Support

Polkit Vulnerability in RStudio Docker Images

Follow

A major security vulnerability has been discovered in the linux tool polkit (policykit)  A user on a vulnerable machine is able to escalate privileges to root.  See Ubuntu’s security notice and the CVE notice for more details.  This vulnerability is present in some docker images that RStudio provides.

If your RStudio Workbench installation uses Kubernetes, and if it uses the rstudio/r-session-complete docker image based on Ubuntu Bionic, you will need to re-pull that image.  The following versions of the image are vulnerable:

rstudio/rsession-complete:bionic-1.3.959-1
rstudio/rsession-complete:bionic-1.3.1056-1
rstudio/rsession-complete:bionic-1.3.1073-1
rstudio/rsession-complete:bionic-1.3.1093-1
rstudio/rsession-complete:bionic-1.4.702-1
rstudio/rsession-complete:bionic-1.4.1103-1
rstudio/rsession-complete:bionic-1.4.1103-3
rstudio/rsession-complete:bionic-1.4.1103-4
rstudio/rsession-complete:bionic-1.4.1106-5
rstudio/rsession-complete:bionic-1.4.1717-3
rstudio/rsession-complete:bionic-2021.09.0-351.pro6
rstudio/rsession-complete:bionic-2021.09.1-372.pro1
rstudio/rsession-complete:bionic-2021.09.2-382.pro1

 

Each existing supported version has been patched with the updated version of Polkit to resolve the security vulnerability. If you are using any Ubuntu Bionic version of this image, you will need to ensure that you have an updated version. 

Versions which are not listed above are no longer supported and will not be patched. Users on those versions should update to a supported version of RStudio Workbench.

Note that the CentOS 7 images in this docker repository are not affected by this vulnerability as they do not contain Polkit.

How to Verify 

From within the container, run the following command:

dpkg-query --list policy*

This command should show the following output:

dpkg-query-output.png

This article details the minimum version of policykit-1 to ensure that the vulnerability is not present: https://ubuntu.com/security/notices/USN-5252-1.

If you see 0.105-20ubuntu0.18.04.5 or below, you will need to pull your image again.

Updating To a New RSW Version

Use the instructions at https://docs.rstudio.com/rsw/upgrade/ to upgrade to a supported version of RStudio Workbench.  Supported versions are listed here: https://www.rstudio.com/support/.

Pulling the New Image

By default, RSW launches jobs with imagePullPolicy: IfNotPresent. This means that if your image repository cache already has the vulnerable docker image it will not pull the new layer that resolves the vulnerability. There are several methods to correct this issue.

Clear Your Image Repository Cache

The simplest way to resolve this issue is to remove the rstudio/rsession-complete:bionic-<version> image from your repository cache on each node. This will ensure that the next time a session is launched, the patched version of the image will be pulled.

Daemonset

If you prefer to fix the cache on the Kubernetes side without product changes, it is possible to force Kubernetes to re-pull a particular image on every node of your cluster.

It requires matching the image tag in use by users with a daemonset that re-pulls the image on each node of the cluster. When the pull is complete, all future jobs will use the updated image.

We talk through this process in detail here, and have created YAML files to simplify the process for recent and patched images. For the latest release of RStudio Workbench, this would look like:

kubectl apply -n default -f https://raw.githubusercontent.com/rstudio/helm/main/examples/yaml/daemonset-r-session-complete-dockerhub/prepull-rstudio-r-session-complete-bionic-2021.09.2-382.pro1.yaml

# look at the status of the daemonset
kubectl -n default get pods

 

Set imagePullPolicy to Always

If manually clearing the image repository cache is not an option, it is possible to configure RSW to use imagePullPolicy: Always when launching jobs in Kubernetes, which will force all images to be re-pulled every time RStudio starts a job or session through Kubernetes. To configure this, follow the instructions found in the imagePullPolicy section of this support article: https://support.rstudio.com/hc/en-us/articles/360051652094-Using-Job-Json-Overrides-with-RStudio-Server-Pro-and-Kubernetes#imagePullPolicy

Once your image is updated, you may wish to undo those configuration changes to prevent the image from being pulled every time that a job uses it.

Comments