Bug 1685213 (CVE-2019-1002101)

Summary: CVE-2019-1002101 kubernetes: Mishandling of symlinks allows for arbitrary file write via `kubectl cp`
Product: [Other] Security Response
Reporter: Andrej Nemec <anemec>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: abhgupta, admiller, ahardin, bjarvis, bleanhar, ccoleman, dbaker, dedgar, dominik.mierzejewski, eparis, go-sig, hchiramm, ichavero, jbrooks, jcajka, jchaloup, jgoulding, jmulligan, jokerman, kramdoss, madam, mchappel, nhorman, rhs-bugs, sankarshan, security-response-team, sisharma, sponnaga, sthangav, storage-qa-internal, strigazi, syangsao, tdawson, trankin, tstclair, vbatts, vbellur
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: impact=moderate,public=20190328,reported=20190304,source=researcher,cvss3=5.3/CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N,cwe=CWE-59,fedora-29/kubernetes:1.1/kubernetes=affected,fedora-29/kubernetes:openshift-3.10/origin=affected,fedora-all/kubernetes=affected,fedora-all/origin=affected,openshift-enterprise-3.4/atomic-openshift=notaffected,openshift-enterprise-3.5/atomic-openshift=notaffected,openshift-enterprise-3.6/atomic-openshift=notaffected,openshift-enterprise-3.7/atomic-openshift=notaffected,openshift-enterprise-3.9/atomic-openshift=affected,openshift-enterprise-4.1/openshift=notaffected,openshift-enterprise-3.10/atomic-openshift=affected,openshift-enterprise-3.11/atomic-openshift=affected,openshift-online-3/atomic-openshift=defer,rhes-3/heketi=notaffected
Fixed In Version: kubernetes 1.11.9, kubernetes 1.12.7, kubernetes 1.13.5, kubernetes 1.14.0
Doc Text:
A flaw was found in Kubernetes via the mishandling of symlinks when copying files from a running container. An attacker could exploit this by convincing a user to use `kubectl cp` or `oc cp` with a malicious container, allowing for arbitrary files to be overwritten on the host machine.
Bug Depends On: 1693881, 1693882, 1693885, 1686294, 1686295, 1687658, 1687659, 1693315, 1693318, 1693320, 1693884    
Bug Blocks: 1685214    

Description Andrej Nemec 2019-03-04 16:51:27 UTC
A potential symlink escape vulnerability was found in Kubernetes after 1.9.0-alpha. A compromised container could potentially be used to achieve code execution.

Introduced by:

https://github.com/kubernetes/kubernetes/commit/b1f85e2dfec6e64d8e1bc272251277df0058ab20
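
The failure class described above, as an added example that is not from this bug report or from the Kubernetes project: `kubectl cp` unpacks a tar stream produced inside the container, so the receiving side has to vet symlink entries before anything is written. `VetArchive`, `Sample`, the `/tmp/out` destination and the reject-any-write-through-a-symlink policy are assumptions chosen for illustration; hard links are not covered.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"path/filepath"
	"strings"
)

func inside(root, p string) bool { // true when the cleaned path p stays under root
	rel, err := filepath.Rel(root, filepath.Clean(p))
	return err == nil && rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// VetArchive rejects, before extraction, entries that would land outside dest.
func VetArchive(dest string, r io.Reader) error {
	dest, links := filepath.Clean(dest), map[string]bool{} // links: symlinks seen so far
	tr := tar.NewReader(r)
	for h, err := tr.Next(); err != io.EOF; h, err = tr.Next() {
		if err != nil {
			return err
		}
		target := filepath.Join(dest, h.Name)
		to := filepath.Join(filepath.Dir(target), h.Linkname) // assumed policy: relative targets only
		badLink := h.Typeflag == tar.TypeSymlink && (filepath.IsAbs(h.Linkname) || !inside(dest, to))
		if !inside(dest, target) || badLink {
			return fmt.Errorf("%q (link %q) escapes %s", h.Name, h.Linkname, dest)
		}
		for p := target; p != dest; p = filepath.Dir(p) { // refuse writes through archive symlinks
			if links[p] {
				return fmt.Errorf("%q is written through symlink %s", h.Name, p)
			}
		}
		links[target] = h.Typeflag == tar.TypeSymlink
	}
	return nil
}

// Sample is a constructed archive: symlink name -> linkTo, then file "logs/app.log".
func Sample(name, linkTo string) io.Reader {
	b := &bytes.Buffer{}
	w := tar.NewWriter(b)
	w.WriteHeader(&tar.Header{Name: name, Typeflag: tar.TypeSymlink, Linkname: linkTo})
	w.WriteHeader(&tar.Header{Name: "logs/app.log", Typeflag: tar.TypeReg})
	w.Close()
	return b
}
func main() { fmt.Println(VetArchive("/tmp/out", Sample("logs", "/etc"))) }
```

The check only reads headers, so it can run over a buffered copy of the stream and gate the real extraction on a nil result.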

Comment 1 Andrej Nemec 2019-03-06 09:21:57 UTC
Acknowledgments:

Name: Ariel Zelivansky (Twistlock)

Comment 5 Hardik Vyas 2019-03-08 09:38:33 UTC
heketi-8.0.0 shipped with Gluster uses Kubernetes version v1.5.5, which is too old; the vulnerable code, which was introduced in v1.9.0-alpha.2, is not present.

Comment 7 Sam Fowler 2019-03-12 04:57:09 UTC
Statement:

This issue affects Kubernetes starting from version 1.9. OpenShift Container Platform (OCP) versions 3.9 and later are also affected.

This issue did not affect the version of Kubernetes (embedded in heketi) shipped with Red Hat Gluster Storage 3 as it does not contain the vulnerable code.

Comment 10 Laura Pardo 2019-03-28 21:16:47 UTC
Upstream Patch:
https://github.com/kubernetes/kubernetes/pull/75037

Comment 12 Laura Pardo 2019-03-28 21:17:49 UTC
Created kubernetes tracking bugs for this issue:

Affects: fedora-all [bug 1693884]


Created kubernetes:1.1/kubernetes tracking bugs for this issue:

Affects: fedora-29 [bug 1693881]


Created kubernetes:openshift-3.10/origin tracking bugs for this issue:

Affects: fedora-29 [bug 1693882]


Created origin tracking bugs for this issue:

Affects: fedora-all [bug 1693885]