Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CVE-2017-1002101 - subpath volume mount handling allows arbitrary file access in host filesystem #60813

Closed
liggitt opened this issue Mar 5, 2018 · 5 comments · Fixed by #61044
Closed

CVE-2017-1002101 - subpath volume mount handling allows arbitrary file access in host filesystem #60813

liggitt opened this issue Mar 5, 2018 · 5 comments · Fixed by #61044
Assignees
@liggitt @jsafrane @msau42
Labels
area/security kind/bug Categorizes issue or PR as related to a bug. official-cve-feed Issues or PRs related to CVEs officially announced by Security Response Committee (SRC) priority/critical-urgent Highest priority. Must be actively worked on as someone's top priority right now. sig/storage Categorizes an issue or PR as relevant to SIG Storage.
Milestone
v1.10

Comments

@liggitt
Copy link
Member

liggitt commented Mar 5, 2018
edited
Loading

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

This vulnerability allows containers using subpath volume mounts with any volume type (including non-privileged pods, subject to file permissions) to access files/directories outside of the volume, including the host’s filesystem.

Thanks to Maxim Ivanov for reporting this problem.

Vulnerable versions:

  • Kubernetes 1.3.x-1.6.x
  • Kubernetes 1.7.0-1.7.13
  • Kubernetes 1.8.0-1.8.8
  • Kubernetes 1.9.0-1.9.3

Vulnerable configurations:

  • Clusters that allow untrusted users to control pod spec content, and prevent host filesystem access via hostPath volumes (or other volume types) using PodSecurityPolicy (or custom admission plugins)
  • Clusters that make use of subpath volume mounts with untrusted containers or containers that can be compromised

Vulnerability impact:
A specially crafted pod spec combined with malicious container behavior can allow read/write access to arbitrary files outside volumes specified in the pod, including the host’s filesystem. This can be accomplished with any volume type, including emptyDir, and can be accomplished with a non-privileged pod (subject to file permissions).

Mitigations prior to upgrading:
Prevent untrusted users from creating pods (and pod-creating objects like deployments, replicasets, etc), or disable all volume types with PodSecurityPolicy (note that this prevents use of service account tokens in pods, and requires use of automountServiceAccountToken: false)

Fixed versions:

Action Required:
In addition to upgrading, PodSecurityPolicy objects designed to limit container permissions must completely disable hostPath volumes, as the allowedHostPaths feature does not restrict symlink creation and traversal. Future enhancements (tracked in issue #61043) are required to limit hostPath use to read only volumes or exact path matches before a PodSecurityPolicy can effectively restrict hostPath usage to a given subpath.

Known issues:
@liggitt liggitt self-assigned this Mar 5, 2018
@k8s-ci-robot k8s-ci-robot added the needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. label Mar 5, 2018
@k8s-ci-robot
Copy link
Contributor

@liggitt: There are no sig labels on this issue. Please add a sig label.

A sig label can be added by either:

  1. mentioning a sig: @kubernetes/sig-<group-name>-<group-suffix>
    e.g., @kubernetes/sig-contributor-experience-<group-suffix> to notify the contributor experience sig, OR

  2. specifying the label manually: /sig <group-name>
    e.g., /sig scalability to apply the sig/scalability label

Note: Method 1 will trigger an email to the group. See the group list.
The <group-suffix> in method 1 has to be replaced with one of these: bugs, feature-requests, pr-reviews, test-failures, proposals

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@liggitt liggitt added sig/release Categorizes an issue or PR as relevant to SIG Release. and removed needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Mar 5, 2018
@liggitt liggitt closed this as completed Mar 5, 2018
This was referenced Mar 12, 2018
Merged
Merged
Merged
Merged
@liggitt liggitt reopened this Mar 12, 2018
@liggitt liggitt changed the title <placeholder> CVE-2017-1002101 Mar 12, 2018
@liggitt liggitt added kind/bug Categorizes issue or PR as related to a bug. priority/critical-urgent Highest priority. Must be actively worked on as someone's top priority right now. area/security sig/storage Categorizes an issue or PR as relevant to SIG Storage. status/approved-for-milestone and removed sig/release Categorizes an issue or PR as relevant to SIG Release. labels Mar 12, 2018
@liggitt liggitt added this to the v1.10 milestone Mar 12, 2018
@k8s-github-robot
Copy link

[MILESTONENOTIFIER] Milestone Issue: Up-to-date for process

@jsafrane @liggitt @msau42

Note: This issue is marked as priority/critical-urgent, and must be updated every 1 day during code freeze.

