{"containers": {"cna": {"affected": [{"product": "Kubernetes", "vendor": "Kubernetes", "versions": [{"status": "affected", "version": "1.15"}, {"status": "affected", "version": "1.14"}, {"status": "affected", "version": "1.13"}, {"status": "affected", "version": "1.12"}, {"status": "affected", "version": "1.11"}, {"status": "affected", "version": "1.10"}, {"status": "affected", "version": "1.9"}, {"status": "affected", "version": "1.8"}, {"status": "affected", "version": "1.7"}, {"status": "affected", "version": "1.6"}, {"status": "affected", "version": "1.5"}, {"status": "affected", "version": "1.4"}, {"status": "affected", "version": "1.3"}, {"status": "affected", "version": "1.2"}, {"status": "affected", "version": "1.1"}, {"lessThan": "1.18.6", "status": "affected", "version": "1.18", "versionType": "custom"}, {"lessThan": "1.17.9", "status": "affected", "version": "1.17", "versionType": "custom"}, {"lessThan": "1.16.13", "status": "affected", "version": "1.16", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Kebe Liu of DaoCloud"}], "datePublic": "2020-07-15T00:00:00", "descriptions": [{"lang": "en", "value": "The Kubernetes kubelet component in versions 1.1-1.16.12, 1.17.0-1.17.8 and 1.18.0-1.18.5 do not account for disk usage by a pod which writes to its own /etc/hosts file. The /etc/hosts file mounted in a pod by kubelet is not included by the kubelet eviction manager when calculating ephemeral storage usage by a pod. If a pod writes a large amount of data to the /etc/hosts file, it could fill the storage space of the node and cause the node to fail."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-08-21T09:06:14", "orgId": "a6081bf6-c852-4425-ad4f-a67919267565", "shortName": "kubernetes"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/kubernetes/kubernetes/issues/93032"}, {"name": "[Security Advisory] CVE-2020-8557: Node disk DOS by writing to container /etc/hosts", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://groups.google.com/g/kubernetes-security-announce/c/cB_JUsYEKyY/m/vVSO61AhBwAJ"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://security.netapp.com/advisory/ntap-20200821-0002/"}], "source": {"discovery": "USER"}, "title": "Kubernetes node disk Denial of Service by writing to container /etc/hosts", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@kubernetes.io", "DATE_PUBLIC": "2020-07-15T00:00:00.000Z", "ID": "CVE-2020-8557", "STATE": "PUBLIC", "TITLE": "Kubernetes node disk Denial of Service by writing to container /etc/hosts"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Kubernetes", "version": {"version_data": [{"version_affected": "<", "version_name": "1.18", "version_value": "1.18.6"}, {"version_affected": "<", "version_name": "1.17", "version_value": "1.17.9"}, {"version_affected": "<", "version_name": "1.16", "version_value": "1.16.13"}, {"version_value": "1.15"}, {"version_value": "1.14"}, {"version_value": "1.13"}, {"version_value": "1.12"}, {"version_value": "1.11"}, {"version_value": "1.10"}, {"version_value": "1.9"}, {"version_value": "1.8"}, {"version_value": "1.7"}, {"version_value": "1.6"}, {"version_value": "1.5"}, {"version_value": "1.4"}, {"version_value": "1.3"}, {"version_value": "1.2"}, {"version_value": "1.1"}]}}]}, "vendor_name": "Kubernetes"}]}}, "credit": [{"lang": "eng", "value": "Kebe Liu of DaoCloud"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The Kubernetes kubelet component in versions 1.1-1.16.12, 1.17.0-1.17.8 and 1.18.0-1.18.5 do not account for disk usage by a pod which writes to its own /etc/hosts file. The /etc/hosts file mounted in a pod by kubelet is not included by the kubelet eviction manager when calculating ephemeral storage usage by a pod. If a pod writes a large amount of data to the /etc/hosts file, it could fill the storage space of the node and cause the node to fail."