SB2018030507 - Multiple vulnerabilities in Kubernetes
Published: March 5, 2018 Updated: July 30, 2018
Security Bulletin ID
SB2018030507
Severity
Low
Patch available
YES
Number of vulnerabilities
3
Exploitation vector
Remote access
Highest impact
Data manipulation
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 secuirty vulnerabilities.
1) Denial of service (CVE-ID: CVE-2017-1002102)
The vulnerability allows an adjacent authenticated attacker to cause DoS condition on the target system.The weakness exists due to improper atomic writer volume handling when using a container with secret, configMap, projected, or downwardAPI volume. An adjacent attacker can delete arbitrary files and directories and cause the service to crash.
2) Information disclosure (CVE-ID: CVE-2017-1002101)
The vulnerability allows a remote authenticated attacker to obtain potentially sensitive information on the target system.The weakness exists due to improper security restrictions when using subpath volume mounts with any volume type. A remote attacker can gain unauthorized access to files and directories.
3) Path traversal (CVE-ID: CVE-2018-1002100)
The vulnerability allows a remote attacker to conduct path traversal attack on the target system.
The vulnerability exists due to the kubectl cp command insecurely handles tar data returned from the container. A remote unauthenticated attacker can conduct path traversal attack and overwrite arbitrary local files.
Remediation
Install update from vendor's website.