Denial of service in Kubernetes - CVE-2017-1002102
Published: March 16, 2018 / Updated: March 16, 2018
Vulnerability identifier: #VU11122
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2017-1002102
CWE-ID: CWE-264
Exploitation vector: Adjacent network
Exploit availability:
No public exploit available
Vendor: Kubernetes
Affected software:
Kubernetes
Detailed vulnerability description
The vulnerability allows an adjacent authenticated attacker to cause a denial of service (DoS) condition on the target system.
The weakness exists due to improper handling in the atomic writer used for secret, configMap, projected and downwardAPI volumes. A user who can run a container that mounts one of these volume types can make the kubelet delete arbitrary files and directories on the node hosting that container, causing services on the node to crash.
How to mitigate CVE-2017-1002102
Update to versions 1.10.0-beta.3 or 1.10.0-beta.4.
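A practical way to act on this advisory is to find the nodes whose kubelet predates the fixed build and the pods scheduled on them that mount one of the four affected volume types. The triage script below is an added example written for this page, not code from Kubernetes or from the advisory's publisher. It assumes the JSON shape produced by `kubectl get nodes -o json` and `kubectl get pods -A -o json`, takes the fix threshold (1.10.0-beta.3) from the mitigation text above, and treats every older version as affected; if your distribution backported the fix to another release line, adjust `FIXED_VERSION` accordingly. The node and pod documents embedded at the bottom are constructed samples, not output from a real cluster. The version comparison handles the pre-release ordering edge case that a plain string compare gets wrong (1.10.0-beta.3 must sort before 1.10.0, and beta.2 before beta.3).

```python
"""Triage helper for CVE-2017-1002102 (example code, not from the Kubernetes project).

Flags nodes whose kubelet is older than the fixed build named in the advisory and
lists the pods on those nodes that mount a secret, configMap, projected or
downwardAPI volume, i.e. the volume types handled by the vulnerable atomic writer.
"""
import json
import re
import sys

# Fix threshold taken from the advisory's mitigation section (assumption: no backport).
FIXED_VERSION = "1.10.0-beta.3"
# Volume types named in the advisory as handled by the affected atomic writer.
AFFECTED_VOLUME_TYPES = ("secret", "configMap", "projected", "downwardAPI")

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?")


def parse_version(text):
    """Turn 'v1.10.0-beta.3' into a tuple that orders like semantic versions.

    A release (no pre-release tag) sorts after any pre-release of the same core,
    and numeric pre-release identifiers sort before alphanumeric ones, as semver
    requires, so mixed identifiers never raise TypeError when compared.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Kubernetes version string: {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    pre = m.group(4)
    if pre is None:
        pre_key = (1, ())  # final release: higher than every pre-release
    else:
        parts = tuple((0, int(p)) if p.isdigit() else (1, p) for p in pre.split("."))
        pre_key = (0, parts)
    return (major, minor, patch, pre_key)


def is_vulnerable(kubelet_version):
    """True when the kubelet is older than the fixed build from the advisory."""
    return parse_version(kubelet_version) < parse_version(FIXED_VERSION)


def affected_nodes(nodes):
    """Return [(node name, kubelet version)] for nodes below the fix threshold."""
    out = []
    for item in nodes.get("items", []):
        version = item["status"]["nodeInfo"]["kubeletVersion"]
        if is_vulnerable(version):
            out.append((item["metadata"]["name"], version))
    return out


def affected_volumes(pod):
    """Names of the pod's volumes whose type is one the advisory lists."""
    volumes = pod.get("spec", {}).get("volumes") or []
    return [v["name"] for v in volumes if any(t in v for t in AFFECTED_VOLUME_TYPES)]


def pods_with_affected_volumes(pods):
    """Map 'namespace/pod' -> affected volume names, for every pod that has any."""
    result = {}
    for pod in pods.get("items", []):
        vols = affected_volumes(pod)
        if vols:
            md = pod["metadata"]
            result[f"{md.get('namespace', 'default')}/{md['name']}"] = vols
    return result


def triage(nodes, pods):
    """[(namespace/pod, node, volumes)] for pods that are exposed right now:
    scheduled on an unpatched node and mounting an affected volume type."""
    exposed_nodes = {name for name, _ in affected_nodes(nodes)}
    findings = []
    for pod in pods.get("items", []):
        node = pod.get("spec", {}).get("nodeName")
        vols = affected_volumes(pod)
        if node in exposed_nodes and vols:
            md = pod["metadata"]
            findings.append((f"{md.get('namespace', 'default')}/{md['name']}", node, vols))
    return findings


# Constructed sample documents (not captured from a real cluster).
SAMPLE_NODES = {"items": [
    {"metadata": {"name": "node-a"}, "status": {"nodeInfo": {"kubeletVersion": "v1.9.3"}}},
    {"metadata": {"name": "node-b"}, "status": {"nodeInfo": {"kubeletVersion": "v1.10.0-beta.4"}}},
]}
SAMPLE_PODS = {"items": [
    {"metadata": {"name": "web", "namespace": "default"},
     "spec": {"nodeName": "node-a", "volumes": [
         {"name": "creds", "secret": {"secretName": "db-creds"}},
         {"name": "data", "emptyDir": {}}]}},
    {"metadata": {"name": "batch", "namespace": "jobs"},
     "spec": {"nodeName": "node-b", "volumes": [
         {"name": "cfg", "configMap": {"name": "app-cfg"}}]}},
]}

if __name__ == "__main__":
    # Usage: python triage.py nodes.json pods.json   (defaults to the samples above)
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f, open(sys.argv[2]) as g:
            nodes_doc, pods_doc = json.load(f), json.load(g)
    else:
        nodes_doc, pods_doc = SAMPLE_NODES, SAMPLE_PODS
    for pod_ref, node, vols in triage(nodes_doc, pods_doc):
        print(f"{pod_ref} on {node}: affected volumes {vols}")
```

On the sample data only `default/web` is reported: it runs on `node-a` (kubelet v1.9.3) and mounts a secret volume, while `jobs/batch` mounts a configMap but sits on a node already at 1.10.0-beta.4. Note that a projected volume counts regardless of what sources it wraps, so expect this check to flag most workloads on an unpatched node; the useful output is the node list, which tells you what to upgrade first.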