
CVE-2017-1002101 - subpath volume mount handling allows arbitrary file access in host filesystem #60813

liggitt opened this issue Mar 5, 2018 · 4 comments

@liggitt liggitt commented Mar 5, 2018


This vulnerability allows containers using subpath volume mounts with any volume type (including non-privileged pods, subject to file permissions) to access files/directories outside of the volume, including the host’s filesystem.

Thanks to Maxim Ivanov for reporting this problem.

Vulnerable versions:

  • Kubernetes 1.3.x-1.6.x
  • Kubernetes 1.7.0-1.7.13
  • Kubernetes 1.8.0-1.8.8
  • Kubernetes 1.9.0-1.9.3

Vulnerable configurations:

  • Clusters that allow untrusted users to control pod spec content, and prevent host filesystem access via hostPath volumes (or other volume types) using PodSecurityPolicy (or custom admission plugins)
  • Clusters that make use of subpath volume mounts with untrusted containers or containers that can be compromised

Vulnerability impact:
A specially crafted pod spec combined with malicious container behavior can allow read/write access to arbitrary files outside volumes specified in the pod, including the host’s filesystem. This can be accomplished with any volume type, including emptyDir, and can be accomplished with a non-privileged pod (subject to file permissions).

Mitigations prior to upgrading:
Prevent untrusted users from creating pods (and pod-creating objects like deployments, replicasets, etc), or disable all volume types with PodSecurityPolicy (note that this prevents use of service account tokens in pods, and requires use of automountServiceAccountToken: false)

Fixed versions:

  • Fixed in v1.7.14 by #61047
  • Fixed in v1.8.9 by #61046
  • Fixed in v1.9.4 by #61045
  • Fixed in master by #61044 (included in v1.10.0-beta.3, will be in v1.10.0)

Action Required:
In addition to upgrading, PodSecurityPolicy objects designed to limit container permissions must completely disable hostPath volumes, as the allowedHostPaths feature does not restrict symlink creation and traversal. Future enhancements (tracked in issue #61043) are required to limit hostPath use to read only volumes or exact path matches before a PodSecurityPolicy can effectively restrict hostPath usage to a given subpath.

Known issues:

  • Status and availability of fixes for regressions in subPath volume mount handling are tracked in #61563
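
As an added audit example (not part of this issue or of the Kubernetes project), the Python below checks cluster objects against the two points the advisory makes: a PodSecurityPolicy must leave hostPath out of spec.volumes rather than constrain it with allowedHostPaths, and workloads that rely on subPath mounts should be inventoried before upgrading. Objects are plain dicts shaped like `kubectl get -o json` items; the sample PSPs and pod are constructed, and the function names are this example's own.

```python
"""Audit helpers for the advisory's mitigations: keep hostPath out of
PodSecurityPolicy and inventory pods that depend on subPath mounts."""

HOSTPATH = "hostPath"  # the PSP volume type name for host filesystem mounts

def audit_psp(psp: dict) -> list[str]:
    """Return findings for one PodSecurityPolicy (empty list means it passes).
    Advisory rule: hostPath must be absent from spec.volumes, because
    allowedHostPaths only prefix-matches the declared path and does not stop
    symlink creation and traversal underneath it."""
    spec = psp.get("spec", {})
    name = psp.get("metadata", {}).get("name", "<unnamed>")
    volumes = spec.get("volumes", [])  # "*" means every volume type
    findings = []
    if "*" in volumes or HOSTPATH in volumes:
        msg = f"{name}: hostPath volumes are allowed"
        if spec.get("allowedHostPaths"):
            msg += " (allowedHostPaths does not prevent symlink traversal)"
        findings.append(msg)
    if not volumes:  # the "disable all volume types" mitigation has a cost
        findings.append(f"{name}: all volume types disabled; pods must set "
                        "automountServiceAccountToken: false")
    return findings

def pods_using_subpath(pods: list[dict]) -> list[tuple[str, str, str]]:
    """Return (pod, container, mountPath) for every volumeMount with subPath,
    across containers and initContainers, so affected workloads are known
    before the upgrade."""
    hits = []
    for pod in pods:
        spec = pod.get("spec", {})
        pod_name = pod.get("metadata", {}).get("name", "<unnamed>")
        for c in spec.get("containers", []) + spec.get("initContainers", []):
            for vm in c.get("volumeMounts", []):
                if vm.get("subPath"):
                    hits.append((pod_name, c["name"], vm["mountPath"]))
    return hits

# Constructed sample objects (not taken from any real cluster).
WEAK_PSP = {"metadata": {"name": "restricted-but-hostpath"},
            "spec": {"volumes": ["emptyDir", HOSTPATH],
                     "allowedHostPaths": [{"pathPrefix": "/var/log"}]}}
HARDENED_PSP = {"metadata": {"name": "restricted"},
                "spec": {"volumes": ["emptyDir", "configMap", "secret"]}}
SAMPLE_POD = {"metadata": {"name": "web"},
              "spec": {"containers": [{"name": "app", "volumeMounts": [
                  {"name": "data", "mountPath": "/srv", "subPath": "site"}]}]}}
```
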

@liggitt liggitt self-assigned this Mar 5, 2018

@k8s-ci-robot k8s-ci-robot commented Mar 5, 2018

@liggitt: There are no sig labels on this issue. Please add a sig label.

A sig label can be added by either:

  1. mentioning a sig: @kubernetes/sig-<group-name>-<group-suffix>
    e.g., @kubernetes/sig-contributor-experience-<group-suffix> to notify the contributor experience sig, OR

  2. specifying the label manually: /sig <group-name>
    e.g., /sig scalability to apply the sig/scalability label

Note: Method 1 will trigger an email to the group. See the group list.
The <group-suffix> in method 1 has to be replaced with one of these: bugs, feature-requests, pr-reviews, test-failures, proposals

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.


@k8s-github-robot k8s-github-robot commented Mar 12, 2018

[MILESTONENOTIFIER] Milestone Issue: Up-to-date for process

@jsafrane @liggitt @msau42

Note: This issue is marked as priority/critical-urgent, and must be updated every 1 day during code freeze.

Example update:

ACK.  In progress
Risks: Complicated fix required

Issue Labels
  • sig/storage: Issue will be escalated to these SIGs if needed.
  • priority/critical-urgent: Never automatically move issue out of a release milestone; continually escalate to contributor and SIG through all available channels.
  • kind/bug: Fixes a bug discovered during the current release.

k8s-github-robot pushed a commit that referenced this issue Mar 12, 2018

Kubernetes Submit Queue
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here.

subpath fixes

fixes #60813 for master / 1.10

Fixes CVE-2017-1002101 - See for details

@liggitt liggitt changed the title from CVE-2017-1002101 to CVE-2017-1002101 - subpath volume mount handling allows arbitrary file access in host filesystem Mar 12, 2018

knisbet added a commit to gravitational/planet that referenced this issue Mar 12, 2018

CVE-2017-1002101 - kubernetes/kubernetes#60813
CVE-2017-1002102 - kubernetes/kubernetes#60814

@dc70184 dc70184 commented Mar 23, 2018

This article states that:

  • Kubernetes 1.7.0-1.7.13

Does this mean all versions between 1.7.0 and 1.17.13 are vulnerable? For example, is 1.17.6 vulnerable?


@msau42 msau42 commented Mar 23, 2018

Anything between 1.7.0 and 1.7.13 is vulnerable, including 1.7.6.

@liggitt liggitt mentioned this issue Apr 17, 2018

pacoxu added a commit to pacoxu/website that referenced this issue Feb 18, 2021