A major security vulnerability has been discovered in the linux tool
polkit (policykit) A user on a vulnerable machine is able to escalate privileges to root. See Ubuntu’s security notice and the CVE notice for more details. This vulnerability is present in some docker images that RStudio provides.
If your RStudio Workbench installation uses Kubernetes, and if it uses the rstudio/r-session-complete docker image based on Ubuntu Bionic, you will need to re-pull that image. The following versions of the image are vulnerable:
Each existing supported version has been patched with the updated version of Polkit to resolve the security vulnerability. If you are using any Ubuntu Bionic version of this image, you will need to ensure that you have an updated version.
Versions which are not listed above are no longer supported and will not be patched. Users on those versions should update to a supported version of RStudio Workbench.
Note that the CentOS 7 images in this docker repository are not affected by this vulnerability as they do not contain Polkit.
How to Verify
From within the container, run the following command:
dpkg-query --list policy*
This command should show the following output:
This article details the minimum version of
policykit-1 to ensure that the vulnerability is not present: https://ubuntu.com/security/notices/USN-5252-1.
If you see
0.105-20ubuntu0.18.04.5 or below, you will need to pull your image again.
Updating To a New RSW Version
Pulling the New Image
By default, RSW launches jobs with
imagePullPolicy: IfNotPresent. This means that if your image repository cache already has the vulnerable docker image it will not pull the new layer that resolves the vulnerability. There are several methods to correct this issue.
Clear Your Image Repository Cache
The simplest way to resolve this issue is to remove the
rstudio/rsession-complete:bionic-<version> image from your repository cache on each node. This will ensure that the next time a session is launched, the patched version of the image will be pulled.
If you prefer to fix the cache on the Kubernetes side without product changes, it is possible to force Kubernetes to re-pull a particular image on every node of your cluster.
It requires matching the image tag in use by users with a daemonset that re-pulls the image on each node of the cluster. When the pull is complete, all future jobs will use the updated image.
We talk through this process in detail here, and have created YAML files to simplify the process for recent and patched images. For the latest release of RStudio Workbench, this would look like:
kubectl apply -n default -f https://raw.githubusercontent.com/rstudio/helm/main/examples/yaml/daemonset-r-session-complete-dockerhub/prepull-rstudio-r-session-complete-bionic-2021.09.2-382.pro1.yaml
# look at the status of the daemonset
kubectl -n default get pods
If manually clearing the image repository cache is not an option, it is possible to configure RSW to use
imagePullPolicy: Always when launching jobs in Kubernetes, which will force all images to be re-pulled every time RStudio starts a job or session through Kubernetes. To configure this, follow the instructions found in the
imagePullPolicy section of this support article: https://support.rstudio.com/hc/en-us/articles/360051652094-Using-Job-Json-Overrides-with-RStudio-Server-Pro-and-Kubernetes#imagePullPolicy.
Once your image is updated, you may wish to undo those configuration changes to prevent the image from being pulled every time that a job uses it.