[AutoPR- Security] Patch kubevirt for CVE-2025-64432, CVE-2025-64433, CVE-2025-64435, CVE-2025-64437 [MEDIUM] (#15071)

Co-authored-by: BinduSri-6522866 <v-badabala@microsoft.com>
Co-authored-by: Kanishk Bansal <103916909+Kanishk-Bansal@users.noreply.github.com>

Author: 3 people

SPECS/kubevirt/CVE-2025-64432.patch

@@ -0,0 +1,359 @@
+From e7c75f46002eb7678820f0901a40e323351f7881 Mon Sep 17 00:00:00 2001
+From: Luboslav Pivarc <lpivarc@redhat.com>
+Date: Mon, 14 Jul 2025 14:03:08 +0200
+Subject: [PATCH] SetupTLSWithCertManager now enforces CN
+
+The CNs will be provided by Kubernetes.
+If empty, any client certificate validated
+by the authority is allowed.
+
+Signed-off-by: Luboslav Pivarc <lpivarc@redhat.com>
+Signed-off-by: Azure Linux Security Servicing Account <azurelinux-security@microsoft.com>
+Upstream-reference: https://patch-diff.githubusercontent.com/raw/kubevirt/kubevirt/pull/15339.diff
+---
+ pkg/util/tls/ca-manager.go      | 69 +++++++++++++++++++++++++++----
+ pkg/util/tls/ca-manager_test.go | 72 ++++++++++++++++++++++++++++++---
+ pkg/util/tls/tls.go             | 30 +++++++++++++-
+ pkg/util/tls/tls_test.go        | 27 ++++++++++++-
+ pkg/virt-api/api.go             |  2 +-
+ 5 files changed, 182 insertions(+), 18 deletions(-)
+
+diff --git a/pkg/util/tls/ca-manager.go b/pkg/util/tls/ca-manager.go
+index 950f17a..6e9f01a 100644
+--- a/pkg/util/tls/ca-manager.go
++++ b/pkg/util/tls/ca-manager.go
+@@ -21,6 +21,7 @@ package tls
+ 
+ import (
+ 	"crypto/x509"
++	"encoding/json"
+ 	"fmt"
+ 	"sync"
+ 
+@@ -40,6 +41,11 @@ type ClientCAManager interface {
+ 	GetCurrentRaw() ([]byte, error)
+ }
+ 
++type KubernetesCAManager interface {
++	ClientCAManager
++	GetCNs() ([]string, error)
++}
++
+ type manager struct {
+ 	store        cache.Store
+ 	lock         *sync.Mutex
+@@ -52,14 +58,61 @@ type manager struct {
+ 	lastRaw  []byte
+ }
+ 
+-func NewKubernetesClientCAManager(configMapCache cache.Store) ClientCAManager {
+-	return &manager{
+-		store:        configMapCache,
+-		lock:         &sync.Mutex{},
+-		namespace:    metav1.NamespaceSystem,
+-		name:         util.ExtensionAPIServerAuthenticationConfigMap,
+-		secretKey:    util.RequestHeaderClientCAFileKey,
+-		lastRevision: "-1",
++type kubeManager struct {
++	manager
++	lastCNs        []string
++	lastCNRevision string
++}
++
++func (m *kubeManager) GetCNs() ([]string, error) {
++	m.lock.Lock()
++	defer m.lock.Unlock()
++	obj, exists, err := m.store.GetByKey(m.namespace + "/" + m.name)
++
++	if err != nil {
++		return nil, err
++	} else if !exists {
++		if m.lastPool != nil {
++			return m.lastCNs, nil
++		}
++
++		return nil, fmt.Errorf("configmap %s not found. Unable to detect request header CA", m.name)
++	}
++
++	configMap := obj.(*k8sv1.ConfigMap)
++
++	// no change detected.
