CVE-2017-1002101
Published 2018-03-13
Priority P259 critical 9.6 CVSS 3.0
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
EPSS 11.59% (95.5th percentile)
In Kubernetes versions 1.3.x, 1.4.x, 1.5.x, 1.6.x and prior to versions 1.7.14, 1.8.9 and 1.9.4 containers using subpath volume mounts with any volume type (including non-privileged pods, subject to file permissions) can access files/directories outside of the volume, including the host's filesystem.
Affected
19 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | kubernetes | < kubernetes 1.7.16+dfsg-1 (bookworm) | kubernetes 1.7.16+dfsg-1 (bookworm) |
| kubernetes | kubernetes | — | — |
| kubernetes | kubernetes | — | — |
| kubernetes | kubernetes | — | — |
| kubernetes | kubernetes | — | — |
| kubernetes | kubernetes | >= 0 < 1.7.16+dfsg-1 | 1.7.16+dfsg-1 |
| kubernetes | kubernetes | >= 0 < 1.7.16+dfsg-1 | 1.7.16+dfsg-1 |
| kubernetes | kubernetes | >= 0 < 1.7.16+dfsg-1 | 1.7.16+dfsg-1 |
| kubernetes | kubernetes | >= 0 < 1.7.16+dfsg-1 | 1.7.16+dfsg-1 |
| kubernetes | kubernetes | 1.3.0 – 1.3.10 | — |
| kubernetes | kubernetes | 1.4.0 – 1.4.12 | — |
| kubernetes | kubernetes | 1.5.0 – 1.5.8 | — |
| kubernetes | kubernetes | 1.6.0 – 1.6.13 | — |
| kubernetes | kubernetes | >= 1.7.0 < 1.7.14 | 1.7.14 |
| kubernetes | kubernetes | >= 1.8.0 < 1.8.9 | 1.8.9 |
| kubernetes | kubernetes | >= 1.9.0 < 1.9.4 | 1.9.4 |
| kubernetes | kubernetes | >= unspecified < v1.7.14 | v1.7.14 |
| kubernetes | kubernetes | >= unspecified < v1.8.9 | v1.8.9 |
| kubernetes | kubernetes | >= unspecified < v1.9.4 | v1.9.4 |
Detection & IOCs
- Exploit requires a pod spec using subPath volume mounts — detect pod/container specs containing the 'subPath' field in combination with any volume type as a trigger for this vulnerability
- Exploitation vector involves using emptyDir volumes with subPath to escape volume boundaries — audit pod specs for emptyDir + subPath combinations as a high-confidence exploit pattern
- Successful exploitation can result in access to the Docker socket on the host node — monitor for unexpected access to the docker socket from within containers as a post-exploitation indicator
- The vulnerability is exploitable through the Kubernetes API by submitting a pod spec with a subPath field — API server admission controls or webhook validators should inspect and block pod specs containing subPath referencing paths outside the volume root
- Affected Kubernetes versions are 1.3.x, 1.4.x, 1.5.x, 1.6.x and versions prior to 1.7.14, 1.8.9, and 1.9.4 — detection and patching efforts should confirm cluster version is within this range
- The exploit is constrained by the pod's security context — the pod runs with the security constraints of the user but can read files with o=rx mode and appropriate SELinux label, so SELinux enforcement limits but does not fully prevent impact
- The vulnerability scope is local — exploitation requires an attacker to already have access to submit pod specs to the Kubernetes API (e.g., authenticated user or compromised workload)
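
The pod-spec audit and version check described in the list above, as an added example that is not taken from any of the indexed sources. It assumes pod objects shaped like the items of `kubectl get pods -o json`; the sample pods, their names and the `high`/`review` confidence labels are constructed for illustration.

```python
import re

# First fixed patch release for each 1.x minor that received a fix (from the advisory text).
FIXED_PATCH = {7: 14, 8: 9, 9: 4}

def version_affected(version):
    """True if a version string such as 'v1.8.6' falls in the affected ranges."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    major, minor, patch = map(int, m.groups())
    if major != 1:
        return False
    return 3 <= minor <= 6 or patch < FIXED_PATCH.get(minor, 0)

def audit_pod(pod):
    """Return one finding per volumeMount that sets subPath."""
    spec = pod.get("spec", {})
    # Each volume entry is {"name": ..., "<type>": {...}}; the non-name key is the type.
    vol_type = {v["name"]: next((k for k in v if k != "name"), "unknown")
                for v in spec.get("volumes") or []}
    findings = []
    for c in (spec.get("initContainers") or []) + (spec.get("containers") or []):
        for mount in c.get("volumeMounts") or []:
            if not mount.get("subPath"):
                continue
            vtype = vol_type.get(mount["name"], "unknown")
            findings.append({
                "pod": pod["metadata"]["name"], "container": c["name"],
                "volume": mount["name"], "type": vtype, "subPath": mount["subPath"],
                "confidence": "high" if vtype == "emptyDir" else "review",
            })
    return findings

# Constructed sample pods (hypothetical names), shaped like `kubectl get pods -o json` items.
SAMPLE_PODS = [
    {"metadata": {"name": "builder"}, "spec": {
        "volumes": [{"name": "scratch", "emptyDir": {}}], "containers": [{"name": "main",
            "volumeMounts": [{"name": "scratch", "mountPath": "/work", "subPath": "out"}]}]}},
    {"metadata": {"name": "web"}, "spec": {
        "volumes": [{"name": "cfg", "configMap": {"name": "web-cfg"}}], "containers": [{"name": "nginx",
            "volumeMounts": [{"name": "cfg", "mountPath": "/etc/nginx", "subPath": "nginx.conf"}]}]}},
    {"metadata": {"name": "cache"}, "spec": {
        "volumes": [{"name": "tmp", "emptyDir": {}}], "containers": [{"name": "redis",
            "volumeMounts": [{"name": "tmp", "mountPath": "/data"}]}]}},
]

if __name__ == "__main__":
    for finding in (f for p in SAMPLE_PODS for f in audit_pod(p)):
        print(finding)
```

A subPath mount is an ordinary feature, so the findings are an inventory to prioritise on clusters where `version_affected` returns true, not evidence of exploitation by themselves.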
CVSS provenance
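| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.6 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N |
| nvd | v2.0 | 5.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:N |
| osv | | 9.6 | CRITICAL | |
| vendor_debian | | 8.8 | HIGH | |
| vendor_redhat | | 8.8 | HIGH | |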
GHSA
ghsa_unreviewed·2022-05-13
CVE-2017-1002101 [CRITICAL] CWE-59 GHSA-rqgw-vh6p-qf7j: In Kubernetes versions 1
Kernel
kernel_security·2020-01-29
Merge branch 'work.openat2' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
Pull openat2 support from Al Viro:
"This is the openat2() series from Aleksa Sarai.
I'm afraid that the rest of namei stuff will have to wait - it got
zero review the last time I'd posted #work.namei, and there had been a
leak in the posted series I'd caught only last weekend. I was going to
repost it on Monday, but the window opened and the odds of getting any
review during that... Oh, well.
Anyway, openat2 part should be ready; that _did_ get sane amount of
review and public testing, so here it comes"
From Aleksa's description of the series:
"For a very long time, extending openat(2) with new features has been
incredibly frustrating. This stems from the fact that openat(2) is
possibly the most famou
OSV
osv·2018-03-13·CVSS 9.6
CVE-2017-1002101 [CRITICAL] CVE-2017-1002101: In Kubernetes versions 1
Red Hat
vendor_redhat·2018-03-12·CVSS 8.8
CVE-2017-1002101 [HIGH] kubernetes: Volume security can be sidestepped with innocent emptyDir and subpath
It was found that volume security can be sidestepped with innocent emptyDir and subpath. This could give an attacker with access to a pod full control over the node host by gaining access to docker socket.
Statement: This flaw allows a pod to mount any part of the host filesystem. The pod will run with the security constraints placed on the user but could read anything with o=rx mode and appropriate SELinux lab
Debian
vendor_debian·2017·CVSS 8.8
CVE-2017-1002101 [HIGH] CVE-2017-1002101: kubernetes - In Kubernetes versions 1.3.x, 1.4.x, 1.5.x, 1.6.x and prior to versions 1.7.14, ...
Scope: local
bookworm: resolved (fixed in 1.7.16+dfsg-1)
bullseye: resolved (fixed in 1.7.16+dfsg-1)
forky: resolved (fixed in 1.7.16+dfsg-1)
sid: resolved (fixed in 1.7.16+dfsg-1)
trixie: resolved (fixed in 1.7.16+dfsg-1)
No detection rules found.
No public exploits indexed.
Bugzilla
bugzilla·2018-03-13·CVSS 8.8
CVE-2017-1002101 [HIGH] CVE-2017-1002101 origin: kubernetes: Volume security can be sidestepped with innocent emptyDir and subpath [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this
Bugzilla
bugzilla·2018-03-12·CVSS 8.8
CVE-2017-1002101 [HIGH] CVE-2017-1002101 kubernetes: Volume security can be sidestepped with innocent emptyDir and subpath [fedora-all]
NOTE: this issue a
Bugzilla
bugzilla·2017-12-12·CVSS 8.8
CVE-2017-1002101 [HIGH] CVE-2017-1002101 kubernetes: Volume security can be sidestepped with innocent emptyDir and subpath
It was found that volume security can be sidestepped with innocent emptyDir and subpath. A pod could give full control over node host by gaining access to docker socket.
Discussion:
Created kubernetes tracking bugs for this issue:
Affects: fedora-all [bug 1554420]
---
This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 3.3
Red Hat OpenShift Container Platform 3.4
Red Hat OpenShift Container Platform 3.5
Red Hat OpenShift Container Platform 3.6
Red Hat OpenShift Container Platform 3.7
Via RHSA-2018:0475 https://access.redhat.com/errata/RHSA-2018:0475
---
This flaw allows a pod to mount any part of the host filesystem. The pod will run with th
arXiv
KubeFence: Security Hardening of the Kubernetes Attack Surface
arxiv_fulltext·2025-04-15
Carmine Cesarano, Roberto Natella
Università degli Studi di Napoli Federico II, Italy
{carmine.cesarano2, roberto.natella}@unina.it
## Abstract
Kubernetes (K8s) is widely used to orchestrate containerized applications, including critical services in domains such as finance, healthcare, and government. However, its extensive and feature-rich API interface exposes a broad attack surface, making K8s vulnerable to exploits of software vulnerabilities and misconfigurations. Even if K8s adopts role-based access control (RBAC) to manage access to K8s APIs, this approach lacks the granularity needed to protect specification attributes within API requests.
This paper proposes a novel solution, KubeFence, which implements finer-grain API filtering t
http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00041.html
https://access.redhat.com/errata/RHSA-2018:0475
https://github.com/bgeesaman/subpath-exploit/
https://github.com/kubernetes/kubernetes/issues/60813