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-400 Uncontrolled Resource Consumption"}]}]}, "references": {"reference_data": [{"name": "https://github.com/kubernetes/kubernetes/issues/93032", "refsource": "CONFIRM", "url": "https://github.com/kubernetes/kubernetes/issues/93032"}, {"name": "[Security Advisory] CVE-2020-8557: Node disk DOS by writing to container /etc/hosts", "refsource": "MLIST", "url": "https://groups.google.com/g/kubernetes-security-announce/c/cB_JUsYEKyY/m/vVSO61AhBwAJ"}, {"name": "https://security.netapp.com/advisory/ntap-20200821-0002/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20200821-0002/"}]}, "source": {"discovery": "USER"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T10:03:46.168Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/kubernetes/kubernetes/issues/93032"}, {"name": "[Security Advisory] CVE-2020-8557: Node disk DOS by writing to container /etc/hosts", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://groups.google.com/g/kubernetes-security-announce/c/cB_JUsYEKyY/m/vVSO61AhBwAJ"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://security.netapp.com/advisory/ntap-20200821-0002/"}]}]}, "cveMetadata": {"assignerOrgId": "a6081bf6-c852-4425-ad4f-a67919267565", "assignerShortName": "kubernetes", "cveId": "CVE-2020-8557", "datePublished": "2020-07-23T16:59:38.580465Z", "dateReserved": "2020-02-03T00:00:00", "dateUpdated": "2024-09-17T03:14:05.177Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:kubernetes:kubernetes:*:*:*:*:*:*:*:*", "matchCriteriaId": "12849C27-DD8A-4D84-92FD-3AB32B43742B", "versionEndExcluding": "1.16.13", "vulnerable": true}, {"criteria": "cpe:2.3:a:kubernetes:kubernetes:*:*:*:*:*:*:*:*", "matchCriteriaId": "CC1FA454-87A3-480C-BB5E-A23086E2EA99", "versionEndExcluding": "1.17.9", "versionStartIncluding": "1.17.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:kubernetes:kubernetes:*:*:*:*:*:*:*:*", "matchCriteriaId": "3E4009BA-8220-4B8E-8B4B-1ADA1680DD70", "versionEndExcluding": "1.18.6", "versionStartIncluding": "1.18.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The Kubernetes kubelet component in versions 1.1-1.16.12, 1.17.0-1.17.8 and 1.18.0-1.18.5 do not account for disk usage by a pod which writes to its own /etc/hosts file. The /etc/hosts file mounted in a pod by kubelet is not included by the kubelet eviction manager when calculating ephemeral storage usage by a pod. If a pod writes a large amount of data to the /etc/hosts file, it could fill the storage space of the node and cause the node to fail."}, {"lang": "es", "value": "El componente kubelet de Kubenetes versiones 1.1-1.16.12, 1.17.0-1.17.8 y 1.18.0-1.18.5, no cuenta para el uso del disco por parte de un pod que escribe en su propio archivo /etc/hosts. El archivo /etc/hosts montado en un pod para kubelet no esta incluido para el administrador de desalojo de kubelet al calcular el uso de almacenamiento ef\u00edmero por un pod. Si un pod escribe una gran cantidad de datos en el archivo /etc/hosts, podr\u00eda llenar el espacio de almacenamiento del nodo y hacer que el nodo presente un fallo"}], "id": "CVE-2020-8557", "lastModified": "2024-11-21T05:39:01.667", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 2.1, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "jordan@liggitt.net", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-07-23T17:15:12.513", "references": [{"source": "jordan@liggitt.net", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://github.com/kubernetes/kubernetes/issues/93032"}, {"source": "jordan@liggitt.net", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://groups.google.com/g/kubernetes-security-announce/c/cB_JUsYEKyY/m/vVSO61AhBwAJ"}, {"source": "jordan@liggitt.net", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20200821-0002/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://github.com/kubernetes/kubernetes/issues/93032"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://groups.google.com/g/kubernetes-security-announce/c/cB_JUsYEKyY/m/vVSO61AhBwAJ"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20200821-0002/"}], "sourceIdentifier": "jordan@liggitt.net", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "jordan@liggitt.net", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-400"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank the Kubernetes Product Security Committee for reporting this issue. Upstream acknowledges Kebe Liu (DaoCloud) as the original