How the CVE Works
The vulnerability in Volcano Scheduler arises due to improper handling of responses from the Elastic service or extender plugin. An attacker who compromises either service can send unbounded responses, causing the scheduler to consume excessive memory. This leads to either an Out-of-Memory (OOM) crash or a freeze, effectively denying service to the Kubernetes cluster. Since Volcano allows these services to run in separate pods or nodes, the attack bypasses Kubernetes’ node isolation security boundary, escalating privileges by disrupting the scheduler across the cluster.
DailyCVE Form
Platform: Volcano Scheduler
Version: Pre-patch versions
Vulnerability: Unbounded response DoS
Severity: High
Date: 2025-04-30
What Undercode Says:
Exploitation Analysis
- Attack Vector: Malicious Elastic service or extender plugin sends oversized responses.
- Impact: Scheduler OOM crash or freeze, cluster-wide disruption.
- Privilege Escalation: Crosses the node isolation boundary.
Exploit Commands
Simulate malicious Elastic response (PoC):

```shell
curl -X POST http://<volcano-elastic>/api --data '{"large_payload": "'"$(dd if=/dev/zero bs=1M count=1000 | base64)"'"}'
```
Detection & Mitigation
1. Monitor Scheduler Memory:

```shell
kubectl top pod -n volcano-system | grep scheduler
```
2. Patch: Upgrade to fixed versions (check Volcano releases).
3. Network Policies: Restrict scheduler communication to trusted services.

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: restrict-volcano
spec:
  podSelector:
    matchLabels:
      app: volcano-scheduler
  ingress:
  - from:
    - podSelector:
        matchLabels:
          service: trusted-elastic
```
Protection Code (Response Size Limiting)

```go
package main

import "net/http"

// Example middleware for Volcano to limit response size.
// http.MaxBytesReader caps the body an incoming request may carry: once
// 10 MB have been read, further reads fail and the connection is closed
// instead of the whole payload being buffered in memory.
func LimitResponseSize(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		r.Body = http.MaxBytesReader(w, r.Body, 10<<20) // 10MB limit
		next.ServeHTTP(w, r)
	})
}
```
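The middleware above caps the body of a request that a server receives. In the bug described here the scheduler is the HTTP client, reading a reply from the extender or Elastic service, so the cap has to sit on the client-side read instead. The following is an added example, not Volcano's own code: `ReadBoundedBody` is a hypothetical helper that reads at most `maxBytes` of a response and rejects anything larger, and `fakeResponse` builds a constructed reply to exercise it (the 1 MiB cap is an assumed value).

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
	"net/http"
)

// ErrResponseTooLarge is returned when a reply exceeds the configured cap.
var ErrResponseTooLarge = errors.New("extender response exceeds size limit")

// ReadBoundedBody reads at most maxBytes from an HTTP response body and
// fails fast if the peer sends more, instead of buffering it all in memory.
func ReadBoundedBody(resp *http.Response, maxBytes int64) ([]byte, error) {
	defer resp.Body.Close()
	// Reject early when the peer declares an oversized body up front.
	if resp.ContentLength > maxBytes {
		return nil, ErrResponseTooLarge
	}
	// Read one byte past the cap so "exactly at the cap" and "over it"
	// can be told apart without ever reading more than maxBytes+1.
	limited := io.LimitReader(resp.Body, maxBytes+1)
	data, err := io.ReadAll(limited)
	if err != nil {
		return nil, err
	}
	if int64(len(data)) > maxBytes {
		return nil, ErrResponseTooLarge
	}
	return data, nil
}

// fakeResponse builds a constructed *http.Response for the demo; it stands
// in for a reply from an extender plugin or the Elastic service.
func fakeResponse(body []byte) *http.Response {
	return &http.Response{
		StatusCode:    http.StatusOK,
		ContentLength: -1, // unknown length, as with chunked replies
		Body:          io.NopCloser(bytes.NewReader(body)),
	}
}

func main() {
	const maxBytes = 1 << 20 // 1 MiB cap (assumed value, not Volcano's)
	huge := fakeResponse(bytes.Repeat([]byte("x"), maxBytes+1))
	_, err := ReadBoundedBody(huge, maxBytes)
	fmt.Println("oversized reply:", err) // oversized reply: extender response exceeds size limit
}
```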
Logging Suspicious Activity
```shell
kubectl logs -n volcano-system -l app=volcano-scheduler --tail=100 | grep -i "large response"
```
References
- Volcano GitHub Advisory: GHSA-xxxx-xxxx-xxxx
- Kubernetes Network Policies: Official Docs
Sources:
Reported By: github.com