Bug 1486336 (CVE-2017-1000056)

Summary: CVE-2017-1000056 kubernetes: Privilege escalation in the PodSecurityPolicy admission plugin
Product: [Other] Security Response Reporter: Andrej Nemec <anemec>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: bleanhar, ccoleman, dedgar, dmcphers, eparis, ichavero, jbrooks, jcajka, jchaloup, jgoulding, jkeck, lsm5, nhorman, ssorce, tstclair, vbatts
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: kubernetes 1.5.5 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 03:22:27 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1486337, 1486838, 1516612, 1516613    
Bug Blocks: 1486339    

Description Andrej Nemec 2017-08-29 13:49:49 UTC 
Kubernetes is vulnerable to a privilege escalation in the PodSecurityPolicy admission plugin resulting in the ability to make use of any existing PodSecurityPolicy object.

Upstream patch:

https://github.com/kubernetes/kubernetes/commit/7fef0a4f6a44ea36f166c39fdade5324eff2dd5e

Upstream issue:

https://github.com/kubernetes/kubernetes/issues/43459

References:

https://snyk.io/vuln/SNYK-GOLANG-K8SIOKUBERNETES-50004
Comment 1 Andrej Nemec 2017-08-29 13:51:45 UTC 
Created kubernetes tracking bugs for this issue:

Affects: fedora-25 [bug 1486337]
Comment 4 Mark Knowles 2017-11-23 06:26:06 UTC 
OpenShift isn't affected because we use Security Context Constraints (SCC) instead of Pod Security Policy (PSP).  PSP support is not imported from upstream.

This will only affect OpenShift if we start using PSP.  If that becomes the case, it would need to be imported from upstream (where it is fixed).