Docker · CVE-2020-26278
Name of the Vulnerable Software and Affected Versions:
Weave Net versions prior to 2.8.0
Description:
Weave Net is open source software that creates a virtual network connecting Docker containers across multiple hosts and enables their automatic discovery. A vulnerability in Weave Net before version 2.8.0 can allow an attacker to take over any host in the cluster. The DaemonSet manifest that runs a Weave Net pod on every node of a Kubernetes cluster sets `privileged: true` and `hostPID: true`, giving the pod significant power over the host. The `hostPID: true` setting is not necessary, however, and is removed in version 2.8.0. Exploiting this vulnerability requires an additional vulnerability, such as a bug in Kubernetes, or a misconfiguration that allows an attacker to run code inside the Weave Net pod. No such bug is known, and there are no known instances of this being exploited.
Recommendations:
For Weave Net versions prior to 2.8.0, update to version 2.8.0, which removes the `hostPID` setting and moves CNI plugin installation into an init container.
As a temporary workaround, edit the `hostPID` line in the existing DaemonSet manifest to say `false` instead of `true`, arrange another way to install the CNI plugins, and remove the corresponding host mounts from the DaemonSet manifest.
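The following is an added example, not part of this advisory and not Weave Net's own code or manifest. It shows how a defender can audit a DaemonSet manifest (as obtained with `kubectl get ds -o json`) for the settings the advisory describes, `hostPID: true` plus a privileged container with host-path mounts, and how to produce the interim-workaround copy: `hostPID` set to `false` and the CNI-install host mounts removed. The embedded manifest is a constructed, trimmed stand-in, and the volume names `cni-bin`, `cni-bin2` and `cni-conf` are assumptions used for illustration; the `privileged: true` setting is deliberately left alone, since the advisory only removes `hostPID`.

```python
"""Audit a DaemonSet manifest for host-escape-relevant settings and apply the
interim workaround from the advisory. Added example; not the project's code."""
import copy
import json

# Constructed sample manifest, trimmed to the fields that matter here.
# Loosely modelled on a Weave Net DaemonSet; volume names are assumptions.
SAMPLE_DAEMONSET = {
    "apiVersion": "apps/v1",
    "kind": "DaemonSet",
    "metadata": {"name": "weave-net", "namespace": "kube-system"},
    "spec": {
        "template": {
            "spec": {
                "hostNetwork": True,
                "hostPID": True,
                "containers": [
                    {
                        "name": "weave",
                        "securityContext": {"privileged": True},
                        "volumeMounts": [
                            {"name": "weavedb", "mountPath": "/weavedb"},
                            {"name": "cni-bin", "mountPath": "/host/opt"},
                            {"name": "cni-bin2", "mountPath": "/host/home"},
                            {"name": "cni-conf", "mountPath": "/host/etc"},
                        ],
                    }
                ],
                "volumes": [
                    {"name": "weavedb", "hostPath": {"path": "/var/lib/weave"}},
                    {"name": "cni-bin", "hostPath": {"path": "/opt"}},
                    {"name": "cni-bin2", "hostPath": {"path": "/home"}},
                    {"name": "cni-conf", "hostPath": {"path": "/etc"}},
                ],
            }
        }
    },
}

# Hypothetical names of the volumes that exist only to copy CNI plugins and
# their configuration onto the host; these are what the workaround removes.
CNI_INSTALL_VOLUMES = {"cni-bin", "cni-bin2", "cni-conf"}


def pod_spec(manifest):
    """Return the pod template spec of a DaemonSet/Deployment-style manifest."""
    return manifest["spec"]["template"]["spec"]


def audit(manifest):
    """List the settings that give the pod power over the host.

    Each finding is a plain string so the output can be logged or compared.
    """
    spec = pod_spec(manifest)
    findings = []
    if spec.get("hostPID"):
        findings.append("pod shares the host PID namespace (hostPID: true)")
    for c in spec.get("containers", []):
        if (c.get("securityContext") or {}).get("privileged"):
            findings.append(f"container {c['name']!r} runs privileged")
    for v in spec.get("volumes", []):
        if "hostPath" in v:
            findings.append(
                f"volume {v['name']!r} mounts host path {v['hostPath']['path']}"
            )
    return findings


def harden(manifest, drop_volumes=CNI_INSTALL_VOLUMES):
    """Return a copy with the advisory's interim workaround applied.

    hostPID is forced to False and the CNI-install volumes (and every mount
    that references them) are removed. privileged is intentionally untouched.
    """
    patched = copy.deepcopy(manifest)
    spec = pod_spec(patched)
    spec["hostPID"] = False
    spec["volumes"] = [
        v for v in spec.get("volumes", []) if v["name"] not in drop_volumes
    ]
    for c in spec.get("containers", []):
        c["volumeMounts"] = [
            m for m in c.get("volumeMounts", []) if m["name"] not in drop_volumes
        ]
    return patched


if __name__ == "__main__":
    for line in audit(SAMPLE_DAEMONSET):
        print("FINDING:", line)
    print(json.dumps(harden(SAMPLE_DAEMONSET), indent=2))
```

The hardened manifest is only the workaround: it still runs a privileged container with a host-path mount for its own state, so the audit continues to report those, and the CNI plugins now have to be installed by some other means before the patched DaemonSet is applied.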