Bug 1659877 (CVE-2018-1002101)

Summary: CVE-2018-1002101 kubernetes: Improper input validation while setting up volume mounts on Windows nodes allows for command injection
Product: [Other] Security Response Reporter: Sam Fowler <sfowler>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: adeshpan, ahardin, bleanhar, bmontgom, ccoleman, dedgar, eparis, hchiramm, jburrell, jgoulding, jmulligan, jokerman, kramdoss, madam, mchappel, nstielau, rhs-bugs, rlichti, sisharma, sponnaga
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: kubernetes 1.12.0, kubernetes 1.11.2, kubernetes 1.10.6, kubernetes 1.9.10 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-27 03:19:36 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1659878, 1659879, 1659880, 1659881, 1679391, 1679392    
Bug Blocks: 1659882    

Description Sam Fowler 2018-12-17 06:06:54 UTC 
In Kubernetes versions 1.9.0-1.9.9, 1.10.0-1.10.5, and 1.11.0-1.11.1, user input was handled insecurely while setting up volume mounts on Windows nodes, which could lead to command line argument injection.


Upstream Issue:

https://github.com/kubernetes/kubernetes/issues/65750


Upstream Patches:

https://github.com/kubernetes/kubernetes/commit/d65039c56ce (v1.12.0)
https://github.com/kubernetes/kubernetes/commit/914e404d3fc (v1.11.2)
https://github.com/kubernetes/kubernetes/commit/46981ede3a6 (v1.10.6)
https://github.com/kubernetes/kubernetes/commit/b2fb73ffead (v1.9.10)
Comment 1 Sam Fowler 2018-12-17 06:07:15 UTC 
Created kubernetes tracking bugs for this issue:

Affects: fedora-all [bug 1659878]


Created kubernetes:1.1/kubernetes tracking bugs for this issue:

Affects: fedora-29 [bug 1659879]


Created kubernetes:openshift-3.10/origin tracking bugs for this issue:

Affects: fedora-29 [bug 1659880]


Created origin tracking bugs for this issue:

Affects: fedora-all [bug 1659881]