Bug 1851422 (CVE-2020-8559)
| Summary: | CVE-2020-8559 kubernetes: compromised node could escalate to cluster level privileges | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Michael Kaplan <mkaplan> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | admiller, aos-bugs, bmontgom, eparis, hchiramm, hvyas, jburrell, jcajka, jmulligan, joelsmith, jokerman, lszaszki, madam, mfojtik, nstielau, puebele, rhs-bugs, security-response-team, sfowler, sponnaga, storage-qa-internal, sttts, xxia |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | kubernetes 1.18.6, kubernetes 1.17.9, kubernetes 1.16.13 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A flaw was found in the Kubernetes API server, where it allows an attacker to escalate their privileges from a compromised node. This flaw allows an attacker who can intercept requests on a compromised node, to redirect those requests, along with their credentials, to perform actions on other endpoints that trust those credentials (including other clusters), allowing for escalation of privileges. The highest threat from this vulnerability is to confidentiality, integrity, and system availability.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-12-01 11:33:55 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1861748, 1861749, 1861750, 1861751, 1861754, 1861759, 1852692, 1852693, 1852694, 1852695, 1852696, 1852697, 1852698, 1852699, 1852700, 1853207, 1853208, 1853209, 1853210, 1857458, 1894005 | ||
| Bug Blocks: | 1851423 | ||
|
Description
Michael Kaplan
2020-06-26 13:32:24 UTC
Statement: Kubernetes is embedded in the version of heketi shipped with Red Hat Gluster Storage 3. However, it does not use Kubernetes API server part and only uses client side bits. Hence, this flaw does not affect heketi. Acknowledgments: Name: the Kubernetes Product Security Committee Upstream: Wouter ter Maat (Offensi) Upstream Issue: https://github.com/kubernetes/kubernetes/issues/92914 Upstream Patch: https://github.com/kubernetes/kubernetes/pull/92941 Mitigation: No mitigation is known. External References: https://groups.google.com/g/kubernetes-security-announce/c/JAIGG5yNROs Created origin tracking bugs for this issue: Affects: fedora-all [bug 1857458] This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.5 Via RHSA-2020:5194 https://access.redhat.com/errata/RHSA-2020:5194 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-8559 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 3.11 Via RHSA-2020:5363 https://access.redhat.com/errata/RHSA-2020:5363 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.4 Via RHSA-2021:0030 https://access.redhat.com/errata/RHSA-2021:0030 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.4 Via RHSA-2021:0281 https://access.redhat.com/errata/RHSA-2021:0281 |