Bug 1525130 (CVE-2017-1002101)
Summary: | CVE-2017-1002101 kubernetes: Volume security can be sidestepped with innocent emptyDir and subpath | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Andrej Nemec <anemec> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | unspecified | CC: | admiller, ahardin, aos-bugs, aos-storage-staff, bchilds, bleanhar, ccoleman, dbaker, dedgar, dmcphers, eparis, hchiramm, ichavero, jbrooks, jcajka, jchaloup, jgoulding, jkeck, jokerman, jshepherd, madam, mchappel, nhorman, rhs-bugs, security-response-team, sisharma, smunilla, ssaha, storage-qa-internal, tdawson, tstclair, vbatts, vbellur |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | If docs needed, set a value | |
Doc Text: |
It was found that volume security can be sidestepped with innocent emptyDir and subpath. This could give an attacker with access to a pod full control over the node host by gaining access to docker socket.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2019-07-12 13:04:33 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1519365, 1520626, 1520627, 1520631, 1554165, 1554166, 1554420, 1554569 | ||
Bug Blocks: | 1525132 |
Description
Andrej Nemec
2017-12-12 16:34:42 UTC
Created kubernetes tracking bugs for this issue: Affects: fedora-all [bug 1554420] This issue has been addressed in the following products: Red Hat OpenShift Container Platform 3.3 Red Hat OpenShift Container Platform 3.4 Red Hat OpenShift Container Platform 3.5 Red Hat OpenShift Container Platform 3.6 Red Hat OpenShift Container Platform 3.7 Via RHSA-2018:0475 https://access.redhat.com/errata/RHSA-2018:0475 This flaw allows a pod to mount any part of the host filesystem. The pod will run with the security contraints placed on the user but could read anything with o=rx mode and appropriate SELinux label. External References: https://github.com/kubernetes/kubernetes/issues/60813 Created origin tracking bugs for this issue: Affects: fedora-all [bug 1554569] Statement: This flaw allows a pod to mount any part of the host filesystem. The pod will run with the security contraints placed on the user but could read anything with o=rx mode and appropriate SELinux label. Kubernetes has been deprecated from Red Hat Enterprise Linux Extras channel. See https://access.redhat.com/errata/RHSA-2018:1072 for details. This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2017-1002101 |