Bug 1685213 (CVE-2019-1002101)

Summary: CVE-2019-1002101 kubernetes: Mishandling of symlinks allows for arbitrary file write via `kubectl cp`
Product: [Other] Security Response Reporter: Andrej Nemec <anemec>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: abhgupta, admiller, ahardin, bjarvis, bleanhar, bmontgom, ccoleman, dbaker, dedgar, dominik.mierzejewski, eparis, go-sig, hchiramm, ichavero, jbrooks, jburrell, jcajka, jchaloup, jgoulding, jmulligan, jokerman, kramdoss, madam, mchappel, nstielau, rhs-bugs, security-response-team, sisharma, sponnaga, sthangav, strigazi, tdawson, trankin, tstclair
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: kubernetes 1.11.9, kubernetes 1.12.7, kubernetes 1.13.5, kubernetes 1.14.0 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Kubernetes via the mishandling of symlinks when copying files from a running container. An attacker could exploit this by convincing a user to use `kubectl cp` or `oc cp` with a malicious container, allowing for arbitrary files to be overwritten on the host machine.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-27 03:26:19 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1686294, 1686295, 1687658, 1687659, 1693315, 1693318, 1693320, 1693881, 1693882, 1693884, 1693885    
Bug Blocks: 1685214    

Description Andrej Nemec 2019-03-04 16:51:27 UTC 
A potential symlink escape vulnerability was found in Kubernetes after 1.9.0-alpha. A compromised container could potentially be used to achieve code execution.

Introduced by:

https://github.com/kubernetes/kubernetes/commit/b1f85e2dfec6e64d8e1bc272251277df0058ab20
Comment 1 Andrej Nemec 2019-03-06 09:21:57 UTC 
Acknowledgments:

Name: Ariel Zelivansky (Twistlock)
Comment 5 Hardik Vyas 2019-03-08 09:38:33 UTC 
heketi-8.0.0 shipped with Gluster uses Kubernetes version v1.5.5 which is too old and the vulnerable code is not present which was introduced in v1.9.0-alpha.2.
Comment 7 Sam Fowler 2019-03-12 04:57:09 UTC 
Statement:

This issue affects Kubernetes starting from version 1.9. OpenShift Container Platform (OCP) versions 3.9 and later are also affected.

This issue did not affect the version of Kubernetes(embedded in heketi) shipped with Red Hat Gluster Storage 3 as it does not contain the vulnerable code.
Comment 10 Laura Pardo 2019-03-28 21:16:47 UTC 
Upstream Patch:
https://github.com/kubernetes/kubernetes/pull/75037
Comment 11 Laura Pardo 2019-03-28 21:16:50 UTC 
External References:

https://discuss.kubernetes.io/t/announce-security-release-of-kubernetes-kubectl-potential-directory-traversal-releases-1-11-9-1-12-7-1-13-5-and-1-14-0-cve-2019-1002101/5712
Comment 12 Laura Pardo 2019-03-28 21:17:49 UTC 
Created kubernetes tracking bugs for this issue:

Affects: fedora-all [bug 1693884]


Created kubernetes:1.1/kubernetes tracking bugs for this issue:

Affects: fedora-29 [bug 1693881]


Created kubernetes:openshift-3.10/origin tracking bugs for this issue:

Affects: fedora-29 [bug 1693882]


Created origin tracking bugs for this issue:

Affects: fedora-all [bug 1693885]