++	if m.lastCNRevision == configMap.ResourceVersion {
++		return m.lastCNs, nil
++	}
++
++	CNstring, ok := configMap.Data["requestheader-allowed-names"]
++	if !ok {
++		return nil, fmt.Errorf("requestheader-allowed-names not found in configmap %s/%s", m.namespace, m.name)
++	}
++	CNs := []string{}
++	if CNstring != "" {
++		err = json.Unmarshal([]byte(CNstring), &CNs)
++		if err != nil {
++			return CNs, err
++		}
++	}
++
++	m.lastCNs = CNs
++	m.lastCNRevision = configMap.ResourceVersion
++	return CNs, nil
++}
++
++func NewKubernetesClientCAManager(configMapCache cache.Store) *kubeManager {
++	return &kubeManager{
++		manager: manager{
++			store:        configMapCache,
++			lock:         &sync.Mutex{},
++			namespace:    metav1.NamespaceSystem,
++			name:         util.ExtensionAPIServerAuthenticationConfigMap,
++			secretKey:    util.RequestHeaderClientCAFileKey,
++			lastRevision: "-1",
++		},
+ 	}
+ }
+ 
+diff --git a/pkg/util/tls/ca-manager_test.go b/pkg/util/tls/ca-manager_test.go
+index 32e2c68..a2e0e74 100644
+--- a/pkg/util/tls/ca-manager_test.go
++++ b/pkg/util/tls/ca-manager_test.go
+@@ -5,8 +5,8 @@ import (
+ 
+ 	. "github.com/onsi/ginkgo/v2"
+ 	. "github.com/onsi/gomega"
+-	v1 "k8s.io/api/core/v1"
+-	v12 "k8s.io/apimachinery/pkg/apis/meta/v1"
++	k8sv1 "k8s.io/api/core/v1"
++	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ 	"k8s.io/client-go/tools/cache"
+ 
+ 	"kubevirt.io/kubevirt/pkg/certificates/triple"
+@@ -16,17 +16,17 @@ import (
+ 
+ var _ = Describe("CaManager", func() {
+ 
+-	var configMap *v1.ConfigMap
++	var configMap *k8sv1.ConfigMap
+ 	var manager ClientCAManager
+ 	var store cache.Store
+ 
+ 	BeforeEach(func() {
+ 		ca, err := triple.NewCA("first", time.Hour)
+ 		Expect(err).ToNot(HaveOccurred())
+-		configMap = &v1.ConfigMap{
+-			ObjectMeta: v12.ObjectMeta{
++		configMap = &k8sv1.ConfigMap{
++			ObjectMeta: metav1.ObjectMeta{
+ 				Name:            util.ExtensionAPIServerAuthenticationConfigMap,
+-				Namespace:       v12.NamespaceSystem,
++				Namespace:       metav1.NamespaceSystem,
+ 				ResourceVersion: "1",
+ 			},
+ 			Data: map[string]string{
+@@ -93,3 +93,63 @@ var _ = Describe("CaManager", func() {
+ 		Expect(cert.Subjects()[0]).To(ContainSubstring("first"))
+ 	})
+ })
++
++var _ = Describe("KubernetesCAManager", func() {
++
++	prepareManagerComplex := func(f func(*k8sv1.ConfigMap)) KubernetesCAManager {
++		ca, err := triple.NewCA("first", time.Hour)
++		Expect(err).ToNot(HaveOccurred())
++		configMap := &k8sv1.ConfigMap{
++			ObjectMeta: metav1.ObjectMeta{
++				Name:            util.ExtensionAPIServerAuthenticationConfigMap,
++				Namespace:       metav1.NamespaceSystem,
++				ResourceVersion: "1",
++			},
++			Data: map[string]string{
++				util.RequestHeaderClientCAFileKey: string(cert.EncodeCertPEM(ca.Cert)),
++			},
++		}
++		f(configMap)
++		store := cache.NewStore(cache.DeletionHandlingMetaNamespaceKeyFunc)
++		Expect(store.Add(configMap)).To(Succeed())
++		return NewKubernetesClientCAManager(store)
++	}
++
++	prepareManager := func(data string) KubernetesCAManager {
++		return prepareManagerComplex(func(cm *k8sv1.ConfigMap) {
++			cm.Data["requestheader-allowed-names"] = data
++		})
++	}
++
++	DescribeTable("should return zero CNs", func(data string) {
