Описание
In kubelet v1.13.6 and v1.14.2, containers for pods that do not specify an explicit runAsUser attempt to run as uid 0 (root) on container restart, or if the image was previously pulled to the node. If the pod specified mustRunAsNonRoot: true, the kubelet will refuse to start the container as root. If the pod did not specify mustRunAsNonRoot: true, the kubelet will run the container as uid 0.
Отчет
This vulnerability only affects upstream Kubernetes versions 1.13.6 and 1.14.2. All released versions of Red Hat OpenShift Container Platform and Red Hat Gluster Storage 3 are not affected by this flaw as they do not contain the vulnerable code.
Меры по смягчению последствий
There are two potential mitigations to this issue:
- Downgrade to kubelet v1.13.5 or v1.14.1 as instructed by your Kubernetes distribution.
- Set RunAsUser on all pods in the cluster that should not run as root. This is a Security Context feature; the docs are at https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat OpenShift Container Platform 3.10 | atomic-openshift | Not affected | ||
| Red Hat OpenShift Container Platform 3.11 | atomic-openshift | Not affected | ||
| Red Hat OpenShift Container Platform 3.6 | atomic-openshift | Not affected | ||
| Red Hat OpenShift Container Platform 3.7 | atomic-openshift | Not affected | ||
| Red Hat OpenShift Container Platform 3.9 | atomic-openshift | Not affected | ||
| Red Hat OpenShift Container Platform 4 | openshift | Not affected | ||
| Red Hat Storage 3 | heketi | Not affected |
Показывать по
Дополнительная информация
Статус:
EPSS
4.9 Medium
CVSS3
Связанные уязвимости
In kubelet v1.13.6 and v1.14.2, containers for pods that do not specify an explicit runAsUser attempt to run as uid 0 (root) on container restart, or if the image was previously pulled to the node. If the pod specified mustRunAsNonRoot: true, the kubelet will refuse to start the container as root. If the pod did not specify mustRunAsNonRoot: true, the kubelet will run the container as uid 0.
In kubelet v1.13.6 and v1.14.2, containers for pods that do not specify an explicit runAsUser attempt to run as uid 0 (root) on container restart, or if the image was previously pulled to the node. If the pod specified mustRunAsNonRoot: true, the kubelet will refuse to start the container as root. If the pod did not specify mustRunAsNonRoot: true, the kubelet will run the container as uid 0.
In kubelet v1.13.6 and v1.14.2, containers for pods that do not specif ...
EPSS
4.9 Medium
CVSS3