Bug 1835977 (CVE-2020-8557) - CVE-2020-8557 kubernetes: Node disk DOS by writing to container /etc/hosts
Summary: CVE-2020-8557 kubernetes: Node disk DOS by writing to container /etc/hosts
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-8557
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1857082 1857083 1857088 1857459 1858269 1858270 1858271 1858272 1858273 1858274 1857079 1857080 1857081 1857084 1857085 1857086 1873180
Blocks: 1834641
Reported: 2020-05-14 20:15 UTC by Jason Shepherd
Modified: 2020-09-23 14:15 UTC
CC: 15 users

Fixed In Version: kubernetes 1.19.0, kubernetes 1.18.6, kubernetes 1.17.10, kubernetes 1.16.13
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Kubernetes, where the amount of disk space the /etc/hosts file can use is unconstrained. This flaw can allow attacker-controlled pods to cause a denial of service if they have permission to write to the node's /etc/hosts file.
Clone Of:
Environment:
Last Closed: 2020-08-24 15:15:19 UTC

Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:3519 None None None 2020-08-24 14:51:57 UTC
Red Hat Product Errata RHSA-2020:3520 None None None 2020-08-24 15:09:47 UTC
Red Hat Product Errata RHSA-2020:3579 None None None 2020-09-01 18:47:26 UTC
Red Hat Product Errata RHSA-2020:3580 None None None 2020-09-01 18:55:15 UTC
Red Hat Product Errata RHSA-2020:3808 None None None 2020-09-23 12:44:38 UTC
Red Hat Product Errata RHSA-2020:3809 None None None 2020-09-23 14:15:06 UTC

Description Jason Shepherd 2020-05-14 20:15:56 UTC
The kubelet sets up a file called etc-hosts for each pod, which is mounted in the containers as /etc/hosts. The file isn't counted against memory limits (as a tmpfs file would be) or ephemeral storage usage limits. The container can fill up the disk of the node on which it was scheduled.

Comment 1 Jason Shepherd 2020-05-14 20:15:59 UTC
Mitigation:

On OpenShift Container Platform (OCP) 3.11 and 4.x it's possible to set the allowPrivilegeEscalation Security Context Constraint to 'false' to prevent this. Note that this is set to 'true' by default, and setting it to 'false' will cause certain binaries which require setuid to stop working. On OCP 3.11, for example, the 'ping' command will no longer work [1]. On OCP 4.x and later the 'ping' command will work with allowPrivilegeEscalation set to 'false', but other setuid binaries will not work.
[1] https://docs.openshift.com/container-platform/3.11/release_notes/ocp_3_11_release_notes.html

Comment 4 Sam Fowler 2020-07-15 05:56:21 UTC
Upstream patch:

https://github.com/kubernetes/kubernetes/pull/92916

Comment 5 Sam Fowler 2020-07-15 05:56:39 UTC
Upstream issue:

https://github.com/kubernetes/kubernetes/issues/93032

Comment 8 Sam Fowler 2020-07-15 06:09:29 UTC
Acknowledgments:

Name: the Kubernetes Product Security Committee
Upstream: Kebe Liu (DaoCloud)

Comment 9 Sam Fowler 2020-07-15 22:07:41 UTC
External References:

https://groups.google.com/g/kubernetes-security-announce/c/cB_JUsYEKyY

Comment 10 Sam Fowler 2020-07-15 22:08:01 UTC
Created origin tracking bugs for this issue:

Affects: fedora-all [bug 1857459]

Comment 14 errata-xmlrpc 2020-08-24 14:51:55 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.5

Via RHSA-2020:3519 https://access.redhat.com/errata/RHSA-2020:3519

Comment 15 errata-xmlrpc 2020-08-24 15:09:45 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.5

Via RHSA-2020:3520 https://access.redhat.com/errata/RHSA-2020:3520

Comment 16 Product Security DevOps Team 2020-08-24 15:15:19 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-8557

Comment 17 Jason Shepherd 2020-08-25 01:03:51 UTC
Statement:

In OpenShift Container Platform (OCP) there is LocalStorageCapacityIsolation feature gate functionality which prevents a denial of service (DoS) attack on the node by writing to the ephemeral storage. This feature is disabled by default in OCP 3.11 and can be enabled as per [1]. Even with the LocalStorageCapacityIsolation feature gate enabled, OCP is affected by this vulnerability, therefore it is recommended to enable the feature gate and also upgrade to an OCP version which has a fix for this vulnerability.

[1] https://docs.openshift.com/container-platform/3.11/install_config/configuring_ephemeral.html
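
Added example, not part of this bug report and not Red Hat's or Kubernetes' own code: a small Python audit that checks pod manifests for the two settings discussed in comment 1 and comment 17, the per-container securityContext.allowPrivilegeEscalation field set explicitly to false, and an ephemeral-storage limit that local storage capacity isolation can enforce. It assumes manifests already parsed into dicts (what yaml.safe_load or json.load would return), uses constructed sample pods, and applies a hypothetical policy ceiling of 10Gi on the limit. The SCC default and the kubelet feature gate are cluster and node configuration that a manifest audit cannot see, and, as the statement above says, the limit is defence in depth until a fixed version is deployed.

```python
"""Audit pod manifests for the two hardening settings discussed in this bug:
allowPrivilegeEscalation=false on every container, and an ephemeral-storage
limit so local-storage capacity isolation has something to enforce.
Manifests are represented as already-parsed dicts (what yaml.safe_load or
json.load would return), so the script runs without extra dependencies.
"""

# Kubernetes resource-quantity suffixes mapped to a multiplier in bytes.
_SUFFIXES = {
    "Ki": 1024, "Mi": 1024 ** 2, "Gi": 1024 ** 3, "Ti": 1024 ** 4,
    "k": 10 ** 3, "M": 10 ** 6, "G": 10 ** 9, "T": 10 ** 12,
}


def quantity_to_bytes(q) -> int:
    """Convert a Kubernetes quantity such as '512Mi' or '1G' to bytes.
    Plain numbers are bytes; milli-quantities and unknown suffixes raise
    ValueError. Two-letter suffixes are tried first so 'Mi' wins over 'M'."""
    q = str(q).strip()
    for suffix, mult in sorted(_SUFFIXES.items(), key=lambda kv: -len(kv[0])):
        if q.endswith(suffix):
            return int(float(q[: -len(suffix)]) * mult)
    return int(float(q))


def audit_pod(pod: dict, max_ephemeral_bytes: int) -> list:
    """Return human-readable findings for one pod manifest (empty = OK)."""
    findings = []
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    spec = pod.get("spec", {})
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    for c in containers:
        cname = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}
        # Mitigation from comment 1: the field must be explicitly false.
        # An absent field means the cluster default (true, per the comment) applies.
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{name}/{cname}: allowPrivilegeEscalation is not false")
        # Comment 17: capacity isolation only bounds what has a limit set.
        limits = (c.get("resources") or {}).get("limits") or {}
        if "ephemeral-storage" not in limits:
            findings.append(f"{name}/{cname}: no ephemeral-storage limit")
            continue
        raw = limits["ephemeral-storage"]
        try:
            limit = quantity_to_bytes(raw)
        except ValueError:
            findings.append(f"{name}/{cname}: unparseable ephemeral-storage limit {raw!r}")
            continue
        if limit > max_ephemeral_bytes:
            findings.append(
                f"{name}/{cname}: ephemeral-storage limit {limit} B "
                f"exceeds policy ceiling {max_ephemeral_bytes} B"
            )
    return findings


# Constructed sample manifests (hypothetical names and images).
SAMPLE_PODS = [
    {   # hardened: explicit false plus a bounded ephemeral-storage limit
        "apiVersion": "v1", "kind": "Pod",
        "metadata": {"name": "hardened"},
        "spec": {"containers": [{
            "name": "app", "image": "registry.example/app:1.0",
            "securityContext": {"allowPrivilegeEscalation": False},
            "resources": {"limits": {"ephemeral-storage": "512Mi"}},
        }]},
    },
    {   # cluster defaults: field absent, no limit at all
        "apiVersion": "v1", "kind": "Pod",
        "metadata": {"name": "default"},
        "spec": {"containers": [{"name": "app", "image": "registry.example/app:1.0"}]},
    },
    {   # limit present but far above the policy ceiling
        "apiVersion": "v1", "kind": "Pod",
        "metadata": {"name": "oversized"},
        "spec": {"containers": [{
            "name": "app", "image": "registry.example/app:1.0",
            "securityContext": {"allowPrivilegeEscalation": False},
            "resources": {"limits": {"ephemeral-storage": "2Ti"}},
        }]},
    },
]


def audit_all(pods, max_ephemeral_bytes=quantity_to_bytes("10Gi")) -> dict:
    """Map each pod name to its list of findings; 10Gi is a hypothetical ceiling."""
    return {p["metadata"]["name"]: audit_pod(p, max_ephemeral_bytes) for p in pods}


if __name__ == "__main__":
    for pod_name, findings in audit_all(SAMPLE_PODS).items():
        print(f"{pod_name}: {'OK' if not findings else 'FINDINGS'}")
        for f in findings:
            print("  -", f)
```

Running the script prints "hardened: OK" and lists two findings for the "default" pod and one for "oversized". On a live cluster the same functions can be fed the output of `kubectl get pods -A -o json` (the items list) instead of the constructed samples.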

Comment 19 errata-xmlrpc 2020-09-01 18:47:23 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.4

Via RHSA-2020:3579 https://access.redhat.com/errata/RHSA-2020:3579

Comment 20 errata-xmlrpc 2020-09-01 18:55:13 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.4

Via RHSA-2020:3580 https://access.redhat.com/errata/RHSA-2020:3580

Comment 22 errata-xmlrpc 2020-09-23 12:44:33 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.3

Via RHSA-2020:3808 https://access.redhat.com/errata/RHSA-2020:3808

Comment 23 errata-xmlrpc 2020-09-23 14:15:02 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.3

Via RHSA-2020:3809 https://access.redhat.com/errata/RHSA-2020:3809
