Bug 1492101 (CVE-2017-1002100) - CVE-2017-1002100 kubernetes: Incorrect default access permissions for Persistent Volumes
Summary: CVE-2017-1002100 kubernetes: Incorrect default access permissions for Persist...
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2017-1002100
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1492102
TreeView+ depends on / blocked
 
Reported: 2017-09-15 13:07 UTC by Adam Mariš
Modified: 2019-09-29 14:22 UTC (History)
16 users (show)

Fixed In Version: kubernetes 1.6.6
Clone Of:
Environment:
Last Closed: 2018-04-10 11:41:06 UTC
Embargoed:

Attachments (Terms of Use)

Description Adam Mariš 2017-09-15 13:07:54 UTC 
A vulnerability has been disclosed in which default access permissions for Persistent Volumes (PVs) created by the Kubernetes Azure cloud provider in versions 1.6.0 to 1.6.5 are set to "container" which exposes a URI that can be accessed without authentication on the public internet. Access to the URI string requires privileged access to the Kubernetes cluster or authenticated access to the Azure portal.

Only Kubernetes 1.6.0-1.6.5 installations that have Persistent Volumes (PVs) actively provisioned through the Azure cloud provider are subject to the vulnerability. Clusters without PVs are unaffected. No other form of cluster storage is impacted.

An individual with the full URI of an actively provisioned persistent volume can download the VHD file for that volume. It does not apply retroactively to volumes already deleted from the cluster.

Upstream bug:

https://github.com/kubernetes/kubernetes/issues/47611

Upstream patch:

https://github.com/kubernetes/kubernetes/pull/47605
Note You need to log in before you can comment on or make changes to this bug.