Bug 1835977 (CVE-2020-8557)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | CVE-2020-8557 kubernetes: Node disk DOS by writing to container /etc/hosts | | |
| Product | [Other] Security Response | Reporter | Jason Shepherd <jshepherd> |
| Component | vulnerability | Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA | QA Contact | |
| Severity | medium | Docs Contact | |
| Priority | medium | | |
| Version | unspecified | CC | admiller, aos-bugs, bmontgom, decarr, dominik.mierzejewski, eparis, jburrell, jcajka, joelsmith, jokerman, mfojtik, nstielau, security-response-team, sponnaga, sttts |
| Target Milestone | --- | Keywords | Security |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | kubernetes 1.19.0, kubernetes 1.18.6, kubernetes 1.17.10, kubernetes 1.16.13 | Doc Type | If docs needed, set a value |
| Doc Text | A flaw was found in Kubernetes, where the amount of disk space the /etc/hosts file can use is unconstrained. This flaw can allow attacker-controlled pods to cause a denial of service if they have permission to write to the node's /etc/hosts file. | | |
| Story Points | --- | | |
| Clone Of | | Environment | |
| Last Closed | 2020-08-24 15:15:19 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | 1858269, 1858270, 1858271, 1858272, 1858273, 1858274, 1857079, 1857080, 1857081, 1857082, 1857083, 1857084, 1857085, 1857086, 1857088, 1857459, 1873180 | | |
| Bug Blocks | 1834641 | | |
Description
Jason Shepherd, 2020-05-14 20:15:56 UTC

Mitigation: On OpenShift Container Platform (OCP) 3.11 and 4.x it's possible to set the allowPrivilegeEscalation Security Context Constraint to 'false' to prevent this. Note that this is set to 'true' by default, and setting it to false will prevent certain binaries which require setuid from working. On OCP 3.11 for example the 'ping' command will no longer work [1]. On OCP 4.x and later the 'ping' command will work with allowPrivilegeEscalation set to False, but other setuid binaries will not work.

[1] https://docs.openshift.com/container-platform/3.11/release_notes/ocp_3_11_release_notes.html

Upstream patch: https://github.com/kubernetes/kubernetes/pull/92916
Upstream issue: https://github.com/kubernetes/kubernetes/issues/93032

Acknowledgments:
Name: the Kubernetes Product Security Committee
Upstream: Kebe Liu (DaoCloud)

External References: https://groups.google.com/g/kubernetes-security-announce/c/cB_JUsYEKyY

Created origin tracking bugs for this issue:
Affects: fedora-all [bug 1857459]

This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 4.5
Via RHSA-2020:3519 https://access.redhat.com/errata/RHSA-2020:3519

This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 4.5
Via RHSA-2020:3520 https://access.redhat.com/errata/RHSA-2020:3520

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-8557

This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 4.4
Via RHSA-2020:3579 https://access.redhat.com/errata/RHSA-2020:3579

This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 4.4
Via RHSA-2020:3580 https://access.redhat.com/errata/RHSA-2020:3580

This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 4.3
Via RHSA-2020:3808 https://access.redhat.com/errata/RHSA-2020:3808

This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 4.3
Via RHSA-2020:3809 https://access.redhat.com/errata/RHSA-2020:3809

Statement: In OpenShift Container Platform (OCP) there is LocalStorageCapacityIsolation feature gate functionality which prevents a denial of service (DoS) attack on the node by writing to the ephemeral storage. This feature is disabled by default in OCP 3.11 and can be enabled as per [1]. Even with the LocalStorageCapacityIsolation feature gate enabled, OCP is affected by this vulnerability, therefore it is recommended to enable the feature gate and also upgrade to an OCP version which has a fix for this vulnerability.

[1] https://docs.openshift.com/container-platform/3.11/install_config/configuring_ephemeral.html

This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 3.11
Via RHSA-2021:3915 https://access.redhat.com/errata/RHSA-2021:3915
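The mitigation and the statement above describe two settings an administrator can apply while waiting to upgrade: an SCC that denies privilege escalation, and ephemeral-storage limits under the LocalStorageCapacityIsolation feature gate. The manifests below are an added illustration, not configuration from Red Hat, the bug, or the upstream fix; the SCC name `restricted-no-privesc`, the pod name `example-app`, the namespace `demo`, the image reference and the `1Gi` limit are all constructed values. The SCC keeps the usual restrictions of the default `restricted` profile and only changes the field the comment names.

```yaml
# Added example (constructed): an SCC that turns off allowPrivilegeEscalation,
# which the comment above gives as the OCP 3.11/4.x mitigation. The default
# SCCs ship with allowPrivilegeEscalation: true; this one flips it to false.
# Consequence noted in the comment: setuid binaries (e.g. 'ping' on OCP 3.11)
# stop working for pods admitted under this SCC.
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: restricted-no-privesc          # constructed name
allowPrivilegeEscalation: false        # the setting the mitigation relies on
allowPrivilegedContainer: false
allowHostDirVolumePlugin: false
allowHostNetwork: false
allowHostPID: false
allowHostIPC: false
readOnlyRootFilesystem: false
requiredDropCapabilities:
  - ALL
runAsUser:
  type: MustRunAsRange                 # no root inside the container
seLinuxContext:
  type: MustRunAs
fsGroup:
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
volumes:
  - configMap
  - emptyDir
  - persistentVolumeClaim
  - projected
  - secret
users: []
groups:
  - system:authenticated               # constructed: bind to the group you actually want
---
# Added example (constructed): a pod that sets the same restriction per
# container and an ephemeral-storage limit. The limit is what the
# LocalStorageCapacityIsolation feature gate enforces; per the statement above
# it does NOT by itself cover the /etc/hosts write, so it is a complement to
# upgrading to a fixed version, not a substitute.
apiVersion: v1
kind: Pod
metadata:
  name: example-app                    # constructed name
  namespace: demo                      # constructed namespace
spec:
  containers:
    - name: app
      image: registry.example.com/demo/app:1.0   # constructed image reference
      securityContext:
        allowPrivilegeEscalation: false
        runAsNonRoot: true
      resources:
        requests:
          ephemeral-storage: "256Mi"
        limits:
          ephemeral-storage: "1Gi"     # constructed cap; pod is evicted if exceeded
```

On OCP the pod-level `allowPrivilegeEscalation: false` is only honoured if the admitting SCC permits it (an SCC with the field set to `false` forces it regardless of the pod spec). Verify which SCC a running pod was admitted under by reading its `openshift.io/scc` annotation (`oc get pod example-app -n demo -o jsonpath='{.metadata.annotations.openshift\.io/scc}'`) and confirm `allowPrivilegeEscalation` on that SCC before relying on this mitigation.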