Security Bulletin: IBM Cloud Container Service is affected by two container file system vulnerabilities

2018-06-17 22:33:38
www.ibm.com

9.6 High (CVSS3)
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

6.3 Medium (CVSS2)
Access Vector: LOCAL
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:L/AC:M/Au:N/C:N/I:C/A:C

Summary

IBM Cloud Container Service is affected by the following vulnerabilities which in some cases allow unauthorized access to the file system on the cluster worker nodes, including deletion of arbitrary files and directories. This document describes the issues and mitigations. It also describes how to check if your clusters are affected and what remedial action to take.

Exploitation of the issues is only possible for an authenticated user who has permission to deploy pods into the cluster. Other mitigations are described below.

Vulnerability Details

CVEID: CVE-2017-1002101
DESCRIPTION: Kubernetes could allow a remote attacker to obtain sensitive information, caused by using subpath volume mounts with any volume type. A remote authenticated attacker could exploit this vulnerability to access files/directories outside of the volume, including the host's filesystem.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/140496 for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2017-1002102
DESCRIPTION: Kubernetes could allow a local authenticated attacker to delete arbitrary files from the system, caused by a flaw in containers that use a secret, configMap, projected or downwardAPI volume. An attacker could exploit this vulnerability to delete arbitrary files or directories from the system.
CVSS Base Score: 6.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/140466 for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H)

Affected Products and Versions

IBM Cloud Container Service clusters using Kubernetes versions 1.7.4, 1.8.8, 1.9.3 or earlier.

Remediation/Fixes

Customers must upgrade the affected clusters to Kubernetes versions 1.7.16, 1.8.11, 1.9.7 (or later) when these versions are released by IBM. Refer to https://console.bluemix.net/docs/containers/cs_versions.html for more information about Kubernetes versions.

Run bx cs kube-versions to check which Kubernetes versions the IBM Cloud Container Service has released.

When the updated Kubernetes versions are released, refer to https://console.bluemix.net/docs/containers/cs_cluster_update.html for instructions to update Kubernetes in your clusters.

Workarounds and Mitigations

Exploitation of these issues is only possible for an authenticated user who has permission to deploy pods into the cluster.

To prevent exploitation of the issue:

  • Do not allow untrusted users to control pod spec content.
  • Do not use subpath volume mounts with untrusted containers or containers with known file handling security vulnerabilities. The Vulnerability Advisor can be used to detect container vulnerabilities.
  • Do not run untrusted containers with secret, configMap, downwardAPI or projected volumes mounted.
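A defensive check for the second and third mitigations above, as an added example (not IBM's or Kubernetes' code): it audits pod specs in the JSON that kubectl get pods -A -o json returns, flagging every subPath volume mount and every mounted secret, configMap, downwardAPI or projected volume so that the owning workloads can be reviewed for trust before the cluster is upgraded. The function names and the sample pod list are constructed for this example.

```python
"""Audit pod specs (kubectl get pods -A -o json) for the mitigations' volume usage:
subPath mounts and secret/configMap/downwardAPI/projected volumes. Added example."""
import json

# Volume types named in CVE-2017-1002102's description and the mitigations.
RISKY_VOLUME_TYPES = ("secret", "configMap", "downwardAPI", "projected")


def audit_pod(pod: dict) -> list:
    """Return human-readable findings for one pod object (empty if clean)."""
    meta = pod.get("metadata", {})
    name = f'{meta.get("namespace", "default")}/{meta.get("name", "?")}'
    spec = pod.get("spec", {})
    # Map volume name -> volume type so each mount can be attributed to a type.
    vol_types = {v["name"]: k for v in spec.get("volumes", []) for k in v if k != "name"}
    findings = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        for m in c.get("volumeMounts", []):
            vtype = vol_types.get(m.get("name"), "unknown")
            if "subPath" in m:  # subPath on any volume type (CVE-2017-1002101)
                findings.append(f'{name}: container {c["name"]} mounts volume '
                                f'{m["name"]} ({vtype}) with subPath={m["subPath"]!r}')
            if vtype in RISKY_VOLUME_TYPES:  # volume types from CVE-2017-1002102
                findings.append(f'{name}: container {c["name"]} mounts {vtype} volume '
                                f'{m["name"]} at {m.get("mountPath")}')
    return findings


def audit_pod_list(pod_list: dict) -> list:
    """Audit a kubectl List object; returns findings for pods that need review."""
    return [f for pod in pod_list.get("items", []) for f in audit_pod(pod)]


# Constructed sample resembling kubectl get pods -o json output (not real data).
SAMPLE_POD_LIST = json.loads("""
{"items": [
 {"metadata": {"name": "web", "namespace": "team-a"},
  "spec": {"volumes": [{"name": "data", "emptyDir": {}},
                       {"name": "creds", "secret": {"secretName": "db"}}],
           "containers": [{"name": "app", "volumeMounts": [
              {"name": "data", "mountPath": "/data", "subPath": "x"},
              {"name": "creds", "mountPath": "/creds"}]}]}},
 {"metadata": {"name": "clean", "namespace": "team-b"},
  "spec": {"volumes": [{"name": "scratch", "emptyDir": {}}],
           "containers": [{"name": "job", "volumeMounts": [
              {"name": "scratch", "mountPath": "/tmp/work"}]}]}}]}
""")

if __name__ == "__main__":
    print("\n".join(audit_pod_list(SAMPLE_POD_LIST)) or "no findings")
```

Pipe real output into json.load and pass it to audit_pod_list; a pod appears once per flagged mount, so the same pod may produce several lines.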
