Bug 1715726 (CVE-2019-11245)

Summary: CVE-2019-11245 kubernetes: container uid changes to root after first restart
Product: [Other] Security Response Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: admiller, ahardin, bleanhar, bmontgom, ccoleman, dedgar, eparis, hchiramm, jburrell, jcajka, jgoulding, jmulligan, jokerman, kramdoss, madam, mchappel, nstielau, rhs-bugs, sankarshan, sisharma, sponnaga, ssaha, storage-qa-internal, tdawson, vbellur
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: kubernetes 1.13.7, kubernetes 1.14.3 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-10 10:56:25 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1715727    

Description Dhananjay Arunesh 2019-05-31 05:57:38 UTC 
In kubelet v1.13.6 and v1.14.2, containers for pods that do not specify an explicit runAsUser attempt to run as uid 0 (root) on container restart, or if the image was previously pulled to the node. If the pod specified mustRunAsNonRoot: true, the kubelet will refuse to start the container as root. If the pod did not specify mustRunAsNonRoot: true, the kubelet will run the container as uid 0.

Reference:
https://github.com/kubernetes/kubernetes/issues/78308
https://github.com/rancher/k3s/issues/511
https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
Comment 1 Sam Fowler 2019-05-31 06:13:01 UTC 
Upstream Fixes:

https://github.com/kubernetes/kubernetes/pull/78261 (master)
https://github.com/kubernetes/kubernetes/pull/78320 (1.13.7)
https://github.com/kubernetes/kubernetes/pull/78316 (1.14.3)
Comment 2 Sam Fowler 2019-05-31 06:44:39 UTC 
Flaw introduced by:

https://github.com/kubernetes/kubernetes/pull/76665 (master)
https://github.com/kubernetes/kubernetes/pull/77322 (1.13)
https://github.com/kubernetes/kubernetes/pull/77320 (1.14)
Comment 4 Hardik Vyas 2019-05-31 06:56:03 UTC 
Gluster embeds very old kubernetes version v1.5.5 with heketi, which is not affected by this vulnerability.

v1.5.5
======
140         uid, username, err := m.getImageUser(container.Image)
141         if err != nil {
142                 return nil, err
143         }
Comment 5 Hardik Vyas 2019-05-31 06:56:09 UTC 
Statement:

This vulnerability only affects upstream Kubernetes versions 1.13.6 and 1.14.2. All released versions of Red Hat OpenShift Container Platform and Red Hat Gluster Storage 3 are not affected by this flaw as they do not contain the vulnerable code.
Comment 6 Hardik Vyas 2019-05-31 07:03:46 UTC 
External References:

https://discuss.kubernetes.io/t/security-regression-in-kubernetes-kubelet-v1-13-6-and-v1-14-2-only-cve-2019-11245/6584
Comment 7 Hardik Vyas 2019-05-31 07:07:58 UTC 
Mitigation:

There are two potential mitigations to this issue:

1. Downgrade to kubelet v1.13.5 or v1.14.1 as instructed by your Kubernetes distribution.
2. Set RunAsUser on all pods in the cluster that should not run as root. This is a Security Context feature; the docs are at https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod