Security Advisory for CVE-2017-1000117: git

Tim Allclair

Sep 14, 2017, 8:39:05 PM
to kubernete...@googlegroups.com
If you are not using the PodSecurityPolicy or a similar mechanism to limit container creation permissions, then you can disregard this message.

Kubernetes has been found to be exposed to git vulnerability CVE-2017-1000117, via gitRepo volumes. It requires the attacker to have access to a powerful permission (create pod) that already grants substantial control over the node.

Mitigations:

- Patch the git version installed on your nodes. See https://public-inbox.org/git/xmqqh8xf...@gitster.mtv.corp.google.com/T/#u for a list of patched versions.
- If using gcr.io/google-containers/hyperkube, upgrade to a patched version: >=1.6.9 or >=1.7.4
- If possible, forbid the usage of gitRepo volumes, via a PodSecurityPolicy or other mechanism.
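
To support the last mitigation, the following added example (not part of the original advisory or of Kubernetes itself) audits a JSON object dump for workloads that still mount gitRepo volumes and for PodSecurityPolicies whose volume allowlist still permits them. The function names and the sample data are constructed for illustration.

```python
import json

# Constructed sample (not real cluster data), shaped like the "items" list
# from `kubectl get <kinds> --all-namespaces -o json`.
SAMPLE = json.loads("""
{"items": [
 {"kind": "Pod", "metadata": {"namespace": "dev", "name": "shell"},
  "spec": {"volumes": [{"name": "tmp", "emptyDir": {}}]}},
 {"kind": "Deployment", "metadata": {"namespace": "ci", "name": "builder"},
  "spec": {"template": {"spec": {"volumes": [
    {"name": "src", "gitRepo": {"repository": "https://git.example.invalid/app.git"}}]}}}},
 {"kind": "PodSecurityPolicy", "metadata": {"name": "permissive"},
  "spec": {"volumes": ["*"]}},
 {"kind": "PodSecurityPolicy", "metadata": {"name": "restricted"},
  "spec": {"volumes": ["configMap", "secret", "emptyDir"]}}
]}
""")

def gitrepo_volumes(node):
    """Yield names of gitRepo volumes under node, including nested pod templates."""
    if isinstance(node, dict):
        for vol in node.get("volumes") or []:
            if isinstance(vol, dict) and "gitRepo" in vol:
                yield vol.get("name", "<unnamed>")
        for key, child in node.items():
            if key != "volumes":
                yield from gitrepo_volumes(child)
    elif isinstance(node, list):
        for child in node:
            yield from gitrepo_volumes(child)

def psp_allows_gitrepo(psp):
    """spec.volumes is an allowlist of volume types; '*' permits every type."""
    allowed = psp.get("spec", {}).get("volumes") or []
    return "*" in allowed or "gitRepo" in allowed

def audit(items):
    """Return (workloads using gitRepo, names of PSPs that still allow it)."""
    users, policies = [], []
    for obj in items:
        meta = obj.get("metadata", {})
        if obj.get("kind") == "PodSecurityPolicy":
            if psp_allows_gitrepo(obj):
                policies.append(meta.get("name"))
        else:
            for vol in gitrepo_volumes(obj.get("spec", {})):
                users.append((obj["kind"], meta.get("namespace"), meta.get("name"), vol))
    return users, policies
```

Calling `audit(SAMPLE["items"])` returns the workloads to migrate off gitRepo first and the policies to tighten afterwards.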