Bug 1648138 (CVE-2018-1002105) - CVE-2018-1002105 kubernetes: authentication/authorization bypass in the handling of non-101 responses
Summary: CVE-2018-1002105 kubernetes: authentication/authorization bypass in the handl...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2018-1002105
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
urgent
urgent
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1651073 1648171 1648172 1648173 1648174 1648175 1648176 1648177 1648178 1648179 1648180 1648181 1648731 1655686 1656650
Blocks: 1648143 1652502 1652503 1652504 1652505 1670468
TreeView+ depends on / blocked
 
Reported: 2018-11-08 22:10 UTC by Laura Pardo
Modified: 2021-03-26 15:17 UTC (History)
39 users (show)

Fixed In Version: kubernetes 1.10.11, kubernetes 1.11.5, kubernetes 1.12.3, kubernetes 1.13.0
Doc Type: If docs needed, set a value
Doc Text:
A privilege escalation vulnerability exists in OpenShift Container Platform which allows for compromise of pods running co-located on a compute node. This access could include access to all secrets, pods, environment variables, running pod/container processes, and persistent volumes, including in privileged containers.
Clone Of:
Environment:
Last Closed: 2019-03-05 04:35:46 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:2906 0 None None None 2018-12-03 17:34:48 UTC
Red Hat Product Errata RHSA-2018:2908 0 None None None 2018-12-03 17:36:14 UTC
Red Hat Product Errata RHSA-2018:3537 0 None None None 2018-12-03 17:28:23 UTC
Red Hat Product Errata RHSA-2018:3549 0 None None None 2018-12-03 17:31:17 UTC
Red Hat Product Errata RHSA-2018:3551 0 None None None 2018-12-03 17:33:50 UTC
Red Hat Product Errata RHSA-2018:3598 0 None None None 2018-12-03 17:33:25 UTC
Red Hat Product Errata RHSA-2018:3624 0 None None None 2018-12-03 17:34:27 UTC
Red Hat Product Errata RHSA-2018:3742 0 None None None 2018-12-03 17:26:40 UTC
Red Hat Product Errata RHSA-2018:3752 0 None None None 2018-12-03 17:30:54 UTC
Red Hat Product Errata RHSA-2018:3754 0 None None None 2018-12-03 17:29:14 UTC

Description Laura Pardo 2018-11-08 22:10:11 UTC 
With a specially crafted request, users are able to establish a connection through the Kubernetes API server to backend servers, then send arbitrary requests over the same connection directly to the backend, authenticated with the Kubernetes API server’s TLS credentials used to establish the backend connection.
Comment 20 Jason Shepherd 2018-11-27 00:03:16 UTC 
Mitigation:

See the vulnerability article for mitigation procedures.
Comment 21 Jason Shepherd 2018-11-27 07:35:35 UTC 
Upstream commit https://github.com/kubernetes/apimachinery/commit/b5d13f078af116d09ad9c323357497a0e9f623fc
Comment 23 Richard Maciel Costa 2018-12-03 17:04:01 UTC 
Created kubernetes tracking bugs for this issue:

Affects: fedora-all [bug 1655686]
Comment 24 errata-xmlrpc 2018-12-03 17:26:26 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.2

Via RHSA-2018:3742 https://access.redhat.com/errata/RHSA-2018:3742
Comment 25 errata-xmlrpc 2018-12-03 17:28:14 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.11

Via RHSA-2018:3537 https://access.redhat.com/errata/RHSA-2018:3537
Comment 26 errata-xmlrpc 2018-12-03 17:29:02 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.3

Via RHSA-2018:3754 https://access.redhat.com/errata/RHSA-2018:3754
Comment 27 errata-xmlrpc 2018-12-03 17:30:42 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.4

Via RHSA-2018:3752 https://access.redhat.com/errata/RHSA-2018:3752
Comment 28 errata-xmlrpc 2018-12-03 17:31:05 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.10

Via RHSA-2018:3549 https://access.redhat.com/errata/RHSA-2018:3549
Comment 29 errata-xmlrpc 2018-12-03 17:33:13 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.6

Via RHSA-2018:3598 https://access.redhat.com/errata/RHSA-2018:3598
Comment 30 errata-xmlrpc 2018-12-03 17:33:18 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.9

Via RHSA-2018:2908 https://access.redhat.com/errata/RHSA-2018:2908
Comment 31 errata-xmlrpc 2018-12-03 17:33:18 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.8

Via RHSA-2018:3551 https://access.redhat.com/errata/RHSA-2018:3551
Comment 32 errata-xmlrpc 2018-12-03 17:33:39 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.9

Via RHSA-2018:2908 https://access.redhat.com/errata/RHSA-2018:2908
Comment 33 errata-xmlrpc 2018-12-03 17:33:40 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.8

Via RHSA-2018:3551 https://access.redhat.com/errata/RHSA-2018:3551
Comment 34 errata-xmlrpc 2018-12-03 17:34:16 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.5

Via RHSA-2018:3624 https://access.redhat.com/errata/RHSA-2018:3624
Comment 35 errata-xmlrpc 2018-12-03 17:34:38 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.7

Via RHSA-2018:2906 https://access.redhat.com/errata/RHSA-2018:2906
Comment 36 errata-xmlrpc 2018-12-03 17:36:01 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.9

Via RHSA-2018:2908 https://access.redhat.com/errata/RHSA-2018:2908
Comment 39 Sam Fowler 2018-12-05 04:16:01 UTC 
Acknowledgments:

Name: the Kubernetes Product Security Team
Upstream: Darren Shepherd
Comment 40 Jason Shepherd 2018-12-05 21:58:03 UTC 
Statement:

In versions 3.6 and higher of OpenShift Container Platform, this vulnerability allows cluster-admin level access to any API hosted by an aggregated API server. This includes the ‘service catalog’ API which is installed by default in 3.7 and later. Cluster-admin level access to the service catalog allows creation of brokered services by an unauthenticated user with escalated privileges in any namespace and on any node. This could lead to an attacker being allowed to deploy malicious code, or alter existing services.
Comment 41 Jason Shepherd 2018-12-05 21:58:17 UTC 
External References:

https://groups.google.com/forum/#!topic/kubernetes-announce/GVllWCg6L88
https://access.redhat.com/security/vulnerabilities/3716411
Comment 42 Sam Fowler 2018-12-05 23:50:36 UTC 
Created origin tracking bugs for this issue:

Affects: fedora-all [bug 1656650]
Note You need to log in before you can comment on or make changes to this bug.