ID CVE-2017-1002102
Summary In Kubernetes versions 1.3.x, 1.4.x, 1.5.x, 1.6.x and prior to versions 1.7.14, 1.8.9 and 1.9.4 containers using a secret, configMap, projected or downwardAPI volume can trigger deletion of arbitrary files/directories from the nodes where they are running.
References
Vulnerable Configurations
CVSS
Base: 6.3
Impact:
Exploitability:
nessus via4
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2018-4061.NASL
    description Description of changes:
      [1.9.1-2.1.5]
      - Production built 1.9.1-2.1.5
      - Fix the upgrade version check
      - Remove w/a from [Orabug 27125915]
      [1.9.1-2.1.4.dev]
      - Make sure worker node upgrade properly - [Orabug 27649898]
      [1.9.1-2.1.3.dev]
      - Ensure that the runtime mounts RO volumes read-only [CVE-2017-1002102]
      - Update Dashboard version to v1.8.3 [CVE-2017-1002102]
      - Fix nested volume mounts for read-only API data volumes [CVE-2017-1002102]
      - Fixed kubeadm-setup.sh and kubeadm-registry.sh
      - Add feature gate for subpath [CVE-2017-1002101]
      - Add subpath e2e tests [CVE-2017-1002101]
      - Lock subPath volumes [CVE-2017-1002101]
    last seen 2018-09-06
    modified 2018-09-05
    plugin id 108939
    published 2018-04-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=108939
    title Oracle Linux 7 : kubernetes (ELSA-2018-4061)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2018-2BFBD27A0B.NASL
    description - Rebase to 3.9 - Security fix for CVE-2017-1002101 and CVE-2017-1002102 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-01-16
    modified 2019-01-03
    plugin id 120316
    published 2019-01-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=120316
    title Fedora 28 : origin (2018-2bfbd27a0b)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2018-0475.NASL
    description An update is now available for Red Hat OpenShift Container Platform 3.7, 3.6, 3.5, 3.4, and 3.3. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
      OpenShift Container Platform by Red Hat is the company's cloud computing Platform-as-a-Service (PaaS) solution designed for on-premise or private cloud deployments.
      This advisory contains the RPM packages for this release. See the following advisory for the container images for this release: https://access.redhat.com/errata/RHBA-2018:0476
      All OpenShift Container Platform 3 users are advised to upgrade to these updated packages and images.
      Security Fix(es):
      * kubernetes: Volume security can be sidestepped with innocent emptyDir and subpath (CVE-2017-1002101)
      * pod: Malicious containers can delete any file from the node (CVE-2017-1002102)
      For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen 2019-01-16
    modified 2018-12-04
    plugin id 119391
    published 2018-12-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=119391
    title RHEL 7 : Red Hat OpenShift Container Platform (RHSA-2018:0475)
redhat via4
advisories
rhsa
id RHSA-2018:0475
refmap via4
confirm https://github.com/kubernetes/kubernetes/issues/60814
Last major update 13-03-2018 - 13:29
Published 13-03-2018 - 13:29
Last modified 11-04-2018 - 14:31