Example update:

ACK.  In progress
ETA: DD/MM/YYYY
Risks: Complicated fix required
Issue Labels
  • sig/storage: Issue will be escalated to these SIGs if needed.
  • priority/critical-urgent: Never automatically move issue out of a release milestone; continually escalate to contributor and SIG through all available channels.
  • kind/bug: Fixes a bug discovered during the current release.
Help

k8s-github-robot pushed a commit that referenced this issue Mar 12, 2018
Merge pull request #61044 from liggitt/subpath-master
3d1331f 
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

subpath fixes

fixes #60813 for master / 1.10

```release-note
Fixes CVE-2017-1002101 - See https://issue.k8s.io/60813 for details
```
@liggitt liggitt changed the title CVE-2017-1002101 CVE-2017-1002101 - subpath volume mount handling allows arbitrary file access in host filesystem Mar 12, 2018
@mikesplain mikesplain mentioned this issue Mar 12, 2018
Merged
knisbet pushed a commit to gravitational/planet that referenced this issue Mar 12, 2018
Bump kubernetes to avoid recently published CVE's
f1fc89a 
CVE-2017-1002101 - kubernetes/kubernetes#60813
CVE-2017-1002102 - kubernetes/kubernetes#60814
@knisbet knisbet mentioned this issue Mar 12, 2018
Merged
@gh1001 gh1001 mentioned this issue Mar 12, 2018
Closed
@Silvenga Silvenga mentioned this issue Mar 13, 2018
Closed
4 tasks
@andyzhangx andyzhangx mentioned this issue Mar 16, 2018
Closed
@liggitt liggitt mentioned this issue Mar 22, 2018
Closed
8 tasks
@vincent99 vincent99 mentioned this issue Mar 23, 2018
Closed
@dc70184
Copy link

dc70184 commented Mar 23, 2018

This article states that:
•Kubernetes 1.7.0-1.7.13

Does this mean all versions between 1.7.0 and 1.17.13 are vulnerable? For example, is 1.17.6 vulnerable?

@msau42
Copy link
Member

msau42 commented Mar 23, 2018

anything between 1.7.0 and 1.7.13 are vulnerable, including 1.7.6

@magaldima magaldima mentioned this issue Mar 28, 2018
Closed
@msau42 msau42 mentioned this issue Apr 6, 2018
Closed
@kevtaylor kevtaylor mentioned this issue Apr 11, 2018
Closed
@liggitt liggitt mentioned this issue Apr 17, 2018
Closed
2 tasks
@andyzhangx andyzhangx mentioned this issue Jul 6, 2018
Closed
@outcoldman outcoldman mentioned this issue Oct 14, 2018
Closed
@msau42 msau42 mentioned this issue Nov 3, 2018
Merged
@surajssd surajssd mentioned this issue Jan 21, 2020
Merged
@myugan myugan mentioned this issue Jun 16, 2020
Open
pacoxu added a commit to pacoxu/website that referenced this issue Feb 18, 2021
@pacoxu
VolumeSubpath is GA since 1.10
037e767 
kubernetes/kubernetes#60813
This was referenced Feb 18, 2021
Merged
Merged
@liggitt liggitt mentioned this issue Jul 10, 2021
Merged
Closed
@PushkarJ
Copy link
Member

/label official-cve-feed

(Related to kubernetes/sig-security#1)

@k8s-ci-robot k8s-ci-robot added the official-cve-feed Issues or PRs related to CVEs officially announced by Security Response Committee (SRC) label May 16, 2022
@k8s-sec-alert k8s-sec-alert mentioned this issue Sep 18, 2022
Open
This was referenced May 7, 2024
Open
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@liggitt liggitt

@jsafrane jsafrane

@msau42 msau42

Labels
area/security kind/bug Categorizes issue or PR as related to a bug. official-cve-feed Issues or PRs related to CVEs officially announced by Security Response Committee (SRC) priority/critical-urgent Highest priority. Must be actively worked on as someone's top priority right now. sig/storage Categorizes an issue or PR as relevant to SIG Storage.
Projects
None yet
Milestone
v1.10
Development

Successfully merging a pull request may close this issue.

subpath fixes liggitt/kubernetes
7 participants
@liggitt @jsafrane @PushkarJ @k8s-github-robot @k8s-ci-robot @msau42 @dc70184