GHSA-wvmp-6r4v-j6cv
kuma-dp connects to control plane without verifying TLS certificate when no CA is configured
상세
When kuma-dp is started against an HTTPS control plane and the operator did not pass a CA certificate, the data plane connects with TLS peer verification disabled. The dataplane authentication token is sent over this unverified connection
## Impact
An on-path attacker can intercept the dataplane authentication token and impersonate the control plane to the data plane, allowing them to inject a forged bootstrap configuration and take over the proxy
## Affected configurations
- Universal mode `kuma-dp` started against an HTTPS control plane without `--ca-cert-file` (or `KUMA_CONTROL_PLANE_CA_CERT` unset)
## Not affected
- Kubernetes installs done through the standard installers (`kumactl install control-plane` or the official Helm chart). In both cases the control plane's mutating admission webhook injects `KUMA_CONTROL_PLANE_CA_CERT` into every sidecar at pod admission, so each `kuma-dp` starts with the CA already configured
## Workarounds
Set `--ca-cert-file` (or `KUMA_CONTROL_PLANE_CA_CERT`) on every Universal mode data plane and point it at the control plane's serving CA. Alternatively, terminate the control plane behind a publicly trusted certificate; the patched releases will verify successfully against the operating system trust store with no further configuration
## Resources
- Fix: https://github.com/kumahq/kuma/pull/16777
이 버전이 영향받나요?
사용 중인 패키지 버전을 입력하면 즉시 평가합니다.
영향 패키지
0 수정 버전: 2.7.26 go get github.com/kumahq/kuma/v2@v2.7.26 2.8.0 수정 버전: 2.9.16 go get github.com/kumahq/kuma/v2@v2.9.16 2.10.0 수정 버전: 2.11.14 go get github.com/kumahq/kuma/v2@v2.11.14 2.12.0 수정 버전: 2.12.11 go get github.com/kumahq/kuma/v2@v2.12.11 2.13.0 수정 버전: 2.13.7 go get github.com/kumahq/kuma/v2@v2.13.7 0 No fixed version published yet for github.com/kumahq/kuma (go modules). Pin to a known-safe version or switch to an alternative.