CVE-2020-8557
published 2020-07-23
CVE-2020-8557: The Kubernetes kubelet component in versions 1.1-1.16.12, 1.17.0-1.17.8 and 1.18.0-1.18.5 does not account for disk usage by a pod which writes to its own…
Priority P424 · medium · 5.5 (CVSS 3.1)
AV:L / AC:L / PR:L / UI:N / S:U / C:N / I:N / A:H
EPSS 0.50% (39.1st percentile)
The Kubernetes kubelet component in versions 1.1-1.16.12, 1.17.0-1.17.8 and 1.18.0-1.18.5 does not account for disk usage by a pod which writes to its own /etc/hosts file. The /etc/hosts file mounted in a pod by kubelet is not included by the kubelet eviction manager when calculating ephemeral storage usage by a pod. If a pod writes a large amount of data to the /etc/hosts file, it could fill the storage space of the node and cause the node to fail.
Affected
32 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | kubernetes | < 1.18.5-1 (bookworm) | 1.18.5-1 (bookworm) |
| k8s.io | kubernetes | >= 1.1.0 < 1.16.13 | 1.16.13 |
| k8s.io | kubernetes | >= 1.17.0 < 1.17.9 | 1.17.9 |
| k8s.io | kubernetes | >= 1.18.0 < 1.18.6 | 1.18.6 |
| k8s.io | kubernetes_pkg_kubelet | >= 1.1.0 < 1.16.13 | 1.16.13 |
| k8s.io | kubernetes_pkg_kubelet | >= 1.17.0 < 1.17.9 | 1.17.9 |
| k8s.io | kubernetes_pkg_kubelet | >= 1.18.0 < 1.18.6 | 1.18.6 |
| kubernetes | kubernetes | < 1.16.13 | 1.16.13 |
| kubernetes | kubernetes | >= 0 < 1.18.5-1 | 1.18.5-1 |
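A triage helper for the ranges in the table, added here as an example and not part of the advisory or of Kubernetes itself. It reads the document printed by `kubectl get nodes -o json` (the sample below is constructed) and flags every node whose kubeletVersion falls inside an upstream affected range; the check is on the kubelet rather than the API server because the unaccounted write happens in each node's eviction manager. Two caveats: distribution builds that backported the patch (Debian's 1.18.5-1 above, OpenShift) still report a pre-fix upstream version, so a hit is a prompt to consult the vendor advisory rather than proof of exposure, and build metadata such as `-gke.2` or `+k3s1` is deliberately ignored.

```python
"""Triage kubelet versions against the CVE-2020-8557 affected ranges."""
import json
import re

# Upstream affected ranges from the advisory: inclusive lower bound,
# exclusive upper bound. 1.19.0 and later shipped with the fix.
AFFECTED_RANGES = (
    ((1, 1, 0), (1, 16, 13)),
    ((1, 17, 0), (1, 17, 9)),
    ((1, 18, 0), (1, 18, 6)),
)

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_kubelet_version(version: str) -> tuple[int, int, int]:
    """Reduce a kubeletVersion string to (major, minor, patch).

    Managed distributions append build metadata such as "-gke.2",
    "-eks-1234abc" or "+k3s1"; only the leading semver triple matters
    for the upstream range check.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised kubelet version: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True when the version lies in any upstream affected range."""
    v = parse_kubelet_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def affected_nodes(nodes_json: str) -> list[tuple[str, str]]:
    """Return (node name, kubeletVersion) for nodes in an affected range.

    `nodes_json` is the document printed by `kubectl get nodes -o json`.
    """
    doc = json.loads(nodes_json)
    hits = []
    for item in doc.get("items", []):
        name = item["metadata"]["name"]
        ver = item["status"]["nodeInfo"]["kubeletVersion"]
        if is_affected(ver):
            hits.append((name, ver))
    return hits


# Constructed sample shaped like `kubectl get nodes -o json` output.
SAMPLE_NODES = json.dumps({"items": [
    {"metadata": {"name": "worker-a"},
     "status": {"nodeInfo": {"kubeletVersion": "v1.16.12-gke.2"}}},
    {"metadata": {"name": "worker-b"},
     "status": {"nodeInfo": {"kubeletVersion": "v1.18.6"}}},
    {"metadata": {"name": "worker-c"},
     "status": {"nodeInfo": {"kubeletVersion": "v1.17.8+k3s1"}}},
    {"metadata": {"name": "worker-d"},
     "status": {"nodeInfo": {"kubeletVersion": "v1.19.0"}}},
]})

if __name__ == "__main__":
    for name, ver in affected_nodes(SAMPLE_NODES):
        print(f"{name}: kubelet {ver} is in an affected range")
```

Pipe real output in with `kubectl get nodes -o json | python3 triage.py` after swapping `SAMPLE_NODES` for `sys.stdin.read()`; the parser raises on anything that is not a semver triple so that an unexpected version format is not silently treated as safe.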
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
| nvd | 2.0 | 2.1 | LOW | AV:L/AC:L/Au:N/C:N/I:N/A:P |
| osv | — | 5.5 | MEDIUM | — |
| vendor_debian | — | 5.5 | MEDIUM | — |
| vendor_redhat | — | 5.5 | MEDIUM | — |
OSV
Denial of service in Kubernetes in k8s.io/kubernetes
osv · 2024-06-10 · CVE-2020-8557
GHSA
Denial of service in Kubernetes
ghsa · 2024-04-24 · CVE-2020-8557 · MEDIUM · CWE-400
OSV
Denial of service in Kubernetes
osv · 2024-04-24 · CVE-2020-8557 · MEDIUM
OSV
CVE-2020-8557: The Kubernetes kubelet component in versions 1
osv · 2020-07-23 · CVSS 5.5 · MEDIUM
Red Hat
kubernetes: Node disk DOS by writing to container /etc/hosts
vendor_redhat · 2020-07-15 · CVSS 5.5 · MEDIUM · CWE-400
A flaw was found in Kubernetes, where the amount of disk space the /etc/hosts file can use is unconstrained. This flaw can allow attacker-controlled pods to cause a denial of service if they have permission to write to the node's /etc/hosts file.
Statement: In OpenShift Container Pl
Debian
CVE-2020-8557: kubernetes - The Kubernetes kubelet component in versions 1.1-1.16.12, 1.17.0-1.17.8 and 1.18...
vendor_debian · 2020 · CVSS 5.5 · MEDIUM
Scope: local
bookworm: resolved (fixed in 1.18.5-1)
bullseye: resolved (fixed in 1.18.5-1)
forky: resolved (fixed in 1.18.5-1)
sid: resolved (fixed in 1.18.5-1)
trixie: resolved (fixed in 1.18.5-1)
No detection rules found.
No public exploits indexed.
arXiv
KGSecConfig: A Knowledge Graph Based Approach for Secured Container Orchestrator Configuration
arxiv_fulltext · 2021-12-21
Mubin Ul Haque, M. Mehdi Kholoosi, and M. Ali Babar
Centre for Research on Engineering Software Technologies (CREST), School of Computer Science and Engineering, The University of Adelaide, Adelaide, Australia
Cyber Security Cooperative Research Centre
## Abstract
Container Orchestrator (CO) is a vital technology for managing clusters of containers, which may form a virtualized infrastructure for developing and operating software systems. Like any other software system, securing a CO is critical, but can be quite a challenging task due to the large number of configurable options. Manual configuration is
Bugzilla
CVE-2020-8557 origin: kubernetes: Node disk DOS by writing to container /etc/hosts [fedora-all]
bugzilla · 2020-07-15 · CVSS 5.5 · MEDIUM
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple
Bugzilla
CVE-2020-8557 kubernetes: Node disk DOS by writing to container /etc/hosts
bugzilla · 2020-05-14 · CVSS 5.5 · MEDIUM
The kubelet sets up a file called etc-hosts for each pod, which is mounted in the containers as /etc/hosts. The file isn't counted against memory limits (as a tmpfs file would be) or ephemeral storage usage limits. The container can fill up the node disk on the node on which it was scheduled.
Discussion:
Mitigation:
On OpenShift Container Platform (OCP) 3.11 and 4.x it's possible to set the allowPrivilegeEscalation Security Context Constraint to 'false' to prevent this. Note that this is set to 'true' by default, and setting it to false will cause certain binaries which require setuid to stop working. On OCP 3.11 for example the 'ping' command will no longer work [1]. On OCP 4.x and later the 'ping' command will
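A manifest audit for the workaround described in the Red Hat bug above, added here as an example; it is not Red Hat's or the Kubernetes project's code. The kubelet writes each pod's etc-hosts file as root with mode 0644 and bind-mounts it read-write at /etc/hosts, so a container process can only write to it if it runs as uid 0 or can become uid 0. The workaround therefore needs two settings together: a non-root user (runAsNonRoot, or a non-zero runAsUser) and allowPrivilegeEscalation: false, which blocks setuid binaries from regaining root and also rules out privileged containers. readOnlyRootFilesystem earns no credit, because the /etc/hosts mount is separate from the container's root filesystem. The script reads the output of `kubectl get pods -A -o json` (the sample below is constructed) and lists every container, init containers included, that fails either condition. This audits the workaround only; the fix is upgrading the kubelet to a patched version.

```python
"""Audit pod specs for the CVE-2020-8557 workaround: no container may run
as, or be able to become, uid 0, because only root can write the kubelet's
root-owned 0644 etc-hosts file that is bind-mounted read-write at /etc/hosts."""
import json
from typing import Any


def _effective(container: dict, pod_sc: dict, key: str, default: Any) -> Any:
    """Resolve a securityContext field: container level overrides pod level."""
    csc = container.get("securityContext") or {}
    if key in csc:
        return csc[key]
    return pod_sc.get(key, default)


def etc_hosts_write_paths(container: dict, pod_sc: dict) -> list[str]:
    """Return the reasons this container could end up writing /etc/hosts.

    An empty list means the workaround is in place for this container.
    """
    csc = container.get("securityContext") or {}
    reasons: list[str] = []

    # privileged and allowPrivilegeEscalation exist only at container level.
    privileged = csc.get("privileged", False)
    allow_escalation = csc.get("allowPrivilegeEscalation", True)  # API default
    run_as_user = _effective(container, pod_sc, "runAsUser", None)
    run_as_non_root = _effective(container, pod_sc, "runAsNonRoot", False)

    if privileged:
        reasons.append("privileged: true (root with all capabilities)")
    elif run_as_user == 0:
        reasons.append("runAsUser: 0")
    elif run_as_user is None and not run_as_non_root:
        reasons.append("neither runAsUser nor runAsNonRoot set; image USER may be root")

    # A non-root process can still regain uid 0 through a setuid binary
    # unless no_new_privs is applied via allowPrivilegeEscalation: false.
    if not privileged and run_as_user != 0 and allow_escalation:
        reasons.append("allowPrivilegeEscalation not false; setuid binaries could regain uid 0")

    # readOnlyRootFilesystem covers the container rootfs only, not the
    # separate read-write bind mount at /etc/hosts, so it is not consulted.
    return reasons


def audit_pods(pods_json: str) -> dict[str, list[str]]:
    """Map 'namespace/pod/container' to reasons for every unmitigated container.

    `pods_json` is the document printed by `kubectl get pods -A -o json`.
    """
    findings: dict[str, list[str]] = {}
    for pod in json.loads(pods_json).get("items", []):
        meta, spec = pod["metadata"], pod["spec"]
        pod_sc = spec.get("securityContext") or {}
        ns = meta.get("namespace", "default")
        for c in spec.get("containers", []) + spec.get("initContainers", []):
            reasons = etc_hosts_write_paths(c, pod_sc)
            if reasons:
                findings[f"{ns}/{meta['name']}/{c['name']}"] = reasons
    return findings


# Constructed sample shaped like `kubectl get pods -A -o json` output.
SAMPLE_PODS = json.dumps({"items": [
    {"metadata": {"namespace": "default", "name": "app-root"},
     "spec": {"containers": [{"name": "web", "image": "nginx"}]}},
    {"metadata": {"namespace": "default", "name": "app-hardened"},
     "spec": {"securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
              "containers": [{"name": "web", "image": "nginx",
                              "securityContext": {"allowPrivilegeEscalation": False}}]}},
    {"metadata": {"namespace": "default", "name": "app-nonroot"},
     "spec": {"securityContext": {"runAsUser": 1000},
              "containers": [{"name": "web", "image": "nginx",
                              "securityContext": {"readOnlyRootFilesystem": True}}]}},
    {"metadata": {"namespace": "kube-system", "name": "dbg"},
     "spec": {"containers": [{"name": "shell", "image": "busybox",
                              "securityContext": {"privileged": True}}]}},
]})

if __name__ == "__main__":
    for target, reasons in audit_pods(SAMPLE_PODS).items():
        print(target)
        for r in reasons:
            print(f"  - {r}")
```

Of the four constructed pods only `app-hardened` passes: `app-nonroot` runs as uid 1000 with a read-only rootfs but leaves allowPrivilegeEscalation at its default, and `app-root` sets nothing at all. Pods admitted under a PodSecurity or SCC policy that enforces both fields can be skipped by filtering on namespace labels before calling `audit_pods`.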
https://github.com/kubernetes/kubernetes/issues/93032
https://groups.google.com/g/kubernetes-security-announce/c/cB_JUsYEKyY/m/vVSO61AhBwAJ
https://security.netapp.com/advisory/ntap-20200821-0002/
Published 2020-07-23