PT-2021-23990 · Styra · Styra Open Policy Agent (Opa) Gatekeeper

Published

2021-11-17

·

Updated

2024-08-04

·

CVE-2021-43979

CVSS v3.1

5.3

Medium

Vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Styra Open Policy Agent (OPA) Gatekeeper versions 3.7.0 and earlier
Description: The issue is a concurrency flaw that can lead to incorrect access control. Gatekeeper replicates selected Kubernetes cluster state into OPA so that policies can reason about objects other than the one being admitted, but the admission webhook does not wait for that replication to catch up before evaluating a request. A request that arrives while replication lags is evaluated against a stale copy of the cluster, so a constraint that depends on the replicated data (for example a rule that a value must be unique across existing objects) can be satisfied by a request that the up-to-date cluster state would have rejected, resulting in a policy bypass. The vendor disputes classifying this as a vulnerability, on the grounds that Kubernetes state is only eventually consistent.
Recommendations: No release containing a fix for this issue is known at the time of writing, and the vendor treats the behaviour as a design limit rather than a defect. For versions 3.7.0 and earlier, treat any constraint that checks an incoming object against replicated cluster state as a best-effort control that a well-timed request can slip past; if you maintain the policy pipeline, add a barrier that waits for replication to catch up with prior writes before a request is evaluated, which closes the replication-lag window (though not the case of two requests arriving in the same instant). As an interim workaround, restrict who may create or modify the sensitive resources such constraints govern, and use Gatekeeper's audit function to detect and reconcile violations that were admitted while the replicated view was stale.
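The race described above, modelled in Go as an added example (this is illustrative code written for this entry, not Gatekeeper's own implementation). The Cluster, Inventory, Admit and RunScenario names and the 100 ms replication lag are assumptions made for the demonstration; the constraint is a "unique Ingress host" rule of the kind that reads replicated cluster state. With the barrier switched off, a second Ingress reusing a host is admitted because the first one has not yet been replicated; with the barrier on, evaluation waits for replication to catch up and the duplicate is rejected.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// Ingress is the only resource kind in this model; the constraint is that Host is unique.
type Ingress struct {
	Name string
	Host string
}

type event struct {
	seq uint64
	obj Ingress
}

// Cluster stands in for the API server (source of truth). Each persisted object gets a
// monotonically increasing sequence number and is emitted as an event, as a watch would.
type Cluster struct {
	mu     sync.Mutex
	seq    uint64
	events chan event
}

func NewCluster() *Cluster { return &Cluster{events: make(chan event, 64)} }

// Persist records an admitted object and returns its sequence number.
func (c *Cluster) Persist(obj Ingress) uint64 {
	c.mu.Lock()
	defer c.mu.Unlock()
	c.seq++
	c.events <- event{seq: c.seq, obj: obj}
	return c.seq
}

// Seq returns the sequence number of the most recent write.
func (c *Cluster) Seq() uint64 {
	c.mu.Lock()
	defer c.mu.Unlock()
	return c.seq
}

// Inventory is the replicated copy of cluster state that policies read. It lags the
// cluster by however long the replicator takes to apply each event (assumed lag below).
type Inventory struct {
	mu      sync.Mutex
	cond    *sync.Cond
	applied uint64            // highest cluster seq applied so far
	hosts   map[string]string // host -> owning ingress name
}

func NewInventory() *Inventory {
	inv := &Inventory{hosts: map[string]string{}}
	inv.cond = sync.NewCond(&inv.mu)
	return inv
}

// StartReplicator applies cluster events to the inventory after an artificial delay
// standing in for watch/informer latency.
func (inv *Inventory) StartReplicator(c *Cluster, lag time.Duration) {
	go func() {
		for ev := range c.events {
			time.Sleep(lag)
			inv.mu.Lock()
			inv.hosts[ev.obj.Host] = ev.obj.Name
			inv.applied = ev.seq
			inv.cond.Broadcast()
			inv.mu.Unlock()
		}
	}()
}

// WaitFor blocks until every cluster write up to seq has been replicated.
func (inv *Inventory) WaitFor(seq uint64) {
	inv.mu.Lock()
	for inv.applied < seq {
		inv.cond.Wait()
	}
	inv.mu.Unlock()
}

func (inv *Inventory) owner(host string) (string, bool) {
	inv.mu.Lock()
	defer inv.mu.Unlock()
	name, ok := inv.hosts[host]
	return name, ok
}

// Admit is the webhook path: evaluate the uniqueness constraint against the inventory,
// then persist. waitForReplication=false is the behaviour the advisory describes;
// true adds a barrier so replication has caught up with all prior writes first.
func Admit(c *Cluster, inv *Inventory, obj Ingress, waitForReplication bool) (bool, string) {
	if waitForReplication {
		inv.WaitFor(c.Seq())
	}
	if owner, taken := inv.owner(obj.Host); taken && owner != obj.Name {
		return false, fmt.Sprintf("host %q already used by ingress %q", obj.Host, owner)
	}
	c.Persist(obj)
	return true, ""
}

// RunScenario admits two ingresses with the same host back to back while the replicator
// lags and reports whether each was allowed; the second should be denied.
func RunScenario(waitForReplication bool) (firstAllowed, secondAllowed bool) {
	c, inv := NewCluster(), NewInventory()
	inv.StartReplicator(c, 100*time.Millisecond)
	firstAllowed, _ = Admit(c, inv, Ingress{Name: "a", Host: "shop.example.com"}, waitForReplication)
	secondAllowed, _ = Admit(c, inv, Ingress{Name: "b", Host: "shop.example.com"}, waitForReplication)
	return firstAllowed, secondAllowed
}

func main() {
	_, dup := RunScenario(false)
	fmt.Println("no barrier, duplicate host admitted:", dup)
	_, dup = RunScenario(true)
	fmt.Println("with barrier, duplicate host admitted:", dup)
}
```

The barrier only closes the replication-lag window: two requests that both read the cluster sequence number before either has been persisted still both pass, so a constraint over replicated data needs either serialised admission for that constraint or an after-the-fact audit as a backstop, which is the substance of the vendor's eventual-consistency argument.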

Weakness Enumeration

Related Identifiers

CVE-2021-43979

Affected Products

Styra Open Policy Agent (Opa) Gatekeeper