CVE-2020-8557: Kubernetes node disk Denial of Service by writing to container /etc/hosts
First published: Thu May 14 2020(Updated: )
A flaw was found in Kubernetes, where the amount of disk space the /etc/hosts file can use is unconstrained . This flaw can allow attacker-controlled pods to cause a denial of service if they have permission to write to the node's /etc/hosts file.
Credit: jordan@liggitt.net jordan@liggitt.net
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/atomic-openshift | <0:3.11.542-1.git.0.f2fd300.el7 | 0:3.11.542-1.git.0.f2fd300.el7 |
| redhat/openshift | <0:4.3.37-202009120213.p0.git.0.dffefe4.el8 | 0:4.3.37-202009120213.p0.git.0.dffefe4.el8 |
| redhat/openshift | <0:4.4.0-202008250319.p0.git.0.d653415.el8 | 0:4.4.0-202008250319.p0.git.0.d653415.el8 |
| redhat/openshift | <0:4.5.0-202008130146.p0.git.0.aaf1d57.el8 | 0:4.5.0-202008130146.p0.git.0.aaf1d57.el8 |
| Kubernetes Kubernetes | <1.16.13 | |
| Kubernetes Kubernetes | >=1.17.0<1.17.9 | |
| Kubernetes Kubernetes | >=1.18.0<1.18.6 | |
| redhat/kubernetes | <1.19.0 | 1.19.0 |
| redhat/kubernetes | <1.18.6 | 1.18.6 |
| redhat/kubernetes | <1.17.10 | 1.17.10 |
| redhat/kubernetes | <1.16.13 | 1.16.13 |
| go/k8s.io/kubernetes/pkg/kubelet | >=1.18.0<1.18.6 | 1.18.6 |
| go/k8s.io/kubernetes/pkg/kubelet | >=1.17.0<1.17.9 | 1.17.9 |
| go/k8s.io/kubernetes/pkg/kubelet | >=1.1.0<1.16.13 | 1.16.13 |
Remedy
On OpenShift Container Platform (OCP) 3.11 and 4.x it's possible to set the allowPrivilegeEscalation Security Context Constraint to 'false' to prevent this. Note that this is set to 'true' by default, and setting it to false will prevent certain binaries which require setuid to stop working. On OCP 3.11 for example the 'ping' command will no longer work [1]. On OCP 4.x and later the 'ping' command will work with allowPrivilegeEscalation set to False, but other setuid binaries will not work. [1] https://docs.openshift.com/container-platform/3.11/release_notes/ocp_3_11_release_notes.html
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2020-8557 https://nvd.nist.gov/vuln/detail/CVE-2020-8557 https://groups.google.com/g/kubernetes-security-announce/c/cB_JUsYEKyY
- https://bugzilla.redhat.com/show_bug.cgi?id=1835977
- https://access.redhat.com/errata/RHSA-2021:3915
- https://access.redhat.com/errata/RHSA-2020:3809
- https://access.redhat.com/errata/RHSA-2020:3808
- https://access.redhat.com/errata/RHSA-2020:3579
- https://access.redhat.com/errata/RHSA-2020:3580
- https://access.redhat.com/errata/RHSA-2020:3519
- https://access.redhat.com/errata/RHSA-2020:3520
- https://access.redhat.com/security/cve/cve-2020-8557
- https://github.com/kubernetes/kubernetes/issues/93032
- https://groups.google.com/g/kubernetes-security-announce/c/cB_JUsYEKyY/m/vVSO61AhBwAJ
- https://security.netapp.com/advisory/ntap-20200821-0002/
- https://docs.openshift.com/container-platform/3.11/release_notes/ocp_3_11_release_notes.html
- https://github.com/kubernetes/kubernetes/pull/92916
- https://groups.google.com/g/kubernetes-security-announce/c/cB_JUsYEKyY
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1857459
- https://docs.openshift.com/container-platform/3.11/install_config/configuring_ephemeral.html
- https://nvd.nist.gov/vuln/detail/CVE-2020-8557
- https://github.com/kubernetes/kubernetes/pull/92921
- https://github.com/kubernetes/kubernetes/commit/530f199b6e07cdaab32361e39709ac45f3fdc446
- https://github.com/kubernetes/kubernetes/commit/68750fefd3df76b7b008ef7b18e8acd18d5c2f2e
- https://github.com/kubernetes/kubernetes/commit/7fd849cffa2f93061fbcb0a6ae4efd0539b1e981
- https://security.netapp.com/advisory/ntap-20200821-0002
- https://github.com/advisories/GHSA-55qj-gj3x-jq9r (Advisory)
- https://pkg.go.dev/vuln/GO-2024-2753
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2020-8557?
CVE-2020-8557 is a vulnerability in Kubernetes that allows a pod to exceed the disk space limit for the /etc/hosts file.
Which versions of Kubernetes are affected by CVE-2020-8557?
Versions 1.1-1.16.12, 1.17.0-1.17.8, and 1.18.0-1.18.5 of Kubernetes are affected by CVE-2020-8557.
How does CVE-2020-8557 impact Kubernetes?
CVE-2020-8557 allows a pod in Kubernetes to write to its own /etc/hosts file and exceed the disk space limit, which is not accounted for by the kubelet eviction manager when calculating ephemeral storage.
What is the severity of CVE-2020-8557?
CVE-2020-8557 has a severity rating of medium with a CVSS score of 5.5.
How do I fix CVE-2020-8557 in Kubernetes?
To fix CVE-2020-8557 in Kubernetes, update to version 1.19.0, 1.18.6, or 1.17.10, depending on your current version.
- collector/redhat-cve
- collector/nvd-index
- agent/type
- agent/first-publish-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2020-8557
- agent/software-canonical-lookup
- agent/severity
- agent/weakness
- agent/remedy
- agent/author
- agent/description
- collector/nvd-cve
- source/NVD
- agent/softwarecombine
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-55qj-gj3x-jq9r
- agent/references
- collector/github-advisory
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/last-modified-date
- agent/tags
- agent/event
- package-manager/redhat
- vendor/kubernetes
- canonical/kubernetes kubernetes
- version/kubernetes kubernetes/1.17.0
- version/kubernetes kubernetes/1.18.0
- package-manager/go