CVE-2024-39690
📋 TL;DR
In Capsule v0.7.0 and earlier, a tenant owner can patch any namespace that no tenant has taken over, and in doing so take control of it. This affects Kubernetes clusters that use Capsule for multi-tenancy, because Capsule grants tenant owners the namespace-management privileges the attack relies on.
💻 Affected Systems
- Capsule (Kubernetes multi-tenancy framework)
📦 What is this software?
Capsule by Projectcapsule: a multi-tenancy and policy-based framework for Kubernetes that groups namespaces into tenants and lets tenant owners create and manage their own namespaces with self-service.
⚠️ Risk & Real-World Impact
Worst Case
A tenant owner gains control of a system namespace such as kube-system. Admin-level access there (secrets, service account tokens, control-plane workloads) is a realistic path to compromising the entire cluster.
Likely Case
A tenant owner takes over namespaces belonging to other tenants, or system namespaces, leading to data exposure, service disruption and a broken tenant privilege boundary.
If Mitigated
Strict RBAC and network policies can contain lateral movement, but the namespace isolation boundary Capsule is supposed to enforce is still broken.
🎯 Exploit Status
Exploitation requires an authenticated tenant owner, that is, an identity to which Capsule has already granted namespace permissions on the Kubernetes API; no further privileges are needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v0.7.1
Vendor Advisory: https://github.com/projectcapsule/capsule/security/advisories/GHSA-mq69-4j5w-3qwp
Restart Required: Yes
Instructions:
1. Back up the current Capsule configuration (Tenant objects and Helm values).
2. Update Capsule to v0.7.1 via Helm (helm upgrade) or by updating the deployment manifest.
3. Restart the Capsule controller pods if the upgrade did not already roll them.
4. Verify all tenants are functioning correctly (tenant owners can still create and manage their own namespaces).
🔧 Temporary Workarounds
Restrict namespace patching permissions
Temporarily remove the patch verb on namespaces from the ClusterRole bound to tenant owners:
kubectl edit clusterrole capsule-tenant-owner
Remove the 'patch' verb from the rule covering the namespaces resource. The ClusterRole name varies by Capsule version and install method, so first confirm which ClusterRole your tenant owners are actually bound to (kubectl get clusterrolebindings -o wide) and check the result afterwards with kubectl auth can-i patch namespaces --as=<tenant-owner>. Two caveats: this also blocks legitimate patches by tenant owners to their own namespaces, and the Capsule controller may reconcile the ClusterRole back to its defaults, so re-check the rules after the controller restarts.
🧯 If You Can't Patch
- Implement strict network policies to isolate tenant namespaces
- Enable audit logging for all namespace modification events and monitor for unauthorized changes
🔍 How to Verify
Check if Vulnerable:
Read the tag of the running controller image (the deployment and namespace names are Capsule's Helm defaults; adjust them if you renamed the release):
kubectl get deployment -n capsule-system capsule-controller-manager -o jsonpath='{.spec.template.spec.containers[0].image}' | grep -o 'v[0-9]\+\.[0-9]\+\.[0-9]\+'
A tag of v0.7.0 or lower means the cluster is affected. An untagged or digest-only image, or a tag such as latest, cannot be judged from the tag alone; check the release's app version instead (helm list -n capsule-system).
Verify Fix Applied:
Confirm the running image tag is v0.7.1 or later, then verify behaviour rather than only the version: impersonating a tenant owner (kubectl --as), attempt a harmless label patch on a scratch namespace that no tenant owns and confirm the API server rejects it.
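As an added example (not code from the page or the Capsule project), the tag check above carried through as a script: it extracts the tag from the controller's image reference, handles registries with ports, digest-pinned references and pre-release tags, and compares against the fixed version. The sample image references are constructed; the optional live lookup reuses the page's deployment and namespace names and is skipped when kubectl is not available.

```python
"""Decide from the Capsule controller image reference whether the running
version is affected by CVE-2024-39690 (fixed in v0.7.1).

Added example, not code from the page or the Capsule project. The image
references in __main__ are constructed.
"""
import re
import subprocess
from typing import Optional, Tuple

FIXED_VERSION = (0, 7, 1)

# Accepts v0.7.0, 0.7.0, v0.7.1-rc1, v0.7.1+build.5; the pre-release part is captured.
_SEMVER = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$")


def image_tag(image: str) -> Optional[str]:
    """Return the tag of an image reference, or None if it is untagged or digest-only.

    Handles registries with ports (localhost:5000/capsule:v0.7.1) and
    digest-pinned references (capsule:v0.7.1@sha256:...).
    """
    ref = image.split("@", 1)[0]      # drop any digest
    last = ref.rsplit("/", 1)[-1]     # a registry:port prefix sits before the last slash
    if ":" not in last:
        return None
    return last.split(":", 1)[1]


def parse_version(tag: str) -> Optional[Tuple[int, int, int, bool]]:
    """Parse a semver-style tag into (major, minor, patch, is_release)."""
    m = _SEMVER.match(tag)
    if not m:
        return None
    major, minor, patch, pre = m.groups()
    return int(major), int(minor), int(patch), pre is None


def is_vulnerable(image: str) -> Optional[bool]:
    """True if the tag is below v0.7.1, False if at or above, None if undecidable.

    A pre-release of the fixed version (v0.7.1-rc1) is treated as vulnerable:
    it predates the release and cannot be assumed to carry the fix.
    """
    tag = image_tag(image)
    if tag is None:
        return None
    parsed = parse_version(tag)
    if parsed is None:  # 'latest', branch names, commit SHAs: cannot decide from the tag
        return None
    major, minor, patch, is_release = parsed
    if (major, minor, patch) < FIXED_VERSION:
        return True
    if (major, minor, patch) == FIXED_VERSION and not is_release:
        return True
    return False


def live_controller_image(namespace: str = "capsule-system",
                          deployment: str = "capsule-controller-manager") -> Optional[str]:
    """Read the controller image from the cluster; None if kubectl is missing or the call fails."""
    try:
        out = subprocess.run(
            ["kubectl", "get", "deployment", "-n", namespace, deployment,
             "-o", "jsonpath={.spec.template.spec.containers[0].image}"],
            capture_output=True, text=True, check=True, timeout=30)
    except (FileNotFoundError, subprocess.CalledProcessError, subprocess.TimeoutExpired):
        return None
    return out.stdout.strip() or None


if __name__ == "__main__":
    samples = [  # constructed references covering the edge cases above
        "ghcr.io/projectcapsule/capsule:v0.7.0",
        "ghcr.io/projectcapsule/capsule:v0.7.1",
        "localhost:5000/capsule:v0.6.3@sha256:" + "0" * 64,
        "ghcr.io/projectcapsule/capsule:v0.7.1-rc1",
        "ghcr.io/projectcapsule/capsule:latest",
    ]
    live = live_controller_image()
    if live:
        samples.insert(0, live)
    labels = {True: "VULNERABLE", False: "fixed", None: "undecidable (inspect the image manually)"}
    for img in samples:
        print(f"{img}: {labels[is_vulnerable(img)]}")
```

The undecidable case is deliberate: a latest tag or a digest-only reference should be escalated to a manual check rather than silently reported as fixed.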
📡 Detection & Monitoring
Log Indicators:
- Namespace patch or update events (audit verb patch or update, resource namespaces) from tenant-owner identities against namespaces outside their tenant, including kube-system and other system namespaces
- Namespaces acquiring tenant ownership without going through the normal tenant provisioning workflow
Network Indicators:
- Kubernetes API requests that patch namespaces coming from tenant-owner identities or from tenant workload addresses (the audit event's sourceIPs field)
SIEM Query:
Kubernetes audit verbs are lowercase, so match on patch rather than PATCH; the query also needs an audit policy that records namespace requests at least at the Metadata level:
kubernetes.audit.verb:(patch OR update) AND kubernetes.audit.objectRef.resource:namespaces AND kubernetes.audit.stage:ResponseComplete AND NOT kubernetes.audit.user.username:system:*
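The log indicators and SIEM query above, as detection logic run over sample audit events. This is an added example, not code from the page or the Capsule project; the audit events, the namespace-to-tenant ownership table and the tenant-owner table are constructed. It assumes the ownership table is built from the label Capsule applies to tenant namespaces (capsule.clastix.io/tenant is assumed here; confirm against your cluster).

```python
"""Scan Kubernetes audit events for namespace patch/update calls by tenant
owners against namespaces their tenant does not own (the CVE-2024-39690
pattern). Added example; all events and lookup tables below are constructed.
"""
import json
from typing import Dict, List, Optional

# Constructed: namespace -> owning tenant. In practice build this from the
# label Capsule sets on tenant namespaces (assumed: capsule.clastix.io/tenant;
# confirm with `kubectl get ns --show-labels`).
NAMESPACE_OWNER: Dict[str, str] = {"oil-dev": "oil", "oil-prod": "oil", "gas-dev": "gas"}

# Constructed: principal -> the tenant it owns (from each Tenant's owners list).
TENANT_OWNERS: Dict[str, str] = {"alice": "oil", "bob": "gas"}


def _event(ts, user, verb, name, code, stage="ResponseComplete", resource="namespaces"):
    """Build a minimal audit.k8s.io/v1 Event carrying only the fields the scan reads."""
    return {"kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": stage,
            "requestReceivedTimestamp": ts, "verb": verb, "user": {"username": user},
            "objectRef": {"resource": resource, "name": name},
            "responseStatus": {"code": code}}


# Constructed newline-delimited audit log, the format written by the log backend.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    _event("2024-07-01T10:00:00Z", "alice", "patch", "oil-dev", 200),      # own namespace: fine
    _event("2024-07-01T10:00:05Z", "alice", "patch", "kube-system", 200),  # unowned namespace: takeover
    _event("2024-07-01T10:00:05Z", "alice", "patch", "kube-system", 200, stage="RequestReceived"),  # same request, earlier stage
    _event("2024-07-01T10:01:00Z", "alice", "update", "gas-dev", 200),     # another tenant's namespace
    _event("2024-07-01T10:02:00Z", "system:serviceaccount:capsule-system:capsule", "patch", "gas-dev", 200),  # controller
    _event("2024-07-01T10:03:00Z", "bob", "create", "gas-qa", 201),        # provisioning, not this bug
    _event("2024-07-01T10:04:00Z", "bob", "patch", "default", 403),        # attempt rejected (fixed version)
    _event("2024-07-01T10:05:00Z", "alice", "patch", "app-config", 200, resource="configmaps"),  # not a namespace
]) + "\n{not json}\n"


def classify(ev: dict, owners: Dict[str, str], tenant_owners: Dict[str, str]) -> Optional[dict]:
    """Return a finding for a tenant-owner write to a namespace the tenant does not own, else None."""
    if ev.get("stage") != "ResponseComplete":  # one record per request, with the outcome known
        return None
    if ev.get("verb") not in ("patch", "update"):
        return None
    ref = ev.get("objectRef") or {}
    if ref.get("resource") != "namespaces":
        return None
    user = (ev.get("user") or {}).get("username", "")
    tenant = tenant_owners.get(user)
    if user.startswith("system:") or tenant is None:
        return None  # controllers and principals that own no tenant are out of scope here
    ns = ref.get("name", "")
    owner = owners.get(ns)
    if owner == tenant:
        return None  # legitimate edit of the tenant's own namespace
    code = int((ev.get("responseStatus") or {}).get("code", 0))
    return {
        "time": ev.get("requestReceivedTimestamp"),
        "user": user, "tenant": tenant, "namespace": ns, "owner": owner,
        "verb": ev["verb"], "code": code,
        "reason": "unowned-namespace" if owner is None else "cross-tenant",
        "outcome": "succeeded" if 200 <= code < 300 else "rejected",
    }


def scan_audit_log(text: str, owners: Dict[str, str] = NAMESPACE_OWNER,
                   tenant_owners: Dict[str, str] = TENANT_OWNERS) -> List[dict]:
    """Parse newline-delimited JSON audit events and return the findings in log order."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip a garbled line rather than abort the whole scan
        finding = classify(ev, owners, tenant_owners)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_audit_log(SAMPLE_AUDIT_LOG):
        print(f"{f['time']} {f['user']} ({f['tenant']}) {f['verb']} namespace/{f['namespace']} "
              f"owner={f['owner']} -> {f['reason']}, {f['outcome']} ({f['code']})")
```

A finding with outcome succeeded on a vulnerable version is a completed takeover and should page someone; a rejected one on v0.7.1 or later is still an attempt worth alerting on, which is why the scan keeps both. Seeing the actual label change requires the audit policy to log namespaces at the RequestResponse level; Metadata is enough for this scan.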