Description
In Kubernetes v1.8.x-v1.14.x, schema info is cached by kubectl in the location specified by --cache-dir (defaulting to $HOME/.kube/http-cache), written with world-writeable permissions (rw-rw-rw-). If --cache-dir is specified and pointed at a different location accessible to other users/groups, the written files may be modified by other users/groups and disrupt the kubectl invocation.
A flaw was found in kubectl that leaves http-cache files with read/write permissions for any user. In conjunction with a non-default value for --cache-dir, this may lead to the cache content being placed in a location accessible to other users on the system.
Statement
OpenShift Container Platform includes kubectl. OCP 3.9 and later include this same flaw. This issue does not affect the version of Kubernetes (embedded in heketi) shipped with Red Hat Gluster Storage 3 as it does not contain the vulnerable functionality.
Mitigation
Do not use --cache-dir, or ensure that --cache-dir is not set to a location that other users have access to.
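The mitigation above is a configuration rule; the following POSIX shell script, added here and not part of the advisory, turns it into a check: it audits the directory given to --cache-dir (default $HOME/.kube/http-cache) for the world-writable entries affected kubectl versions leave behind and strips group/other access from them. The cache directory used in the demonstration is a constructed temporary directory, not a real kubectl cache.

```shell
#!/bin/sh
# Added example, not part of the original advisory: audit the directory kubectl
# uses for its HTTP schema cache (--cache-dir, default $HOME/.kube/http-cache) for
# the world-writable files this flaw leaves behind, and tighten them.

# List every file or directory under $1 that is writable by "other" (mode bit 0002).
# Returns 0 when the tree is clean, 1 when at least one world-writable entry exists.
audit_cache_dir() {
    dir="$1"
    if [ ! -d "$dir" ]; then
        echo "audit: $dir does not exist (nothing cached yet)" >&2
        return 0
    fi
    bad=$(find "$dir" -perm -0002 2>/dev/null)
    if [ -n "$bad" ]; then
        echo "world-writable entries under $dir:" >&2
        echo "$bad" >&2
        return 1
    fi
    return 0
}

# Remove group/other access from the whole cache tree so only the owner can read
# or modify cached schema data. kubectl rewrites the cache as needed, so this is safe.
harden_cache_dir() {
    dir="$1"
    [ -d "$dir" ] || return 0
    chmod -R go-rwx "$dir"
}

# Demonstration on a constructed cache directory (a temp dir standing in for the
# --cache-dir location), seeded with a file created the way affected kubectl versions did.
demo_cache_dir=$(mktemp -d)
mkdir -p "$demo_cache_dir/openapi"
echo '{"swagger":"2.0"}' > "$demo_cache_dir/openapi/schema.json"   # constructed sample content
chmod 666 "$demo_cache_dir/openapi/schema.json"                     # rw-rw-rw-, as in the flaw

if audit_cache_dir "$demo_cache_dir"; then
    echo "cache dir looks fine"
else
    echo "fixing permissions"
    harden_cache_dir "$demo_cache_dir"
    audit_cache_dir "$demo_cache_dir" && echo "cache dir hardened"
fi
rm -rf "$demo_cache_dir"
```

Run it against the real cache directory with `audit_cache_dir "$HOME/.kube/http-cache"` (or the value passed to --cache-dir); a non-zero exit means another local user could alter cached schema data.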
Affected packages
Platform | Package | State | Advisory | Release |
---|---|---|---|---|
Red Hat OpenShift Container Platform 3.10 | atomic-openshift | Affected | ||
Red Hat OpenShift Container Platform 3.6 | atomic-openshift | Not affected | ||
Red Hat OpenShift Container Platform 3.7 | atomic-openshift | Not affected | ||
Red Hat OpenShift Container Platform 3.9 | atomic-openshift | Affected | ||
Red Hat Storage 3 | heketi | Not affected | ||
Red Hat OpenShift Container Platform 3.11 | atomic-openshift | Fixed | RHSA-2020:0020 | 14.01.2020 |
Red Hat OpenShift Container Platform 4.1 | openshift | Fixed | RHSA-2019:3942 | 21.11.2019 |
Red Hat OpenShift Container Platform 4.1 | openshift4/ose-cli | Fixed | RHSA-2020:0074 | 21.01.2020 |
Additional information
Status:
EPSS
3.3 Low
CVSS3
Related vulnerabilities
ELSA-2019-4717: kubeadm-ha-setup security update (IMPORTANT)