reporter.", "affected_release": [{"advisory": "RHSA-2021:3915", "cpe": "cpe:/a:redhat:openshift:3.11::el7", "package": "atomic-openshift-0:3.11.542-1.git.0.f2fd300.el7", "product_name": "Red Hat OpenShift Container Platform 3.11", "release_date": "2021-10-28T00:00:00Z"}, {"advisory": "RHSA-2020:3809", "cpe": "cpe:/a:redhat:openshift:4.3::el7", "package": "openshift4/ose-hyperkube:v4.3.37-202009151447.p0", "product_name": "Red Hat OpenShift Container Platform 4.3", "release_date": "2020-09-23T00:00:00Z"}, {"advisory": "RHSA-2020:3808", "cpe": "cpe:/a:redhat:openshift:4.3::el8", "package": "openshift-0:4.3.37-202009120213.p0.git.0.dffefe4.el8", "product_name": "Red Hat OpenShift Container Platform 4.3", "release_date": "2020-09-23T00:00:00Z"}, {"advisory": "RHSA-2020:3579", "cpe": "cpe:/a:redhat:openshift:4.4::el7", "package": "openshift-0:4.4.0-202008250319.p0.git.0.d653415.el8", "product_name": "Red Hat OpenShift Container Platform 4.4", "release_date": "2020-09-01T00:00:00Z"}, {"advisory": "RHSA-2020:3580", "cpe": "cpe:/a:redhat:openshift:4.4::el7", "package": "openshift4/ose-hyperkube:v4.4.0-202008250319.p0", "product_name": "Red Hat OpenShift Container Platform 4.4", "release_date": "2020-09-01T00:00:00Z"}, {"advisory": "RHSA-2020:3519", "cpe": "cpe:/a:redhat:openshift:4.5::el7", "package": "openshift-0:4.5.0-202008130146.p0.git.0.aaf1d57.el8", "product_name": "Red Hat OpenShift Container Platform 4.5", "release_date": "2020-08-24T00:00:00Z"}, {"advisory": "RHSA-2020:3520", "cpe": "cpe:/a:redhat:openshift:4.5::el7", "package": "openshift4/ose-hyperkube:v4.5.0-202008130146.p0", "product_name": "Red Hat OpenShift Container Platform 4.5", "release_date": "2020-08-24T00:00:00Z"}], "bugzilla": {"description": "kubernetes: Node disk DOS by writing to container /etc/hosts", "id": "1835977", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1835977"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-400", "details": ["The Kubernetes kubelet component in versions 1.1-1.16.12, 1.17.0-1.17.8 and 1.18.0-1.18.5 do not account for disk usage by a pod which writes to its own /etc/hosts file. The /etc/hosts file mounted in a pod by kubelet is not included by the kubelet eviction manager when calculating ephemeral storage usage by a pod. If a pod writes a large amount of data to the /etc/hosts file, it could fill the storage space of the node and cause the node to fail.", "A flaw was found in Kubernetes, where the amount of disk space the /etc/hosts file can use is unconstrained . This flaw can allow attacker-controlled pods to cause a denial of service if they have permission to write to the node's /etc/hosts file."], "mitigation": {"lang": "en:us", "value": "On OpenShift Container Platform (OCP) 3.11 and 4.x it's possible to set the allowPrivilegeEscalation Security Context Constraint to 'false' to prevent this. Note that this is set to 'true' by default, and setting it to false will prevent certain binaries which require setuid to stop working. On OCP 3.11 for example the 'ping' command will no longer work [1]. On OCP 4.x and later the 'ping' command will work with allowPrivilegeEscalation set to False, but other setuid binaries will not work.\n[1] https://docs.openshift.com/container-platform/3.11/release_notes/ocp_3_11_release_notes.html"}, "name": "CVE-2020-8557", "public_date": "2020-07-15T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-8557\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-8557\nhttps://groups.google.com/g/kubernetes-security-announce/c/cB_JUsYEKyY"], "statement": "In OpenShift Container Platform (OCP) there is LocalStorageCapacityIsolation feature gate functionality which prevents a denial of service (DoS) attack on the node by writing to the ephemeral storage.This feature is disabled by default in OCP 3.11 and can be enabled as per [1]. Even with enabled  LocalStorageCapacityIsolation feature gate, OCP is affected by this vulnerability, therefore it is recommended to enable the feature gate and also upgrade to an OCP version which has a fix for this vulnerability.\n[1] https://docs.openshift.com/container-platform/3.11/install_config/configuring_ephemeral.html", "threat_severity": "Moderate"}