{
  "threat_severity" : "Moderate",
  "public_date" : "2020-07-15T00:00:00Z",
  "bugzilla" : {
    "description" : "kubernetes: Node disk DOS by writing to container /etc/hosts",
    "id" : "1835977",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1835977"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-400",
  "details" : [ "The Kubernetes kubelet component in versions 1.1-1.16.12, 1.17.0-1.17.8 and 1.18.0-1.18.5 does not account for disk usage by a pod which writes to its own /etc/hosts file. The /etc/hosts file mounted in a pod by kubelet is not included by the kubelet eviction manager when calculating ephemeral storage usage by a pod. If a pod writes a large amount of data to the /etc/hosts file, it could fill the storage space of the node and cause the node to fail.", "A flaw was found in Kubernetes, where the amount of disk space the /etc/hosts file can use is unconstrained. This flaw can allow attacker-controlled pods to cause a denial of service if they have permission to write to the node's /etc/hosts file." ],
  "statement" : "In OpenShift Container Platform (OCP) there is LocalStorageCapacityIsolation feature gate functionality which prevents a denial of service (DoS) attack on the node by writing to the ephemeral storage. This feature is disabled by default in OCP 3.11 and can be enabled as per [1]. Even with the LocalStorageCapacityIsolation feature gate enabled, OCP is affected by this vulnerability, therefore it is recommended to enable the feature gate and also upgrade to an OCP version which has a fix for this vulnerability.\n[1] https://docs.openshift.com/container-platform/3.11/install_config/configuring_ephemeral.html",
  "acknowledgement" : "Red Hat would like to thank the Kubernetes Product Security Committee for reporting this issue. Upstream acknowledges Kebe Liu (DaoCloud) as the original reporter.",
  "affected_release" : [ {
    "product_name" : "Red Hat OpenShift Container Platform 3.11",
    "release_date" : "2021-10-28T00:00:00Z",
    "advisory" : "RHSA-2021:3915",
    "cpe" : "cpe:/a:redhat:openshift:3.11::el7",
    "package" : "atomic-openshift-0:3.11.542-1.git.0.f2fd300.el7"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.3",
    "release_date" : "2020-09-23T00:00:00Z",
    "advisory" : "RHSA-2020:3809",
    "cpe" : "cpe:/a:redhat:openshift:4.3::el7",
    "package" : "openshift4/ose-hyperkube:v4.3.37-202009151447.p0"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.3",
    "release_date" : "2020-09-23T00:00:00Z",
    "advisory" : "RHSA-2020:3808",
    "cpe" : "cpe:/a:redhat:openshift:4.3::el8",
    "package" : "openshift-0:4.3.37-202009120213.p0.git.0.dffefe4.el8"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.4",
    "release_date" : "2020-09-01T00:00:00Z",
    "advisory" : "RHSA-2020:3579",
    "cpe" : "cpe:/a:redhat:openshift:4.4::el7",
    "package" : "openshift-0:4.4.0-202008250319.p0.git.0.d653415.el7"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.4",
    "release_date" : "2020-09-01T00:00:00Z",
    "advisory" : "RHSA-2020:3580",
    "cpe" : "cpe:/a:redhat:openshift:4.4::el7",
    "package" : "openshift4/ose-hyperkube:v4.4.0-202008250319.p0"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.5",
    "release_date" : "2020-08-24T00:00:00Z",
    "advisory" : "RHSA-2020:3519",
    "cpe" : "cpe:/a:redhat:openshift:4.5::el7",
    "package" : "openshift-0:4.5.0-202008130146.p0.git.0.aaf1d57.el7"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.5",
    "release_date" : "2020-08-24T00:00:00Z",
    "advisory" : "RHSA-2020:3520",
    "cpe" : "cpe:/a:redhat:openshift:4.5::el7",
    "package" : "openshift4/ose-hyperkube:v4.5.0-202008130146.p0"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2020-8557\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-8557\nhttps://groups.google.com/g/kubernetes-security-announce/c/cB_JUsYEKyY" ],
  "name" : "CVE-2020-8557",
  "mitigation" : {
    "value" : "On OpenShift Container Platform (OCP) 3.11 and 4.x it's possible to set the allowPrivilegeEscalation Security Context Constraint to 'false' to prevent this. Note that this is set to 'true' by default, and setting it to 'false' will cause certain binaries which require setuid to stop working. On OCP 3.11 for example the 'ping' command will no longer work [1]. On OCP 4.x and later the 'ping' command will work with allowPrivilegeEscalation set to 'false', but other setuid binaries will not work.\n[1] https://docs.openshift.com/container-platform/3.11/release_notes/ocp_3_11_release_notes.html",
    "lang" : "en:us"
  },
  "csaw" : false
}