesJson6902' field containing a variable substitution that resolves to nil, such as '{{ element.nonexistent }}'. When this policy is applied, it triggers a panic in the mutation handler, causing the background controller to crash and enter a 'CrashLoopBackOff' state. In the case of a 'ClusterPolicy', the admission controller webhook fails, blocking resource operations for the specified kinds across the cluster.
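As an added example, not code from the advisory or from the Kyverno project, the Python audit script below does two defensive checks that follow from the Vulnerability and Reproduction sections: it decides whether a reported Kyverno version lies in the affected range exactly as stated above, and it scans parsed 'Policy' / 'ClusterPolicy' objects for 'forEach' entries whose 'patchesJson6902' text contains a '{{ ... }}' variable substitution, so an administrator can review those rules before the background controller hits one that resolves to nil. It assumes the standard Kyverno manifest layout (`spec.rules[].mutate.foreach[].patchesJson6902`); the two policies in `SAMPLE_POLICIES` are constructed for the example.

```python
"""Audit helpers for the Kyverno forEach / patchesJson6902 crash described above."""
import re

# Affected range exactly as the advisory states it: 1.13.0 through 1.17.1,
# with the patched releases 1.16.4 and 1.17.2 excluded. Assumption: anything
# else inside that range is treated as affected, since the advisory names no
# other patched builds.
AFFECTED_LOW = (1, 13, 0)
AFFECTED_HIGH = (1, 17, 1)
PATCHED = {(1, 16, 4), (1, 17, 2)}

# Matches Kyverno variable substitutions such as {{ element.nonexistent }}.
SUBSTITUTION_RE = re.compile(r"\{\{\s*([^}]*?)\s*\}\}")


def parse_version(version):
    """Turn 'v1.17.1' or '1.17.1-rc.1' into a comparable (major, minor, patch) tuple."""
    core = version.lstrip("v").split("-", 1)[0].split("+", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError("unrecognised Kyverno version: %r" % version)
    return tuple(int(p) for p in parts)


def is_affected_version(version):
    """True when the running Kyverno version falls in the advisory's affected range."""
    v = parse_version(version)
    return AFFECTED_LOW <= v <= AFFECTED_HIGH and v not in PATCHED


def find_risky_foreach_patches(policy):
    """List every mutate.foreach entry of one Policy/ClusterPolicy (given as a
    parsed JSON/YAML dict) whose patchesJson6902 text contains a variable
    substitution. Whether a substitution resolves to nil depends on the matched
    resource, so each hit is something to review, not proof of a crash trigger."""
    findings = []
    for rule in policy.get("spec", {}).get("rules", []):
        mutate = rule.get("mutate") or {}
        for entry in mutate.get("foreach") or []:
            patch = entry.get("patchesJson6902")
            if not isinstance(patch, str):
                continue  # patchStrategicMerge and friends are not the affected path
            variables = SUBSTITUTION_RE.findall(patch)
            if variables:
                findings.append({
                    "kind": policy.get("kind"),
                    "policy": policy.get("metadata", {}).get("name"),
                    "rule": rule.get("name"),
                    "list": entry.get("list"),
                    "variables": variables,
                    # A ClusterPolicy also takes the admission webhook down cluster-wide.
                    "cluster_scoped": policy.get("kind") == "ClusterPolicy",
                })
    return findings


def audit_policies(policies):
    """Run find_risky_foreach_patches over a list of policy objects, e.g. the
    'items' of `kubectl get clusterpolicy,policy -A -o json` after json.load."""
    findings = []
    for policy in policies:
        findings.extend(find_risky_foreach_patches(policy))
    return findings


# Constructed sample input: two policies as they would appear after json.load.
SAMPLE_POLICIES = [
    {
        "kind": "ClusterPolicy",
        "metadata": {"name": "sample-foreach-json6902"},
        "spec": {"rules": [{
            "name": "add-owner-label",
            "match": {"any": [{"resources": {"kinds": ["Pod"]}}]},
            "mutate": {"foreach": [{
                "list": "request.object.spec.containers",
                "patchesJson6902": (
                    "- op: add\n"
                    "  path: /metadata/labels/owner\n"
                    "  value: \"{{ element.nonexistent }}\"\n"
                ),
            }]},
        }]},
    },
    {
        "kind": "Policy",
        "metadata": {"name": "sample-strategic-merge", "namespace": "default"},
        "spec": {"rules": [{
            "name": "set-scanned-label",
            "match": {"any": [{"resources": {"kinds": ["Pod"]}}]},
            "mutate": {"foreach": [{
                "list": "request.object.spec.containers",
                "patchStrategicMerge": {"metadata": {"labels": {"scanned": "true"}}},
            }]},
        }]},
    },
]


if __name__ == "__main__":
    print("v1.17.1 affected:", is_affected_version("v1.17.1"))
    for finding in audit_policies(SAMPLE_POLICIES):
        print(finding)
```

Only the first sample policy is reported: it is a 'ClusterPolicy' (so the admission webhook is at risk cluster-wide, not just the background controller) and its 'patchesJson6902' references `element.nonexistent`. The second policy uses 'patchStrategicMerge' in its 'forEach' entry, which is not the code path the advisory describes, so it is skipped.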

Remediation

Users can upgrade to Kyverno versions 1.17.2 or 1.16.4, where this vulnerability has been fixed.

Added: Apr 24, 2026, 4:20 AM
Updated: Apr 24, 2026, 4:20 AM

Vulnerability Rating

Custom Algorithm
spread: 2.6
impact: 2.5
exploitability: 6.2
remediation: 7.7
relevance: 6.6
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.