#VU11122 Denial of service in Kubernetes - CVE-2017-1002102

Cybersecurity Help s.r.o.

Published: 2018-03-16

Vulnerability identifier: #VU11122

Vulnerability risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-1002102

CWE-ID: CWE-264

Exploitation vector: Local network

Exploit availability: No

Vulnerable software:
Kubernetes
Server applications / Frameworks for developing and running applications

Vendor: Kubernetes

Description
The vulnerability allows an adjacent authenticated attacker to cause DoS condition on the target system.

The weakness exists due to improper atomic writer volume handling when using a container with secret, configMap, projected, or downwardAPI volume. An adjacent attacker can delete arbitrary files and directories and cause the service to crash.

Mitigation
Update to versions 1.10.0-beta.3 or 1.10.0-beta.4.

Vulnerable software versions

Kubernetes: 1.3.0 - 1.3.10, 1.4.0 - 1.4.12, 1.5.0 - 1.5.8, 1.6.0 - 1.6.13, 1.7.0 - 1.7.13, 1.8.0 - 1.8.8, 1.9.0 - 1.9.3

External links
https://github.com/kubernetes/kubernetes/issues/60814

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Fedora 28 update for origin

Red Hat update for Red Hat OpenShift Container Platform

Multiple vulnerabilities in Kubernetes