NetApp Instaclustr Security Advisory – CVE-2024-48990
Issue Details
Through regular security scanning, Instaclustr by NetApp has detected a vulnerability affecting customer clusters on the Instaclustr Managed Platform: CVE-2024-48990. The vulnerability is in the ‘needrestart’ package, a utility on Debian-based systems that runs after apt package upgrades (via an apt hook) to find services that need restarting, and which is installed on nodes throughout our Managed Platform.
Impact analysis: CVE-2024-48990
Instaclustr investigated this vulnerability and its potential impact on our Managed Platform customers. We assess its severity as 7.8 (HIGH) on the CVSS v3.1 scale. The findings are as follows:
- The primary risk of this vulnerability is local privilege escalation to root. needrestart runs as root (for example from its apt hook) and, in affected versions, runs the Python interpreter with a PYTHONPATH environment variable it reads from running processes, so an unprivileged local user who controls that variable can have attacker-supplied Python code executed as root.
- Exploiting this vulnerability requires the ability to run unprivileged code on a node, which on the Managed Platform means SSH access to the cluster/nodes. This access is only available to Instaclustr staff users with an assigned role for the purpose of performing maintenance. Such access is authenticated, logged and regularly reviewed.
- The likelihood of exploit is reduced by Instaclustr’s access control mechanisms for customer clusters.
- For more detail refer to our Security Policy.
Mitigation Approaches
After thorough investigation by both our platform and security engineers, it was decided that the preferred mitigation path is to remove the needrestart package from existing nodes and from the images deployed onto new nodes.
For existing nodes, this maintenance will be non-disruptive – there will be no impact to your services.
We recommend Instaclustr customers do the following to help mitigate this vulnerability:
- Customers of the Instaclustr Managed Platform using Run In Your Own Account (RIYOA) and On-Prem configurations are advised to review their firewall rules, in particular those governing SSH access to nodes, to ensure that they are configured in accordance with Instaclustr guidance. You can find information about how to manage users, access controls and firewalls on our support documentation portal.
- For support customers, in addition to the steps above, we recommend reviewing all servers for instances of the ‘needrestart’ package and resolving any you find, either by upgrading to a version that fixes CVE-2024-48990 or by removing the package.
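The following POSIX shell script is an added example, not code from this advisory or Instaclustr's own tooling. It performs the review recommended above for support customers (is needrestart installed, and at a version below the fix?) and, on request, applies the mitigation chosen in the section above (removing the package). It assumes a dpkg-based node, as the Debian-based nodes described here are, and it assumes upstream needrestart 3.8 as the fixed version; distributions backport the fix under their own version strings, so set FIXED_VERSION to the value given in your distribution's security advisory before relying on its verdict.

```shell
#!/bin/sh
# Added example, not Instaclustr's own tooling: report whether this node's
# needrestart package is absent, vulnerable or fixed for CVE-2024-48990, and
# optionally remove it (the mitigation the advisory chose).
#
# Assumption (labelled): FIXED_VERSION defaults to 3.8, the upstream release that
# fixed CVE-2024-48990. Distributions backport the fix under their own version
# strings, so set FIXED_VERSION to the value in your distribution's advisory.
FIXED_VERSION="${FIXED_VERSION:-3.8}"

# version_lt A B: succeeds when Debian package version A sorts before B.
# dpkg is authoritative when present; 'sort -V' is a fallback for hosts without
# dpkg and does not model epochs or '~' exactly.
version_lt() {
  if command -v dpkg >/dev/null 2>&1; then
    dpkg --compare-versions "$1" lt "$2"
  else
    [ "$1" != "$2" ] &&
      [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
  fi
}

# classify_needrestart "<Status> <Version>": prints absent, vulnerable or fixed.
# The argument is one line in the format produced by
#   dpkg-query -W -f='${Status} ${Version}\n' needrestart
# e.g. "install ok installed 3.6-4+deb12u1". Anything whose status is not
# "installed" (removed, config-files only, or no record at all) counts as absent.
classify_needrestart() {
  case "$1" in
    *" installed "*) ;;
    *) echo absent; return 0 ;;
  esac
  if version_lt "${1##* }" "$FIXED_VERSION"; then
    echo vulnerable
  else
    echo fixed
  fi
}

# Live query of this node; dpkg-query exits non-zero for an unknown package.
needrestart_status_line() {
  dpkg-query -W -f='${Status} ${Version}\n' needrestart 2>/dev/null || echo not-installed
}

# Only act when asked, so the file can also be sourced for its functions.
case "${1:-}" in
  --check)
    state=$(classify_needrestart "$(needrestart_status_line)")
    echo "$(hostname): needrestart $state"
    [ "$state" != vulnerable ]   # non-zero exit on a vulnerable node, for fleet tooling
    ;;
  --remove)
    apt-get remove --purge -y needrestart   # removes the package and its apt hook
    echo "$(hostname): needrestart $(classify_needrestart "$(needrestart_status_line)")"
    ;;
esac
```

Run it as `sh needrestart-check.sh --check` on each server (for example through your configuration management or a parallel SSH tool) and collect the exit codes; a non-zero exit marks a node that still needs attention. `--remove` must be run as root. Removing the package is the simplest mitigation because it also removes the apt hook that runs needrestart as root after upgrades; if you prefer to keep the tool, upgrade it to a fixed version instead and re-run `--check` with FIXED_VERSION set to that version string.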
Instaclustr Response
- Our Support team will immediately patch existing clusters to ensure that these fixes are delivered to all affected clusters on our Managed Platform.
- PCI-enabled clusters will be patched with priority beginning in early December 2024.
- After the PCI-enabled clusters are patched, remaining clusters will be patched through December 2024.
- As mentioned in the impact analysis, Instaclustr’s built-in access control mechanisms reduce the likelihood of exploit.