We have released Kubernetes 1.7.14, 1.8.9, and 1.9.4 to address two security issues in the Kubernetes volume subsystem. We recommend all clusters update to one of these releases immediately.
In addition to upgrading, PodSecurityPolicy objects designed to limit container permissions must be modified to completely disable hostPath volumes, as the allowedHostPaths feature does not restrict symlink creation and traversal.
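The PodSecurityPolicy change described above, as an added example that is not part of this announcement: a policy that only narrows hostPath with allowedHostPaths, beside one that removes hostPath from the allowed volume types entirely. Policy names and the path prefix are placeholders; extensions/v1beta1 is the PodSecurityPolicy API group served by the releases named above.

```yaml
---
# Before: hostPath is still allowed, only narrowed by allowedHostPaths.
# Per the advisory this is not sufficient, because allowedHostPaths does
# not restrict symlink creation and traversal.
apiVersion: extensions/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted-insufficient   # placeholder name
spec:
  privileged: false
  volumes:
  - configMap
  - emptyDir
  - secret
  - persistentVolumeClaim
  - hostPath
  allowedHostPaths:
  - pathPrefix: /var/log/app      # placeholder path
  seLinux:
    rule: RunAsAny
  runAsUser:
    rule: MustRunAsNonRoot
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
---
# After: hostPath is absent from the volumes whitelist and allowedHostPaths
# is dropped, so pods admitted under this policy cannot request hostPath
# volumes at all.
apiVersion: extensions/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted                # placeholder name
spec:
  privileged: false
  volumes:
  - configMap
  - emptyDir
  - secret
  - persistentVolumeClaim
  seLinux:
    rule: RunAsAny
  runAsUser:
    rule: MustRunAsNonRoot
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
```

Policies already in a cluster can be reviewed with `kubectl get psp -o yaml`; any whose volumes list contains hostPath or the `*` wildcard still permits hostPath volumes.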
CVE-2017-1002101
This vulnerability allows containers using subpath volume mounts with any volume type (including containers in non-privileged pods, subject to file permissions) to access files and directories outside of the volume, including on the host's filesystem.
See Kubernetes issue #60813 for details. Thanks to Maxim Ivanov for reporting this problem.
CVE-2017-1002102
This vulnerability allows containers using a secret, configMap, projected or downwardAPI volume to trigger deletion of arbitrary files/directories from the nodes where they are running.
See Kubernetes issue #60814 for details. Thanks to Joel Smith of Red Hat for reporting this problem.
As a reminder, if you find a security vulnerability in Kubernetes, please report it following the security disclosure process.
Thanks,
Jordan Liggitt
(on behalf of the Kubernetes Product Security Team)