Bug 1648138 (CVE-2018-1002105) - CVE-2018-1002105 kubernetes: authentication/authorization bypass in the handling of non-101 responses
Summary: CVE-2018-1002105 kubernetes: authentication/authorization bypass in the handl...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2018-1002105
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
urgent
urgent
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=critical,public=20181203:1700,...
Depends On: 1651073 1648171 1648172 1648173 1648174 1648175 1648176 1648177 1648178 1648179 1648180 1648181 1648731 1655686 1656650
Blocks: 1648143 1652502 1652503 1652504 1652505 1670468
TreeView+ depends on / blocked
 
Reported: 2018-11-08 22:10 UTC by Laura Pardo
Modified: 2019-06-08 23:42 UTC (History)
35 users (show)

Fixed In Version: kubernetes 1.10.11, kubernetes 1.11.5, kubernetes 1.12.3, kubernetes 1.13.0
Doc Type: If docs needed, set a value
Doc Text:
A privilege escalation vulnerability exists in OpenShift Container Platform which allows for compromise of pods running co-located on a compute node. This access could include access to all secrets, pods, environment variables, running pod/container processes, and persistent volumes, including in privileged containers.
Clone Of:
Environment:
Last Closed: 2019-03-05 04:35:46 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:2906 None None None 2018-12-03 17:34:48 UTC
Red Hat Product Errata RHSA-2018:2908 None None None 2018-12-03 17:36:14 UTC
Red Hat Product Errata RHSA-2018:3537 None None None 2018-12-03 17:28:23 UTC
Red Hat Product Errata RHSA-2018:3549 None None None 2018-12-03 17:31:17 UTC
Red Hat Product Errata RHSA-2018:3551 None None None 2018-12-03 17:33:50 UTC
Red Hat Product Errata RHSA-2018:3598 None None None 2018-12-03 17:33:25 UTC
Red Hat Product Errata RHSA-2018:3624 None None None 2018-12-03 17:34:27 UTC
Red Hat Product Errata RHSA-2018:3742 None None None 2018-12-03 17:26:40 UTC
Red Hat Product Errata RHSA-2018:3752 None None None 2018-12-03 17:30:54 UTC
Red Hat Product Errata RHSA-2018:3754 None None None 2018-12-03 17:29:14 UTC

Description Laura Pardo 2018-11-08 22:10:11 UTC
With a specially crafted request, users are able to establish a connection through the Kubernetes API server to backend servers, then send arbitrary requests over the same connection directly to the backend, authenticated with the Kubernetes API server’s TLS credentials used to establish the backend connection.

Comment 20 Jason Shepherd 2018-11-27 00:03:16 UTC
Mitigation:

See the vulnerability article for mitigation procedures.

Comment 23 Richard Maciel Costa 2018-12-03 17:04:01 UTC
Created kubernetes tracking bugs for this issue:

Affects: fedora-all [bug 1655686]

Comment 24 errata-xmlrpc 2018-12-03 17:26:26 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.2

Via RHSA-2018:3742 https://access.redhat.com/errata/RHSA-2018:3742

Comment 25 errata-xmlrpc 2018-12-03 17:28:14 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.11

Via RHSA-2018:3537 https://access.redhat.com/errata/RHSA-2018:3537

Comment 26 errata-xmlrpc 2018-12-03 17:29:02 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.3

Via RHSA-2018:3754 https://access.redhat.com/errata/RHSA-2018:3754

Comment 27 errata-xmlrpc 2018-12-03 17:30:42 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.4

Via RHSA-2018:3752 https://access.redhat.com/errata/RHSA-2018:3752

Comment 28 errata-xmlrpc 2018-12-03 17:31:05 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.10

Via RHSA-2018:3549 https://access.redhat.com/errata/RHSA-2018:3549

Comment 29 errata-xmlrpc 2018-12-03 17:33:13 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.6

Via RHSA-2018:3598 https://access.redhat.com/errata/RHSA-2018:3598

Comment 30 errata-xmlrpc 2018-12-03 17:33:18 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.9

Via RHSA-2018:2908 https://access.redhat.com/errata/RHSA-2018:2908

Comment 31 errata-xmlrpc 2018-12-03 17:33:18 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.8

Via RHSA-2018:3551 https://access.redhat.com/errata/RHSA-2018:3551

Comment 32 errata-xmlrpc 2018-12-03 17:33:39 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.9

Via RHSA-2018:2908 https://access.redhat.com/errata/RHSA-2018:2908

Comment 33 errata-xmlrpc 2018-12-03 17:33:40 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.8

Via RHSA-2018:3551 https://access.redhat.com/errata/RHSA-2018:3551

Comment 34 errata-xmlrpc 2018-12-03 17:34:16 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.5

Via RHSA-2018:3624 https://access.redhat.com/errata/RHSA-2018:3624

Comment 35 errata-xmlrpc 2018-12-03 17:34:38 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.7

Via RHSA-2018:2906 https://access.redhat.com/errata/RHSA-2018:2906

Comment 36 errata-xmlrpc 2018-12-03 17:36:01 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.9

Via RHSA-2018:2908 https://access.redhat.com/errata/RHSA-2018:2908

Comment 39 Sam Fowler 2018-12-05 04:16:01 UTC
Acknowledgments:

Name: the Kubernetes Product Security Team
Upstream: Darren Shepherd

Comment 40 Jason Shepherd 2018-12-05 21:58:03 UTC
Statement:

In versions 3.6 and higher of OpenShift Container Platform, this vulnerability allows cluster-admin level access to any API hosted by an aggregated API server. This includes the ‘service catalog’ API which is installed by default in 3.7 and later. Cluster-admin level access to the service catalog allows creation of brokered services by an unauthenticated user with escalated privileges in any namespace and on any node. This could lead to an attacker being allowed to deploy malicious code, or alter existing services.

Comment 42 Sam Fowler 2018-12-05 23:50:36 UTC
Created origin tracking bugs for this issue:

Affects: fedora-all [bug 1656650]


Note You need to log in before you can comment on or make changes to this bug.