Bug 1821583 (CVE-2020-8555)

Summary: CVE-2020-8555 kubernetes: Server side request forgery (SSRF) in kube-controller-manager allows users to leak secret information
Product: [Other] Security Response Reporter: Sam Fowler <sfowler>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: adam.kaplan, admiller, aos-bugs, bbennett, bmontgom, chuffman, eparis, fbertina, hchiramm, hekumar, hvyas, jburrell, jcajka, jmulligan, joelsmith, jokerman, jsafrane, lhinds, madam, maszulik, mfojtik, mtleilia, nstielau, puebele, rhs-bugs, security-response-team, sfowler, sponnaga, storage-qa-internal, sttts, tsmetana, vbellur
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: kube-controller-manager 1.18.1, kube-controller-manager 1.17.5, kube-controller-manager 1.16.9, kube-controller-manager 1.15.12 Doc Type: If docs needed, set a value
Doc Text:
A server side request forgery (SSRF) flaw was found in Kubernetes. The kube-controller-manager allows authorized users with the ability to create StorageClasses or certain Volume types to leak up to 500 bytes of arbitrary information from the master's host network. This can include secrets from the kube-apiserver through the unauthenticated localhost port (if enabled).
 Story Points: ---
Clone Of: Environment:
Last Closed: 2020-06-17 23:20:46 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1822486, 1822487, 1822488, 1822489, 1822490, 1822491, 1822492, 1822494, 1822495, 1822496, 1822497, 1825883, 1840981, 1842692, 1890053, 1890054, 1890055    
Bug Blocks: 1821585    

Description Sam Fowler 2020-04-07 06:55:37 UTC 
There exists a Server Side Request Forgery (SSRF) vulnerability in
kube-controller-manager that allows certain authorized users to leak up to
500 bytes of arbitrary information from the master's host network,
including secrets from the kube-apiserver through the unauthenticated
localhost port (if enabled).

An attacker with permissions to create a pod with certain built-in Volume
types (GlusterFS, Quobyte, StorageFS, ScaleIO) or permissions to create a
StorageClass can cause kube-controller-manager to make GET requests or POST
requests without an attacker controlled request body from the master's host
network.
Comment 9 Sam Fowler 2020-05-27 05:36:10 UTC 
Statement:

OpenShift Container Platform does not expose kube-apiserver through an unauthenticated localhost port. However, other link-local addresses are reachable without authentication that allow an attacker to access sensitive data.

The version of heketi shipped with Red Hat Gluster Storage 3 includes the affected client side code for heketi and quobyte volume plugin, however the vulnerable functionality is currently not used by the product and hence this issue has been rated as having a security impact of Low.

Red Hat Openshift Container Storage 4.2 is not affected by this vulnerability as rook-ceph-operator container does not include support for affected volume plugins(storageos, scaleio, glusterfs, quobyte).
Comment 15 Sam Fowler 2020-06-01 21:08:23 UTC 
External References:

https://groups.google.com/forum/#!topic/kubernetes-security-announce/kEK27tqqs30
Comment 16 Sam Fowler 2020-06-01 21:08:51 UTC 
Created origin tracking bugs for this issue:

Affects: fedora-all [bug 1842692]
Comment 18 Sam Fowler 2020-06-02 04:39:33 UTC 
Mitigation:

Restrict use of the vulnerable volume type and restrict StorageClass write permissions via RBAC
Comment 20 Sam Fowler 2020-06-02 07:31:40 UTC 
Upstream Issue:

https://github.com/kubernetes/kubernetes/issues/91542


Upstream Patches:

https://github.com/kubernetes/kubernetes/pull/89794 (master)
https://github.com/kubernetes/kubernetes/pull/89796 (1.18.1+)
https://github.com/kubernetes/kubernetes/pull/89837 (1.17.5+)
https://github.com/kubernetes/kubernetes/pull/89838 (1.16.9+)
https://github.com/kubernetes/kubernetes/pull/89839 (1.15.12+)
Comment 21 Sam Fowler 2020-06-02 22:49:37 UTC 
Acknowledgments:

Name: the Kubernetes Product Security Committee
Upstream: Brice Augras (Groupe-Asten), Christophe Hauquiert (Nokia)
Comment 22 errata-xmlrpc 2020-06-17 19:44:37 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.3

Via RHSA-2020:2440 https://access.redhat.com/errata/RHSA-2020:2440
Comment 23 errata-xmlrpc 2020-06-17 20:15:34 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.3

Via RHSA-2020:2441 https://access.redhat.com/errata/RHSA-2020:2441
Comment 24 errata-xmlrpc 2020-06-17 20:18:07 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.4

Via RHSA-2020:2448 https://access.redhat.com/errata/RHSA-2020:2448
Comment 25 errata-xmlrpc 2020-06-17 21:30:20 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.4

Via RHSA-2020:2449 https://access.redhat.com/errata/RHSA-2020:2449
Comment 26 Product Security DevOps Team 2020-06-17 23:20:46 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-8555
Comment 27 errata-xmlrpc 2020-06-18 21:11:29 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.11

Via RHSA-2020:2479 https://access.redhat.com/errata/RHSA-2020:2479
Comment 28 errata-xmlrpc 2020-07-01 16:02:45 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.2

Via RHSA-2020:2594 https://access.redhat.com/errata/RHSA-2020:2594