++		manager := prepareManager(data)
++		Expect(manager.GetCNs()).To(BeEmpty())
++	},
++		Entry("with empty", ""),
++		Entry("with empty slice", "[]"),
++	)
++
++	DescribeTable("should return", func(data string, expected []string) {
++		manager := prepareManager(data)
++		Expect(manager.GetCNs()).To(ConsistOf(expected))
++	},
++		Entry("with one element", `["one"]`, []string{"one"}),
++		Entry("with two elements", `["one", "two"]`, []string{"one", "two"}),
++	)
++
++	DescribeTable("should return error", func(data string) {
++		manager := prepareManager(data)
++		_, err := manager.GetCNs()
++		Expect(err).To(HaveOccurred())
++	},
++		Entry("with malformed", `["one",]`),
++		Entry("with malformed string", `[one]`),
++		Entry("with no array", "one"),
++	)
++
++	It(`should error when no "requestheader-allowed-names" is not specified`, func() {
++		manager := prepareManagerComplex(func(cm *k8sv1.ConfigMap) {})
++		_, err := manager.GetCNs()
++		Expect(err).To(MatchError(ContainSubstring("requestheader-allowed-names not found in")))
++	})
++})
+diff --git a/pkg/util/tls/tls.go b/pkg/util/tls/tls.go
+index e9e1405..1d1b949 100644
+--- a/pkg/util/tls/tls.go
++++ b/pkg/util/tls/tls.go
+@@ -17,6 +17,7 @@ import (
+ )
+ 
+ const noSrvCertMessage = "No server certificate, server is not yet ready to receive traffic"
++const serverNotReadyMsg = "Server is not yet ready to receive traffic"
+ 
+ var (
+ 	cipherSuites         = tls.CipherSuites()
+@@ -91,7 +92,7 @@ func SetupExportProxyTLS(certManager certificate.Manager, kubeVirtInformer cache
+ 	return tlsConfig
+ }
+ 
+-func SetupTLSWithCertManager(caManager ClientCAManager, certManager certificate.Manager, clientAuth tls.ClientAuthType, clusterConfig *virtconfig.ClusterConfig) *tls.Config {
++func SetupTLSWithCertManager(caManager KubernetesCAManager, certManager certificate.Manager, clientAuth tls.ClientAuthType, clusterConfig *virtconfig.ClusterConfig) *tls.Config {
+ 	tlsConfig := &tls.Config{
+ 		GetCertificate: func(info *tls.ClientHelloInfo) (certificate *tls.Certificate, err error) {
+ 			cert := certManager.Current()
+@@ -122,6 +123,33 @@ func SetupTLSWithCertManager(caManager ClientCAManager, certManager certificate.
+ 				Certificates: []tls.Certificate{*cert},
+ 				ClientCAs:    clientCAPool,
+ 				ClientAuth:   clientAuth,
++				VerifyPeerCertificate: func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
++					if len(verifiedChains) == 0 || len(verifiedChains[0]) == 0 {
++						return nil
++					}
++
++					certificate, err := x509.ParseCertificate(rawCerts[0])
++					if err != nil {
++						return fmt.Errorf("failed to parse peer certificate: %v", err)
++					}
++
++					CNs, err := caManager.GetCNs()
++					if err != nil {
++						log.Log.Reason(err).Error(serverNotReadyMsg)
++						return fmt.Errorf(serverNotReadyMsg)
++					}
++
++					if len(CNs) == 0 {
++						return nil
++					}
++					for _, CN := range CNs {
++						if certificate.Subject.CommonName == CN {
++							return nil
++						}
++					}
++
++					return fmt.Errorf("Common name is invalid")
++				},
+ 			}
+ 
+ 			config.BuildNameToCertificate()
+diff --git a/pkg/util/tls/tls_test.go b/pkg/util/tls/tls_test.go
+index e3776ec..cd6ee90 100644
