
CVE-2017-1002102 - atomic writer volume handling allows arbitrary file deletion in host filesystem #60814

Closed
liggitt opened this issue Mar 5, 2018 · 5 comments · Fixed by #57422 or #58720
Labels
area/security kind/bug Categorizes issue or PR as related to a bug. official-cve-feed Issues or PRs related to CVEs officially announced by Security Response Committee (SRC) priority/critical-urgent Highest priority. Must be actively worked on as someone's top priority right now. sig/storage Categorizes an issue or PR as relevant to SIG Storage.

Comments

@liggitt
Member

liggitt commented Mar 5, 2018

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H

This vulnerability allows containers using a secret, configMap, projected or downwardAPI volume to trigger deletion of arbitrary files and directories on the nodes where they are running.

Thanks to Joel Smith of Red Hat for reporting this problem.

Vulnerable versions:

  • Kubernetes 1.3.x-1.6.x
  • Kubernetes 1.7.0-1.7.13
  • Kubernetes 1.8.0-1.8.8
  • Kubernetes 1.9.0-1.9.3

Vulnerable configurations:

  • Clusters that run untrusted containers with secret, configMap, downwardAPI or projected volumes mounted (including auto-added service account token mounts).

Vulnerability impact:
A malicious container running in a pod with a secret, configMap, downwardAPI or projected volume mounted (including auto-added service account token mounts) can cause the Kubelet to remove any file or directory on the host filesystem.

Mitigations prior to upgrading:
Do not allow containers to be run with secret, configMap, downwardAPI and projected volumes (note that this prevents use of service account tokens in pods, and requires use of automountServiceAccountToken: false)

Fixed versions:

Fix impact:
Secret, configMap, downwardAPI and projected volumes will be mounted as read-only volumes. Applications that attempt to write to these volumes will receive read-only filesystem errors. Previously, applications were allowed to make changes to these volumes, but those changes were reverted at an arbitrary interval by the system. Applications should be re-configured to write derived files to another location.
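The two manifests below are an added illustration of the advisory's "Mitigations prior to upgrading" and "Fix impact" sections; they are not part of the issue or of Kubernetes itself. The first shows a pod on a vulnerable version run without any secret, configMap, downwardAPI or projected volume and with the automatic service account token mount disabled. The second shows a pod on a fixed version that keeps its configMap mount read-only and writes derived files to an emptyDir instead. Pod names, the image references and tags, the configMap name and the mount paths are constructed placeholders.

```yaml
# Added example, not from the issue. Names, images and paths are placeholders.
---
# Pre-upgrade mitigation on a vulnerable version: the untrusted workload gets
# no secret, configMap, downwardAPI or projected volume, and the automatic
# service account token mount is disabled so the kubelet does not add one.
apiVersion: v1
kind: Pod
metadata:
  name: untrusted-worker            # placeholder name
spec:
  automountServiceAccountToken: false
  containers:
  - name: worker
    image: app.example/worker:1.0   # placeholder image
    volumeMounts:
    - name: scratch
      mountPath: /var/run/app       # emptyDir is not one of the affected volume types
  volumes:
  - name: scratch
    emptyDir: {}
---
# After upgrading to a fixed version the configMap volume is read-only.
# An application that used to edit files in place under the mount copies
# the config into an emptyDir at startup and writes derived files there.
apiVersion: v1
kind: Pod
metadata:
  name: worker-with-config          # placeholder name
spec:
  automountServiceAccountToken: false
  initContainers:
  - name: seed-config
    image: busybox:1.36             # assumed tag; any image with a POSIX cp works
    # -L follows the symlinks the configMap volume uses internally so plain files are copied
    command: ["sh", "-c", "cp -L /config-ro/* /config-rw/"]
    volumeMounts:
    - name: app-config
      mountPath: /config-ro
      readOnly: true
    - name: app-config-rw
      mountPath: /config-rw
  containers:
  - name: worker
    image: app.example/worker:1.0   # placeholder image
    volumeMounts:
    - name: app-config-rw           # writable copy; derived files are written here
      mountPath: /etc/app
  volumes:
  - name: app-config
    configMap:
      name: worker-config           # placeholder configMap name
  - name: app-config-rw
    emptyDir: {}
```

Applications that only read their configuration need no change after the fix; the init-container copy is only for workloads that previously wrote into the secret or configMap mount and will now get read-only filesystem errors.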

@liggitt liggitt self-assigned this Mar 5, 2018
@k8s-ci-robot
Contributor

@liggitt: There are no sig labels on this issue. Please add a sig label.

A sig label can be added by either:

  1. mentioning a sig: @kubernetes/sig-<group-name>-<group-suffix>
    e.g., @kubernetes/sig-contributor-experience-<group-suffix> to notify the contributor experience sig, OR

  2. specifying the label manually: /sig <group-name>
    e.g., /sig scalability to apply the sig/scalability label

Note: Method 1 will trigger an email to the group. See the group list.
The <group-suffix> in method 1 has to be replaced with one of these: bugs, feature-requests, pr-reviews, test-failures, proposals

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added the needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. label Mar 5, 2018
@liggitt liggitt added sig/release Categorizes an issue or PR as relevant to SIG Release. and removed needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Mar 5, 2018
@liggitt liggitt closed this as completed Mar 5, 2018
@liggitt liggitt changed the title <placeholder> CVE-2017-1002102 Mar 12, 2018
@liggitt liggitt reopened this Mar 12, 2018
@liggitt liggitt added kind/bug Categorizes issue or PR as related to a bug. priority/critical-urgent Highest priority. Must be actively worked on as someone's top priority right now. area/security sig/storage Categorizes an issue or PR as relevant to SIG Storage. and removed sig/release Categorizes an issue or PR as relevant to SIG Release. labels Mar 12, 2018
@liggitt liggitt changed the title CVE-2017-1002102 CVE-2017-1002102 - atomic writer volume handling allows arbitrary file deletion in host filesystem Mar 12, 2018
@liggitt liggitt closed this as completed Mar 12, 2018
@msau42
Member

msau42 commented Apr 4, 2018

@sgorbaty thanks for reviewing the patch! Hard links are fine in this case because they cannot cross mounts. In general, if you see any further issues, please report it following the security disclosure process.

@kubernetes/sig-storage-bugs

@mingfang

Forcing configmap and secret mounts to be readonly is not acceptable.
I should have the option to make it writeable.
Also the ReadOnlyAPIDataVolumes feature gate will be removed so I'm forced to change my application because of this.

timn added a commit to timn/ceph-container that referenced this issue May 13, 2018
In k8s 1.9.4 and later a fix for kubernetes/kubernetes#60814 makes
mounted secrets and config maps read-only. This breaks the current
ceph-container image.

This is a first patch fixing one of the issues. More fixes are
required. See ceph#1004 for more details.
onap-github pushed a commit to onap/doc that referenced this issue May 15, 2018
Project: oom master 180384b6787e2fe1663b93057e6024d7811c504a

Merge "enforcing helm and kubernetes version requirements"

enforcing helm and kubernetes version requirements

helm 2.8.x
k8s 1.7.14+ and 1.8.9+

versions selected because of:
kubernetes/kubernetes#60814

Issue-ID: OOM-1075

Change-Id: Ife365ac8e8b7812c1fe4fa0764739511c3c6eb55
Signed-off-by: Mandeep Khinda <mandeep.khinda@amdocs.com>
onap-github pushed a commit to onap/oom that referenced this issue May 15, 2018
helm 2.8.x
k8s 1.7.14+ and 1.8.9+

versions selected because of:
kubernetes/kubernetes#60814

Issue-ID: OOM-1075

Change-Id: Ife365ac8e8b7812c1fe4fa0764739511c3c6eb55
Signed-off-by: Mandeep Khinda <mandeep.khinda@amdocs.com>
@PushkarJ
Member

/label official-cve-feed

(Related to kubernetes/sig-security#1)

6 participants