Bug 1835977 (CVE-2020-8557)

Summary: CVE-2020-8557 kubernetes: Node disk DOS by writing to container /etc/hosts
Product: [Other] Security Response
Component: vulnerability
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
Hardware: All
OS: Linux
Keywords: Security
Reporter: Jason Shepherd <jshepherd>
Assignee: Red Hat Product Security <security-response-team>
CC: admiller, aos-bugs, bmontgom, decarr, dominik.mierzejewski, eparis, jburrell, jcajka, joelsmith, jokerman, mfojtik, nstielau, security-response-team, sponnaga, sttts
Fixed In Version: kubernetes 1.19.0, kubernetes 1.18.6, kubernetes 1.17.10, kubernetes 1.16.13
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Kubernetes, where the amount of disk space the /etc/hosts file can use is unconstrained. This flaw can allow attacker-controlled pods to cause a denial of service if they have permission to write to their /etc/hosts file, which the kubelet backs with a file on the node's disk.
Last Closed: 2020-08-24 15:15:19 UTC
Bug Depends On: 1858269, 1858270, 1858271, 1858272, 1858273, 1858274, 1857079, 1857080, 1857081, 1857082, 1857083, 1857084, 1857085, 1857086, 1857088, 1857459, 1873180
Bug Blocks: 1834641

Description Jason Shepherd 2020-05-14 20:15:56 UTC
The kubelet sets up a file called etc-hosts for each pod, which is mounted in the containers as /etc/hosts. The file isn't counted against memory limits (as a tmpfs file would be) or ephemeral storage usage limits. The container can fill up the disk of the node on which it was scheduled.

Comment 1 Jason Shepherd 2020-05-14 20:15:59 UTC
Mitigation:

On OpenShift Container Platform (OCP) 3.11 and 4.x it's possible to set the allowPrivilegeEscalation Security Context Constraint to 'false' to prevent this. Note that this is set to 'true' by default, and setting it to false will cause certain binaries which require setuid to stop working. On OCP 3.11, for example, the 'ping' command will no longer work [1]. On OCP 4.x and later the 'ping' command will work with allowPrivilegeEscalation set to false, but other setuid binaries will not work.
[1] https://docs.openshift.com/container-platform/3.11/release_notes/ocp_3_11_release_notes.html

Comment 4 Sam Fowler 2020-07-15 05:56:21 UTC
Upstream patch:

https://github.com/kubernetes/kubernetes/pull/92916

Comment 5 Sam Fowler 2020-07-15 05:56:39 UTC
Upstream issue:

https://github.com/kubernetes/kubernetes/issues/93032

Comment 8 Sam Fowler 2020-07-15 06:09:29 UTC
Acknowledgments:

Name: the Kubernetes Product Security Committee
Upstream: Kebe Liu (DaoCloud)

Comment 9 Sam Fowler 2020-07-15 22:07:41 UTC
External References:

https://groups.google.com/g/kubernetes-security-announce/c/cB_JUsYEKyY

Comment 10 Sam Fowler 2020-07-15 22:08:01 UTC
Created origin tracking bugs for this issue:

Affects: fedora-all [bug 1857459]

Comment 14 errata-xmlrpc 2020-08-24 14:51:55 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.5

Via RHSA-2020:3519 https://access.redhat.com/errata/RHSA-2020:3519

Comment 15 errata-xmlrpc 2020-08-24 15:09:45 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.5

Via RHSA-2020:3520 https://access.redhat.com/errata/RHSA-2020:3520

Comment 16 Product Security DevOps Team 2020-08-24 15:15:19 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-8557

Comment 19 errata-xmlrpc 2020-09-01 18:47:23 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.4

Via RHSA-2020:3579 https://access.redhat.com/errata/RHSA-2020:3579

Comment 20 errata-xmlrpc 2020-09-01 18:55:13 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.4

Via RHSA-2020:3580 https://access.redhat.com/errata/RHSA-2020:3580

Comment 22 errata-xmlrpc 2020-09-23 12:44:33 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.3

Via RHSA-2020:3808 https://access.redhat.com/errata/RHSA-2020:3808

Comment 23 errata-xmlrpc 2020-09-23 14:15:02 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.3

Via RHSA-2020:3809 https://access.redhat.com/errata/RHSA-2020:3809

Comment 26 Jason Shepherd 2020-12-14 04:47:36 UTC
Statement:

In OpenShift Container Platform (OCP) there is the LocalStorageCapacityIsolation feature gate, which prevents a denial of service (DoS) attack on the node by writing to the ephemeral storage. This feature is disabled by default in OCP 3.11 and can be enabled as per [1]. Even with the LocalStorageCapacityIsolation feature gate enabled, OCP is affected by this vulnerability; therefore it is recommended to enable the feature gate and also upgrade to an OCP version which has a fix for this vulnerability.

[1] https://docs.openshift.com/container-platform/3.11/install_config/configuring_ephemeral.html
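Added example (not part of this bug report, and not Kubernetes or OpenShift code): an audit script that checks a cluster for the two mitigations discussed in Comment 1 and Comment 26 and for the fixed kubelet releases listed in the "Fixed In Version" field. It reads the JSON shape that `kubectl get pods -A -o json` and `kubectl get nodes -o json` produce; the embedded input is a constructed sample, and the function names are the author's own. The `may-run-as-root` check is an addition beyond the bug's own mitigation text: the kubelet creates the pod's etc-hosts file as root, so blocking privilege escalation only helps a container that is not already running as UID 0.

```python
import json
import re

# Upstream kubelet releases carrying the fix, from the "Fixed In Version"
# field of this bug.  Anything on the 1.19 line or later is fixed.
FIXED_IN = {16: (1, 16, 13), 17: (1, 17, 10), 18: (1, 18, 6)}


def parse_kubelet_version(version):
    """Turn a kubeletVersion string such as 'v1.18.3+a1b2c3' into (1, 18, 3).

    Vendor builds append '+build' metadata; only the upstream triple matters.
    """
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError("unrecognised kubelet version: %r" % version)
    return tuple(int(x) for x in m.groups())


def kubelet_is_fixed(version):
    """True if this kubelet is at or past the fixed release for its line."""
    major, minor, patch = parse_kubelet_version(version)
    if (major, minor) >= (1, 19):
        return True
    fixed = FIXED_IN.get(minor) if major == 1 else None
    if fixed is None:
        return False  # no fixed release listed for this line (e.g. 1.15)
    return (major, minor, patch) >= fixed


def audit_container(pod, container):
    """Return the mitigations a container is missing, as short tags."""
    findings = []
    pod_sc = pod["spec"].get("securityContext", {})
    sc = container.get("securityContext", {})
    # Comment 1: allowPrivilegeEscalation defaults to true, so only an
    # explicit false counts as mitigated.
    if sc.get("allowPrivilegeEscalation") is not False:
        findings.append("allowPrivilegeEscalation-not-false")
    # Added check (assumption of this example, not from the bug): the kubelet
    # writes etc-hosts as root, so a container that itself runs as root can
    # still fill it regardless of allowPrivilegeEscalation.  runAsNonRoot may
    # be set at pod or container level.
    if not (sc.get("runAsNonRoot") or pod_sc.get("runAsNonRoot")):
        findings.append("may-run-as-root")
    # Comment 26: ephemeral-storage limits rely on LocalStorageCapacityIsolation
    # and, per the statement, do not by themselves cover this file.
    limits = container.get("resources", {}).get("limits", {})
    if "ephemeral-storage" not in limits:
        findings.append("no-ephemeral-storage-limit")
    return findings


def audit(pods_doc, nodes_doc):
    """Audit `kubectl get pods -o json` and `kubectl get nodes -o json` output."""
    report = {"pods": {}, "nodes": {}}
    for pod in pods_doc["items"]:
        name = "%s/%s" % (pod["metadata"]["namespace"], pod["metadata"]["name"])
        for c in pod["spec"]["containers"]:
            f = audit_container(pod, c)
            if f:
                report["pods"]["%s:%s" % (name, c["name"])] = f
    for node in nodes_doc["items"]:
        v = node["status"]["nodeInfo"]["kubeletVersion"]
        report["nodes"][node["metadata"]["name"]] = kubelet_is_fixed(v)
    return report


# Constructed sample input in the shape of `kubectl get ... -o json`.
SAMPLE_PODS = json.loads("""
{"items": [
 {"metadata": {"namespace": "default", "name": "unconstrained"},
  "spec": {"containers": [{"name": "app", "image": "example/app"}]}},
 {"metadata": {"namespace": "default", "name": "hardened"},
  "spec": {"securityContext": {"runAsNonRoot": true},
           "containers": [{"name": "app", "image": "example/app",
             "securityContext": {"allowPrivilegeEscalation": false},
             "resources": {"limits": {"ephemeral-storage": "1Gi"}}}]}}
]}
""")
SAMPLE_NODES = json.loads("""
{"items": [
 {"metadata": {"name": "worker-0"},
  "status": {"nodeInfo": {"kubeletVersion": "v1.18.3+a1b2c3"}}},
 {"metadata": {"name": "worker-1"},
  "status": {"nodeInfo": {"kubeletVersion": "v1.19.0"}}}
]}
""")

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_PODS, SAMPLE_NODES), indent=2))
```

Against the sample, the `unconstrained` pod is flagged on all three counts and `worker-0` is reported as unfixed; the `hardened` pod produces no findings. On a real cluster, pipe the two `kubectl` outputs into `audit` instead of the constructed documents; a node that is both unfixed and hosting a flagged pod is the one to prioritise.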

Comment 28 errata-xmlrpc 2021-10-28 15:58:18 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.11

Via RHSA-2021:3915 https://access.redhat.com/errata/RHSA-2021:3915