Main Vulnerability Database SB2021110213

SB2021110213 - Red Hat OpenShift Container Platform 3.11 update for kubernetes

Published: November 2, 2021

Security Bulletin ID SB2021110213

Severity

Low

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Local access

Highest impact Denial of service

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Resource exhaustion (CVE-ID: CVE-2020-8557)

The vulnerability allows a local authenticated user to perform a denial of service (DoS) attack.

The Kubernetes kubelet component in versions 1.1-1.16.12, 1.17.0-1.17.8 and 1.18.0-1.18.5 do not account for disk usage by a pod which writes to its own /etc/hosts file. The /etc/hosts file mounted in a pod by kubelet is not included by the kubelet eviction manager when calculating ephemeral storage usage by a pod. If a pod writes a large amount of data to the /etc/hosts file, it could fill the storage space of the node and cause the node to fail.

Remediation

Install update from vendor's website.

References

https://access.redhat.com/errata/RHSA-2021:3915

Vulnerable Software

openshift-kuryr (Red Hat package): 3.11.153-1.git.1.073ef06.el7 - 3.11.524-1.git.b234b49.el7
openshift-enterprise-cluster-capacity (Red Hat package): 3.11.16-1.git.380.1406f2f.el7 - 3.11.524-1.git.22be164.el7
openshift-enterprise-autoheal (Red Hat package): 3.11.16-1.git.219.5443970.el7 - 3.11.524-1.git.f2f435d.el7
openshift-ansible (Red Hat package): 3.11.16-1.git.0.4ac6f81.el7 - 3.11.524-1.git.0.150f8a9.el7
golang-github-prometheus-prometheus (Red Hat package): 3.11.16-1.git.5020.5e81ed1.el7 - 3.11.524-1.git.99aae51.el7
golang-github-prometheus-node_exporter (Red Hat package): 3.11.16-1.git.1056.1583d2a.el7 - 3.11.524-1.git.609cd20.el7
golang-github-prometheus-alertmanager (Red Hat package): 3.11.16-1.git.0.be735ec.el7 - 3.11.524-1.git.13de638.el7
golang-github-openshift-oauth-proxy (Red Hat package): 3.11.16-1.git.409.922769e.el7 - 3.11.524-1.git.edebe84.el7
atomic-openshift-web-console (Red Hat package): 3.11.16-1.git.289.ecf7441.el7 - 3.11.524-1.git.56ad978.el7
atomic-openshift-service-idler (Red Hat package): 3.11.16-1.git.14.a65cbf0.el7 - 3.11.524-1.git.39cfc66.el7
atomic-openshift-node-problem-detector (Red Hat package): 3.11.16-1.git.198.95f4dfa.el7 - 3.11.524-1.git.c8f26da.el7
atomic-openshift-metrics-server (Red Hat package): 3.11.16-1.git.52.9fd74a8.el7 - 3.11.524-1.git.f8bf728.el7
atomic-openshift-dockerregistry (Red Hat package): 3.11.51-1.git.446.d29ce0e.el7 - 3.11.524-1.git.3571208.el7
atomic-openshift-descheduler (Red Hat package): 3.11.16-1.git.300.abfab3c.el7 - 3.11.524-1.git.d435537.el7
atomic-openshift-cluster-autoscaler (Red Hat package): 3.11.16-1.git.0.8c8305e.el7 - 3.11.524-1.git.99b2acf.el7
atomic-openshift (Red Hat package): 3.11.16-1.git.0.b48b8f8.el7 - 3.11.524-1.git.0.2dffce7.el7
atomic-enterprise-service-catalog (Red Hat package): 3.11.16-1.git.1633.05087cb.el7 - 3.11.524-1.git.2e6be86.el7
Red Hat OpenShift Container Platform: 3.11.0 - 3.11.524