A symlink race in the openShift node process allows a malicious container to trick the node into deleting any file. Every sync iteration, the atomic writer code walks the volume looking for files that shouldn't be there or files that have changed. When it finds files that shouldn't be there, it adds them to a list. Once it's finished walking the tree, it sorts the list lexicographically then starts at the end (to make sure that files are removed before the directories that contain them) and removes them one by one. Because (a) the volume isn't mounted read-only by the runtime and (b) there is a time between finding the file and deleting the file, a malicious container can set up conditions to win a race such that the file to be deleted is removed and replaced with a symlink (to a node file to be deleted) between the time that the kubelet finds the file and the time it deletes it.
Acknowledgments: Name: Joel Smith (Red Hat)
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 3.3 Red Hat OpenShift Container Platform 3.4 Red Hat OpenShift Container Platform 3.5 Red Hat OpenShift Container Platform 3.6 Red Hat OpenShift Container Platform 3.7 Via RHSA-2018:0475 https://access.redhat.com/errata/RHSA-2018:0475
Created kubernetes tracking bugs for this issue: Affects: fedora-all [bug 1554539]
Created origin tracking bugs for this issue: Affects: fedora-all [bug 1554573]
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2017-1002102