A high-severity vulnerability in the Fission serverless framework allows attackers to bypass PodSpec validation and gain unauthorized system capabilities.

The vulnerability stems from an incomplete capability denylist in PodSpec validation, which allows a tenant to add CAP_SYS_TIME. This can be exploited by an authenticated user to potentially corrupt the node's wall-clock.

With a CVSS score of 8.5, this vulnerability represents a significant risk to the integrity of the underlying Kubernetes infrastructure. Successful exploitation allows for the manipulation of system time, which can disrupt time-sensitive services, invalidate authentication tokens, and interfere with log integrity, ultimately leading to a loss of service availability and operational instability.

Immediate Action: Upgrade Fission to version 1.25.0 or later to ensure the capability denylist is correctly enforced.

Proactive Monitoring: Monitor Kubernetes audit logs for suspicious PodSpec creation or update events, specifically looking for unauthorized capability additions.

Compensating Controls: Implement Kubernetes Pod Security Admissions or admission controllers to strictly enforce allowed capabilities and prevent the addition of sensitive syscall privileges.

Public Exploit Available: false

Given the potential for node-level impact in a shared serverless environment, this vulnerability poses a severe risk. Organizations should prioritize the update to version 1.25.0 to remediate the validation flaw and prevent unauthorized capability elevation.