Bug 1821583 (CVE-2020-8555) - CVE-2020-8555 kubernetes: Server side request forgery (SSRF) in kube-controller-manager allows users to leak secret information
Summary: CVE-2020-8555 kubernetes: Server side request forgery (SSRF) in kube-controll...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-8555
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1890053 1890054 1890055 1822486 1822487 1822488 1822489 1822490 1822491 1822492 1822494 1822495 1822496 1822497 1825883 1840981 1842692
Blocks: 1821585
TreeView+ depends on / blocked
 
Reported: 2020-04-07 06:55 UTC by Sam Fowler
Modified: 2021-02-16 20:19 UTC (History)
32 users (show)

Fixed In Version: kube-controller-manager 1.18.1, kube-controller-manager 1.17.5, kube-controller-manager 1.16.9, kube-controller-manager 1.15.12
Doc Type: If docs needed, set a value
Doc Text:
A server side request forgery (SSRF) flaw was found in Kubernetes. The kube-controller-manager allows authorized users with the ability to create StorageClasses or certain Volume types to leak up to 500 bytes of arbitrary information from the master's host network. This can include secrets from the kube-apiserver through the unauthenticated localhost port (if enabled).
Clone Of:
Environment:
Last Closed: 2020-06-17 23:20:46 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:2440 0 None None None 2020-06-17 19:44:39 UTC
Red Hat Product Errata RHSA-2020:2441 0 None None None 2020-06-17 20:15:37 UTC
Red Hat Product Errata RHSA-2020:2448 0 None None None 2020-06-17 20:18:09 UTC
Red Hat Product Errata RHSA-2020:2449 0 None None None 2020-06-17 21:30:23 UTC
Red Hat Product Errata RHSA-2020:2479 0 None None None 2020-06-18 21:11:33 UTC
Red Hat Product Errata RHSA-2020:2594 0 None None None 2020-07-01 16:02:47 UTC

Description Sam Fowler 2020-04-07 06:55:37 UTC
There exists a Server Side Request Forgery (SSRF) vulnerability in
kube-controller-manager that allows certain authorized users to leak up to
500 bytes of arbitrary information from the master's host network,
including secrets from the kube-apiserver through the unauthenticated
localhost port (if enabled).

An attacker with permissions to create a pod with certain built-in Volume
types (GlusterFS, Quobyte, StorageFS, ScaleIO) or permissions to create a
StorageClass can cause kube-controller-manager to make GET requests or POST
requests without an attacker controlled request body from the master's host
network.

Comment 9 Sam Fowler 2020-05-27 05:36:10 UTC
Statement:

OpenShift Container Platform does not expose kube-apiserver through an unauthenticated localhost port. However, other link-local addresses are reachable without authentication that allow an attacker to access sensitive data.

The version of heketi shipped with Red Hat Gluster Storage 3 includes the affected client side code for heketi and quobyte volume plugin, however the vulnerable functionality is currently not used by the product and hence this issue has been rated as having a security impact of Low.

Red Hat Openshift Container Storage 4.2 is not affected by this vulnerability as rook-ceph-operator container does not include support for affected volume plugins(storageos, scaleio, glusterfs, quobyte).

Comment 16 Sam Fowler 2020-06-01 21:08:51 UTC
Created origin tracking bugs for this issue:

Affects: fedora-all [bug 1842692]

Comment 18 Sam Fowler 2020-06-02 04:39:33 UTC
Mitigation:

Restrict use of the vulnerable volume type and restrict StorageClass write permissions via RBAC

Comment 21 Sam Fowler 2020-06-02 22:49:37 UTC
Acknowledgments:

Name: the Kubernetes Product Security Committee
Upstream: Brice Augras (Groupe-Asten), Christophe Hauquiert (Nokia)

Comment 22 errata-xmlrpc 2020-06-17 19:44:37 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.3

Via RHSA-2020:2440 https://access.redhat.com/errata/RHSA-2020:2440

Comment 23 errata-xmlrpc 2020-06-17 20:15:34 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.3

Via RHSA-2020:2441 https://access.redhat.com/errata/RHSA-2020:2441

Comment 24 errata-xmlrpc 2020-06-17 20:18:07 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.4

Via RHSA-2020:2448 https://access.redhat.com/errata/RHSA-2020:2448

Comment 25 errata-xmlrpc 2020-06-17 21:30:20 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.4

Via RHSA-2020:2449 https://access.redhat.com/errata/RHSA-2020:2449

Comment 26 Product Security DevOps Team 2020-06-17 23:20:46 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-8555

Comment 27 errata-xmlrpc 2020-06-18 21:11:29 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.11

Via RHSA-2020:2479 https://access.redhat.com/errata/RHSA-2020:2479

Comment 28 errata-xmlrpc 2020-07-01 16:02:45 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.2

Via RHSA-2020:2594 https://access.redhat.com/errata/RHSA-2020:2594


Note You need to log in before you can comment on or make changes to this bug.