1784602 – (CVE-2018-1002102) CVE-2018-1002102 kubernetes: improper validation of URL redirection in the Kubernetes API server allows an attacker-controlled Kubelet to redirect API server requests from streaming endpoints

Bug 1784602 (CVE-2018-1002102) - CVE-2018-1002102 kubernetes: improper validation of URL redirection in the Kubernetes API server allows an attacker-controlled Kubelet to redirect API server requests from streaming endpoints

Summary: CVE-2018-1002102 kubernetes: improper validation of URL redirection in the Ku...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2018-1002102
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1804558 1784603 1784604 1791520
Blocks:	1784605
TreeView+	depends on / blocked

Reported:	2019-12-17 20:13 UTC by Guilherme de Almeida Suckevicz
Modified:	2021-02-16 20:51 UTC (History)
CC List:	24 users (show)
Fixed In Version:	kubernetes 1.14
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2020-12-16 16:18:35 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2020:5363	0	None	None	None	2020-12-16 12:35:12 UTC

Description Guilherme de Almeida Suckevicz 2019-12-17 20:13:47 UTC

Improper validation of URL redirection in the Kubernetes API server in versions prior to v1.14.0 allows an attacker-controlled Kubelet to redirect API server requests from streaming endpoints to arbitrary hosts. Impacted API servers will follow the redirect as a GET request with client-certificate credentials for authenticating to the Kubelet.

Reference:
https://github.com/kubernetes/kubernetes/issues/85867

Comment 1 Guilherme de Almeida Suckevicz 2019-12-17 20:14:06 UTC

Created kubernetes tracking bugs for this issue:

Affects: fedora-all [bug 1784603]


Created kubernetes:1.10/kubernetes tracking bugs for this issue:

Affects: fedora-all [bug 1784604]

Comment 2 Hardik Vyas 2019-12-31 13:01:52 UTC

Kubernetes is embedded in the version of heketi shipped with Red Hat Gluster Storage 3. However, it does not use Kubernetes API server part and only uses client side bits.

Comment 3 Sam Fowler 2020-01-16 02:03:36 UTC

Fixed in OpenShift 4.1.0:

https://github.com/openshift/origin/commit/efc7e25e7d1475b7c0c6caa74093cdad64d467e9

Comment 8 Sam Fowler 2020-07-09 00:46:55 UTC

Statement:

OpenShift Container Platform 4 is not affected by this flaw as it has included the upstream patch since version 4.1.0.

Comment 10 errata-xmlrpc 2020-12-16 12:35:03 UTC

This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.11

Via RHSA-2020:5363 https://access.redhat.com/errata/RHSA-2020:5363

Comment 11 Product Security DevOps Team 2020-12-16 16:18:35 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2018-1002102

Note You need to log in before you can comment on or make changes to this bug.

bmontgom
cscribne
dominik.mierzejewski
eparis
go-sig
hchiramm
hvyas
ichavero
jbrooks
jburrell
jcajka
jchaloup
jmulligan
jokerman
madam
nstielau
puebele
rhs-bugs
security-response-team
sisharma
sponnaga
storage-qa-internal
strigazi
tstclair