+--- a/pkg/util/tls/tls_test.go
++++ b/pkg/util/tls/tls_test.go
+@@ -31,6 +31,7 @@ import (
+ 
+ type mockCAManager struct {
+ 	caBundle []byte
++	cns      []string
+ }
+ 
+ type mockCertManager struct {
+@@ -66,9 +67,13 @@ func (m *mockCAManager) GetCurrentRaw() ([]byte, error) {
+ 	return nil, fmt.Errorf("not implemented")
+ }
+ 
++func (m *mockCAManager) GetCNs() ([]string, error) {
++	return m.cns, nil
++}
++
+ var _ = Describe("TLS", func() {
+ 
+-	var caManager kvtls.ClientCAManager
++	var caManager kvtls.KubernetesCAManager
+ 	var certmanagers map[string]certificate.Manager
+ 	var clusterConfig *virtconfig.ClusterConfig
+ 	var kubeVirtInformer cache.SharedIndexInformer
+@@ -220,7 +225,8 @@ var _ = Describe("TLS", func() {
+ 		}),
+ 	)
+ 
+-	DescribeTable("should verify self-signed client and server certificates", func(serverSecret, clientSecret string, errStr string) {
++	DescribeTable("should verify self-signed client and server certificates", func(serverSecret, clientSecret, errStr string, cns []string) {
++		caManager.(*mockCAManager).cns = cns
+ 		serverTLSConfig := kvtls.SetupTLSWithCertManager(caManager, certmanagers[serverSecret], tls.RequireAndVerifyClientCert, clusterConfig)
+ 		clientTLSConfig := kvtls.SetupTLSForVirtHandlerClients(caManager, certmanagers[clientSecret], false)
+ 		srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+@@ -248,18 +254,35 @@ var _ = Describe("TLS", func() {
+ 			components.VirtHandlerServerCertSecretName,
+ 			components.VirtHandlerCertSecretName,
+ 			"",
++			[]string{"kubevirt.io:system:client:virt-handler"},
++		),
++		Entry(
++			"connect with proper certificates with no CN auth",
++			components.VirtHandlerServerCertSecretName,
++			components.VirtHandlerCertSecretName,
++			"",
++			[]string{},
++		),
++		Entry(
++			"fail if client uses an invalid certificates (CN)",
++			components.VirtHandlerServerCertSecretName,
++			components.VirtHandlerCertSecretName,
++			"remote error: tls: bad certificate",
++			[]string{"kubevirt.io:system:clientv2:virt-handler"},
+ 		),
+ 		Entry(
+ 			"fail if client uses an invalid certificate",
+ 			components.VirtHandlerServerCertSecretName,
+ 			components.VirtHandlerServerCertSecretName,
+ 			"remote error: tls: bad certificate",
++			[]string{"kubevirt.io:system:client:virt-handler"},
+ 		),
+ 		Entry(
+ 			"fail if server uses an invalid certificate",
+ 			components.VirtHandlerCertSecretName,
+ 			components.VirtHandlerCertSecretName,
+ 			"x509: certificate specifies an incompatible key usage",
++			[]string{"kubevirt.io:system:client:virt-handler"},
+ 		),
+ 	)
+ 
+diff --git a/pkg/virt-api/api.go b/pkg/virt-api/api.go
+index 5b31c3d..8f693cb 100644
+--- a/pkg/virt-api/api.go
++++ b/pkg/virt-api/api.go
+@@ -858,7 +858,7 @@ func (app *virtAPIApp) registerMutatingWebhook(informers *webhooks.Informers) {
+ 	})
+ }
+ 
+-func (app *virtAPIApp) setupTLS(k8sCAManager kvtls.ClientCAManager, kubevirtCAManager kvtls.ClientCAManager) {
++func (app *virtAPIApp) setupTLS(k8sCAManager kvtls.KubernetesCAManager, kubevirtCAManager kvtls.ClientCAManager) {
+ 
+ 	// A VerifyClientCertIfGiven request means we're not guaranteed
+ 	// a client has been authenticated unless they provide a peer
+-- 
+2.45.4
+