Description
The Kubernetes kubelet component in versions 1.1-1.16.12, 1.17.0-1.17.8 and 1.18.0-1.18.5 (fixed in 1.16.13, 1.17.9 and 1.18.6) does not account for disk usage by a pod that writes to its own /etc/hosts file. The /etc/hosts file mounted into a pod by kubelet is not included by the kubelet eviction manager when calculating the pod's ephemeral storage usage. If a pod writes a large amount of data to the /etc/hosts file, it can fill the storage space of the node and cause the node to fail.
A flaw was found in Kubernetes, where the amount of disk space the /etc/hosts file can use is unconstrained. The file is created by kubelet on the node's filesystem and bind-mounted into the pod, so data written to it consumes node disk without being charged to the pod's ephemeral-storage limit. This flaw allows attacker-controlled pods to cause a denial of service if they can write to that /etc/hosts file.
Statement
In OpenShift Container Platform (OCP) the LocalStorageCapacityIsolation feature gate enables accounting of ephemeral storage, which prevents a denial of service (DoS) attack on the node by a pod filling its ephemeral storage. This feature is disabled by default in OCP 3.11 and can be enabled as per [1]. Even with the LocalStorageCapacityIsolation feature gate enabled, OCP is affected by this vulnerability, because the eviction manager that does the accounting is the component that fails to count /etc/hosts. It is therefore recommended to enable the feature gate and also upgrade to an OCP version that has a fix for this vulnerability. [1] https://docs.openshift.com/container-platform/3.11/install_config/configuring_ephemeral.html
Mitigation
On OpenShift Container Platform (OCP) 3.11 and 4.x it is possible to set the allowPrivilegeEscalation Security Context Constraint to 'false' to prevent this. Note that this is set to 'true' by default, and setting it to 'false' will cause certain binaries that rely on setuid to stop working. On OCP 3.11, for example, the 'ping' command will no longer work [1]. On OCP 4.x and later the 'ping' command still works with allowPrivilegeEscalation set to 'false', but other setuid binaries will not. [1] https://docs.openshift.com/container-platform/3.11/release_notes/ocp_3_11_release_notes.html
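The following audit script is an added example and is not code from this advisory, Red Hat or the Kubernetes project. It ties together the two actionable parts of the page: it classifies kubelet versions against the affected ranges quoted in the description (so you know which nodes need the upgrade), and on nodes that are still affected it lists pods whose containers do not carry `securityContext.allowPrivilegeEscalation: false`, the mitigation recommended above. Assumptions: the mitigation is checked as it appears in the admitted pod spec (which is where an SCC or PodSecurityPolicy places it), and `NODES_JSON` / `PODS_JSON` are constructed samples shaped like `kubectl get nodes -o json` and `kubectl get pods -A -o json`; the node and pod names are made up.

```python
"""Audit helper for CVE-2020-8557 (kubelet /etc/hosts not counted against
ephemeral storage). Added example; not the advisory's or the project's code.

NODES_JSON and PODS_JSON below are constructed samples in the shape of
`kubectl get nodes -o json` and `kubectl get pods -A -o json`.
"""
import json
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# (lowest affected, highest affected), both inclusive, from the advisory text.
# The first release of each line with the fix is 1.16.13, 1.17.9 and 1.18.6.
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((1, 1, 0), (1, 16, 12)),
    ((1, 17, 0), (1, 17, 8)),
    ((1, 18, 0), (1, 18, 5)),
]

# Accepts "v1.18.3", "1.18.3", "v1.18.3+build.1"; build/pre-release suffixes
# after the patch number are ignored for the range comparison.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_kubelet_version(ver: str) -> Version:
    m = _VERSION_RE.match(ver.strip())
    if not m:
        raise ValueError(f"unrecognised kubelet version: {ver!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(ver: str) -> bool:
    """True if the kubelet version falls inside one of the affected ranges."""
    v = parse_kubelet_version(ver)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def vulnerable_nodes(nodes_json: str) -> Dict[str, str]:
    """Map node name -> kubeletVersion for every node running an affected kubelet."""
    result: Dict[str, str] = {}
    for node in json.loads(nodes_json).get("items", []):
        ver = node["status"]["nodeInfo"]["kubeletVersion"]
        if is_affected(ver):
            result[node["metadata"]["name"]] = ver
    return result


def pods_without_mitigation(pods_json: str, vuln_nodes: Dict[str, str]) -> List[str]:
    """'namespace/name' of pods on a vulnerable node where at least one container
    (init containers included) lacks securityContext.allowPrivilegeEscalation: false."""
    flagged: List[str] = []
    for pod in json.loads(pods_json).get("items", []):
        spec = pod.get("spec", {})
        if spec.get("nodeName") not in vuln_nodes:
            continue  # patched node: its kubelet accounts for /etc/hosts itself
        containers = spec.get("containers", []) + spec.get("initContainers", [])
        for c in containers:
            sc = c.get("securityContext") or {}
            # An absent field means the default (true); only an explicit false passes.
            if sc.get("allowPrivilegeEscalation") is not False:
                flagged.append(f"{pod['metadata']['namespace']}/{pod['metadata']['name']}")
                break
    return flagged


# Constructed sample: two affected nodes (node-1, node-3) and two fixed ones.
NODES_JSON = json.dumps({"items": [
    {"metadata": {"name": "node-1"}, "status": {"nodeInfo": {"kubeletVersion": "v1.18.3"}}},
    {"metadata": {"name": "node-2"}, "status": {"nodeInfo": {"kubeletVersion": "v1.18.6"}}},
    {"metadata": {"name": "node-3"}, "status": {"nodeInfo": {"kubeletVersion": "v1.17.8+build.1"}}},
    {"metadata": {"name": "node-4"}, "status": {"nodeInfo": {"kubeletVersion": "v1.16.13"}}},
]})


def _pod(ns: str, name: str, node: str, sc: dict = None) -> dict:
    """Build a minimal constructed pod document for the sample below."""
    c = {"name": "app", "image": "registry.example/app:1.0"}
    if sc is not None:
        c["securityContext"] = sc
    return {"metadata": {"namespace": ns, "name": name},
            "spec": {"nodeName": node, "containers": [c]}}


PODS_JSON = json.dumps({"items": [
    _pod("default", "hardened", "node-1", {"allowPrivilegeEscalation": False}),
    _pod("default", "no-security-context", "node-1"),
    _pod("default", "on-patched-node", "node-2"),
    _pod("kube-system", "escalates", "node-3", {"allowPrivilegeEscalation": True}),
]})


def audit() -> Tuple[Dict[str, str], List[str]]:
    """Run both checks over the sample data and return (nodes to upgrade, pods to fix)."""
    nodes = vulnerable_nodes(NODES_JSON)
    return nodes, pods_without_mitigation(PODS_JSON, nodes)


if __name__ == "__main__":
    nodes, pods = audit()
    for name, ver in nodes.items():
        print(f"UPGRADE  {name}: kubelet {ver} is affected by CVE-2020-8557")
    for p in pods:
        print(f"MITIGATE {p}: set allowPrivilegeEscalation: false until the node is upgraded")
```

To use it against a live cluster, feed the real output of `kubectl get nodes -o json` and `kubectl get pods -A -o json` into `vulnerable_nodes` and `pods_without_mitigation` instead of the constructed samples. Treat an unparseable kubelet version as a finding in its own right rather than silently skipping it: the script raises on it deliberately.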
Additional information
Status:
CVSS3: 5.5 Medium
Related vulnerabilities
Bugfixes on cilium, gangway and skuba and security fix for Kubernetes (cve-2020-8557)